Privacy Policy

Last updated: March 2026

Overview

Reflio is a personal reflection and journaling platform designed to help you capture thoughts, habits, and insights over time. Your journal is private by design. We aim to protect your data with layered safeguards while giving you meaningful control over how your information is stored and accessed.

Information We Collect

  • Account information (email, username)
  • Content you choose to store such as journal entries and reflections
  • Usage data necessary to operate, maintain, and secure the service

How We Use Your Information

  • To provide and operate the Reflio platform
  • To improve product features and overall reliability
  • To maintain security, monitor abuse, and support account recovery

How Encryption Works

Server-Side Encryption (Default)

Reflio encrypts stored data on our servers by default (encryption at rest). This layer is designed to reduce risk if infrastructure is exposed or accessed without authorization.

When needed to deliver the product (for example, loading your journal in your account session), data is decrypted within controlled systems. Internal access to user content is restricted, requires deliberate internal processes, and is not casually available to staff.

User-Level Encryption (Optional)

You can choose to enable an additional encryption layer using your own passphrase. With this setting, encryption happens before data is stored, and the passphrase is never stored by Reflio and cannot be recovered by our team.

This means protected content is not accessible without your passphrase, including by Reflio. If the passphrase is lost, the encrypted data becomes permanently inaccessible.

While encrypted content is locked, AI features (such as analysis, summaries, and inquiries) are disabled because the system cannot read the protected text. These features are still available to the user, but they will not work until the passphrase is entered and entries are decrypted.

Data Security

We use a defense-in-depth approach to protect your information, including default server-side encryption, optional user-level encryption, access controls, and ongoing monitoring designed to detect and reduce misuse.

No system can eliminate all risk, but our safeguards are intended to make unauthorized access significantly more difficult and to limit exposure if an incident occurs.

Your Control

You can manage privacy settings, choose whether to enable user-level encryption, and delete your account and associated data through your account settings.

Contact

If you have questions about this Privacy Policy, please contact support through the Support page.