Privacy Policy
Last updated: February 2026
1. Introduction
Reflina ("we", "our", "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our personal health dashboard at reflina.com. We comply with the General Data Protection Regulation (GDPR) and applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
Peter Iatsenia, Nicolas Lejeune, Oscar Rode
Email: nlej@cimalys.com
3. Information We Collect
We collect the following categories of information:
3.1 Information you provide voluntarily
- Account information: your name and email address provided through Google OAuth sign-in
- Health data: sleep entries, nutrition entries, and exercise entries that you manually log
- Chat messages: messages you send to the AI-powered health assistant
3.2 Information generated by the service
- AI-generated insights and responses based on your health data
4. How We Use Your Information
We use your information for the following purposes:
- To provide and operate the health dashboard, including tracking your sleep, nutrition, and exercise
- To generate AI-powered insights and respond to your chat messages
- To authenticate your identity and maintain your account
- To improve and maintain the service
- To comply with legal obligations
5. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
- Consent: You provide consent when you sign in with Google OAuth and voluntarily enter your health data
- Contract performance: Processing is necessary to provide you with the service
- Legitimate interests: We process data to improve our service and ensure its security
6. Health Data
Reflina processes health-related data (sleep, nutrition, and exercise entries) that you voluntarily provide. This data is considered special category data under GDPR Article 9. We process this data based on your explicit consent, which you provide by entering data into the application. You may withdraw consent and request deletion of your health data at any time.
7. AI Processing
Your health data and chat messages are sent to a third-party AI provider (OpenRouter) to generate personalized insights and responses. This data is transmitted securely and is used solely for generating your insights. We do not use your data to train AI models. The AI provider processes your data according to their own privacy policy and data processing agreements.
8. Data Storage and Security
Your data is stored securely using Supabase infrastructure. We implement the following security measures:
- HTTPS/TLS encryption for all data in transit
- Database encryption at rest via Supabase PostgreSQL
- Row Level Security (RLS) ensuring users can only access their own data
- OAuth 2.0 for secure Google authentication
- Breach notification within 72 hours in accordance with GDPR Article 33
9. Data Retention
We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law. AI-generated insights are retained for the same duration as the underlying health data they were derived from.
10. Your Rights Under GDPR
Under GDPR, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data
- Right to restriction: Request restriction of processing of your data
- Right to data portability: Request a machine-readable copy of your data
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw your consent at any time
To exercise any of these rights, contact us at nlej@cimalys.com. We will respond to your request within 30 days.
11. Third-Party Services
We use the following third-party services to operate Reflina:
- Supabase: Database hosting, authentication, and backend infrastructure
- Google OAuth: Authentication and sign-in
- OpenRouter: AI processing for health insights and chat
- Vercel: Application hosting
Each of these services operates under its own privacy policy. We encourage you to review their respective policies.
12. Cookies
Reflina uses only strictly necessary cookies for authentication session management via Supabase Auth. We do not use any tracking, analytics, or advertising cookies. No consent banner is required as we only use essential cookies necessary for the service to function.
13. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA) through our third-party service providers. Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs), to protect your data in accordance with GDPR requirements.
14. Children's Privacy
Reflina is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us and we will promptly delete such information.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be reflected in the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the service after changes constitutes acceptance of the updated policy.
16. Contact
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:
Peter Iatsenia, Nicolas Lejeune, Oscar Rode
Email: nlej@cimalys.com
You also have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.