Privacy Policy

ReflectHub OÜ — English

ReflectHub OÜ
Effective date: 2026-06-18
Last updated: 2026-06-18
Version: v1.0

01.

Who we are

ReflectHub OÜ (Estonian private limited company, registry code 14010143) is the provider of the ReflectHub software-as-a-service platform (the "Service").
This Privacy Policy explains how we process personal data when we act as a data controller for our own business operations (for example, account administration, billing, security, and website communications), and how we handle personal data contained in customer content when we act as a data processor on behalf of our business customers.
Controller contact details:

  • ReflectHub OÜ
  • Registry code: 14010143
  • Registered address: Lõhmuse tee 2, 12113 Tallinn, Estonia
  • Email: privacy@reflecthub.com
  • Website: https://reflecthub.com

02.

Scope of this Privacy Policy

This Privacy Policy applies to personal data processed by ReflectHub OÜ in connection with:

  • our website, marketing pages, and product information requests;
  • account registration and administration for authorized users;
  • subscription management, billing, invoicing, and payment processing;
  • security logging, fraud prevention, and service reliability operations; and
  • support communications and customer success interactions.

This Privacy Policy does not replace any Data Processing Agreement (DPA) between ReflectHub OÜ and a business customer. Where ReflectHub processes customer-uploaded data on behalf of a customer organization, the customer is typically the data controller and ReflectHub acts as the data processor.

03.

Roles under the GDPR

3.1 When ReflectHub is a data controller

ReflectHub acts as a data controller for personal data we need to run our business and provide the Service, such as account contact details, billing records, support communications, and technical/security telemetry related to use of the Service.

3.2 When ReflectHub is a data processor

ReflectHub acts as a data processor for personal data included in customer content ("Customer Data") that business customers and their authorized users upload to or manage within the Service. In those cases, the customer organization determines the purposes and means of processing, and ReflectHub processes the data only on documented instructions from the customer (including via the customer’s use of Service features).

04.

Categories of personal data we collect

4.1 Data collected directly by ReflectHub (controller data)

  • Identity and contact data (for example: name, work email address, company name, role/title).
  • Authentication-related data (for example: email address used to sign in, time-based one-time code (TOTP) configuration metadata, and identifiers issued by federated identity providers when an Authorized User signs in with Google or Facebook). Authentication is passwordless, so we do not store reusable static passwords.
  • Billing and transaction data (for example: billing contact details, invoice details, subscription plan, payment status, VAT number if provided).
  • Technical and device data (for example: IP address, browser type, device type, operating system, timestamps, request logs).
  • Usage and telemetry data (for example: feature usage, error events, diagnostics, performance metrics, audit trail events).
  • Support and communication data (for example: support tickets, email correspondence, in-app chat messages, feedback).

4.2 Data processed on behalf of customers (processor data)

Depending on how a customer uses the Service, Customer Data may include personal data relating to the customer’s employees, contractors, project participants, clients, suppliers, or other individuals. ReflectHub does not independently determine the categories of Customer Data uploaded by customers and processes such data in accordance with the applicable DPA and customer instructions.

05.

Sources of personal data

  • Directly from you or your organization (for example, account signup, purchase, support requests).
  • Automatically from your use of the Service and website (for example, logs, telemetry, cookies or similar technologies where applicable).
  • From payment providers, resellers, or integration partners (for example, billing confirmations or account provisioning information).
  • From publicly available business sources (for example, company websites or registers) where relevant for B2B sales or due diligence.

07.

Cookies and similar technologies

Our website and/or application may use cookies or similar technologies for essential functionality, authentication/session management, security, analytics, and user preference storage. Where non-essential cookies are used, we will obtain consent where required by applicable law.
You can manage cookie preferences through your browser settings and, where available, our cookie consent tools. Disabling certain cookies may affect site or Service functionality.

08.

Data sharing and disclosure

ReflectHub does not sell, rent, or lease personal data to third parties for monetary or other valuable consideration.
We may share personal data with the following categories of recipients where necessary to operate the Service and our business:

  • Cloud hosting and infrastructure providers (application hosting, managed database, file storage, backups, and observability).
  • Edge / DNS and bot-protection providers (DNS resolution, TLS termination, and bot mitigation in front of our domains).
  • Payment processors and billing providers (subscription payments, invoicing, tax processing).
  • Email delivery providers (transactional emails such as sign-in flows, invitations, billing notifications, and product notifications).
  • Professional advisers (legal, accounting, auditors) where necessary and subject to confidentiality obligations.
  • Public authorities, regulators, courts, or law enforcement where disclosure is legally required or necessary to establish, exercise, or defend legal claims.

The current list of recipients that process personal data on our behalf is maintained at https://reflecthub.com/legal/sub-processors. Where a recipient processes personal data on our behalf, we put in place data processing agreements and appropriate safeguards as required by law.

09.

International transfers

Production storage of Customer Data takes place within the European Economic Area (Scaleway, France). Limited categories of personal data may be processed outside the EEA by sub-processors such as Stripe (billing), Resend (transactional email), and Cloudflare (edge / DNS and bot protection). Where personal data is transferred outside the EEA, we implement appropriate safeguards under Chapter V GDPR, including the European Commission's Standard Contractual Clauses (SCCs), reliance on the EU-US Data Privacy Framework where the recipient is certified, and supplementary measures where appropriate.
Customers may request information about relevant transfer mechanisms by contacting us at the privacy contact listed above.

10.

Data retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention periods may vary depending on the type of data and legal requirements.

| Data category | Typical retention period | Basis / rationale |
|---|---|---|
| Customer account and profile data | Up to 3 years after account closure/termination | Contract management, dispute handling, limitation periods |
| Billing, invoicing, and accounting records | 7 years (or as required by law) | Tax and accounting compliance |
| System access, security, and audit logs | Up to 12 months (unless longer retention is required for an investigation) | Security monitoring and incident response |
| Backups | Rolling backups, 30 days | Disaster recovery and business continuity |
| Support records | Up to 3 years after closure of the support matter | Service quality, dispute handling, operational continuity |

At the end of the applicable retention period, we delete or anonymize personal data, unless continued retention is required by law or necessary for the establishment, exercise, or defense of legal claims.

11.

Security measures

ReflectHub implements appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These measures include encryption in transit (TLS 1.2+) and at rest, passwordless authentication for Authorized Users (TOTP and federated identity via Google or Facebook), role-based access controls with least-privilege permissions, application-layer ability checks and database-level tenant isolation, centralised logging and monitoring, secure development practices, and routine backups with point-in-time recovery. A summary of the current measures is set out in Annex A of our Data Processing Agreement.
No method of transmission over the internet or method of electronic storage is completely secure. We therefore cannot guarantee absolute security.

12.

Data subject rights

Where ReflectHub acts as a data controller, and subject to applicable law and limitations, individuals may have the following rights under the GDPR:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object (including to processing based on legitimate interests)
  • Right to withdraw consent at any time (where processing is based on consent)
  • Right to lodge a complaint with a supervisory authority

If we receive a request relating to Customer Data for which we act as a data processor, we may refer the request to the relevant customer (the data controller) or ask the requester to contact that customer directly.
To exercise your rights in relation to controller data, please contact: privacy@reflecthub.com. We may request additional information to verify identity before responding.

13.

Supervisory authority

If you are in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority. ReflectHub OÜ is established in Estonia, and the relevant supervisory authority in Estonia is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

14.

Customer Data and Data Processing Agreement (DPA)

For personal data processed on behalf of business customers within the Service, ReflectHub acts as a data processor and processes such data in accordance with the applicable Data Processing Agreement (DPA) and customer instructions. The DPA governs, among other things, the subject matter and duration of processing, the nature and purpose of processing, categories of data subjects and personal data, sub-processor use, security measures, breach notification support, and deletion/return of Customer Data after termination.

15.

Children

The Service is intended for business use and is not directed to children. We do not knowingly collect personal data from children in connection with our controller activities. If you believe a child has provided personal data to us, please contact us so we can investigate and take appropriate action.

16.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or processing practices. We will post the updated version on our website or within the Service and update the "Last updated" date above. Where required by law, we will provide additional notice or obtain consent.

17.

Contact us

For privacy-related questions, requests, or complaints, please contact:

  • ReflectHub OÜ
  • Email: privacy@reflecthub.com
  • Address: Lõhmuse tee 2, 12113 Tallinn, Estonia