Reflare

Privacy Policy

Last updated: May 14, 2026

Reflare ("us", "we", or "our") operates the website at https://reflare.io (the "Service").

Who we are

Reflare
2261 Market Street, STE 19836
San Francisco, CA 94114, United States
support@reflare.io

Data Protection Officer: Nicolas Sénécal.
Operated by Reflare Ltd (HE 490572).
See Legal Information for corporate details.

This policy confirms data use aligns with stated practices and references our Terms and Conditions.

Definitions

  • Personal Data: Information identifying living individuals
  • Usage Data: Automatically collected information about Service access
  • Cookies: Small data files stored on user devices
  • Data Controller: Entity determining data processing purposes/methods
  • Data Processor/Service Provider: Entity processing data on controller's behalf
  • Data Subject: Individual subject to Personal Data processing
  • User: Individual using the Service

YouTube and Google Services

Reflare uses YouTube API Services and Google OAuth to operate. By using the Service and connecting your Google account, you also agree to be bound by the YouTube Terms of Service and the Google Privacy Policy.

You can revoke Reflare's access to your Google account at any time via the Google security settings page.

Data collected via YouTube API Services includes:

  • Video metadata, statistics and performance metrics
  • Channel information and analytics
  • Engagement metrics and audience demographics
  • Subtitles, captions and thumbnails
  • Upload permissions for thumbnail modifications

Purpose: AI-powered content optimization, video analysis, A/B testing and analytics dashboards.

Google profile information: name, profile picture and email are used for account identification only.

Google API usage: we access your YouTube account for video listing, performance analysis and thumbnail updates. Reflare does not share YouTube data with third parties for advertising or other unrelated purposes.

Google API Services User Data Policy — Limited Use

Reflare's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Reflare:

  • does not transfer Google user data to third parties for serving ads, including retargeting, personalized or interest-based advertising;
  • does not use Google user data to determine credit-worthiness or for lending purposes;
  • does not sell Google user data;
  • allows humans to read Google user data only with your explicit consent, for security purposes (such as investigating abuse), to comply with applicable law, or where the data has been aggregated and anonymized.

Reflare's access to and use of YouTube data is also governed by the YouTube API Services Terms of Service and the Google Privacy Policy (linked above).

Personal Data

Types collected: email address, first and last name, cookies, usage data.

Newsletter and promotional materials sent; users may opt out via unsubscribe options.

Usage Data

Collected information: IP address, browser type/version, visited pages, visit timing, time spent, device identifiers, diagnostic data.

Cookies

Reflare only uses cookies that are strictly necessary for the Service to function. We do not use advertising, analytics or third-party tracking cookies. Because no non-essential cookies are deposited, no consent banner is required under the EU ePrivacy Directive.

Cookies in use:

  • Authentication / session cookies: keep you signed in to the Service
  • Preference cookies: remember your interface settings
  • Cloudflare security cookies (e.g. __cf_bm, cf_clearance): bot detection and challenge resolution, deposited by our edge provider Cloudflare

You can disable cookies in your browser settings, but the Service may not function correctly without them.

Customer Data

Includes personal information about end users, customers, and website visitors. Processing limited to agreement-specified purposes.

Use of Data

Data used for:

  • Service provision and maintenance
  • Change notifications
  • Interactive feature participation
  • Customer support
  • Service analysis and improvement
  • Usage monitoring
  • Technical issue detection/prevention
  • News, offers, and service information

Retention of Data

We retain Personal Data only for as long as necessary for the purposes set out in this policy:

  • Account data (profile, credentials, settings): for the lifetime of your account, then deleted within 30 days after account closure (subject to the grace period described below).
  • YouTube data (channel info, video metadata, analytics): refreshed continuously while your account is active, deleted within 30 days after account closure or upon revocation of Google access.
  • Generated content and A/B test results: kept for the lifetime of your account, then deleted with the account.
  • Billing and invoicing records: retained for up to 10 years to comply with tax and accounting obligations.
  • Marketing contacts: retained until you unsubscribe, then kept for up to 3 years for proof of consent purposes.
  • Server logs and security data: retained for up to 12 months for security, fraud prevention and incident investigation.

Where a longer retention period is required by law (for example, tax, accounting or litigation hold), the data is kept for the duration of that legal obligation.

International Data Transfers

Your information, including Personal Data, is processed on servers located in the United States and may be transferred to and processed in countries outside your jurisdiction, where data protection laws may differ from those of your country.

Our main sub-processors hosting or transiting Personal Data are:

  • Google Cloud Platform (Google LLC, USA) — primary hosting and storage of application data
  • Cloudflare, Inc. (USA) — DNS, CDN and edge security
  • Stripe, Inc. (USA) — payment processing

Legal basis for transfers outside the EEA / UK. Where Personal Data is transferred from the European Economic Area, the United Kingdom or Switzerland to a country that has not been deemed to provide an adequate level of data protection by the European Commission, we rely on appropriate safeguards under the GDPR, including:

  • The EU-US Data Privacy Framework (and its UK Extension and Swiss-US Framework) where the recipient is self-certified — this is the case for Google LLC, Cloudflare, Inc. and Stripe, Inc.
  • Standard Contractual Clauses (Module 2 / Module 3) approved by the European Commission, executed with each processor as required.
  • Where appropriate, additional technical and organizational measures such as encryption in transit and at rest, pseudonymization and access controls.

By using the Service and submitting your Personal Data, you acknowledge these international transfers and the safeguards in place. No transfer of Personal Data takes place to an organization or country unless adequate controls are in place.

You may request a copy of the relevant transfer safeguards at support@reflare.io.

Business Transaction

Merger, acquisition, or asset sale may transfer Personal Data. Notice provided before transfer and new policy disclosure occurs.

Disclosure for Law Enforcement

Disclosure occurs if legally required or for valid public authority requests.

Legal Requirements

Disclosure made to:

  • Comply with legal obligations
  • Protect Reflare's rights and property
  • Prevent/investigate wrongdoing
  • Protect user safety
  • Prevent legal liability

Security Of Data

Implemented measures:

  • TLS/SSL encryption in transit; industry-standard encryption at rest
  • Strict access controls and authentication
  • Regular security audits and vulnerability testing
  • Hosting on Google Cloud Platform (ISO 27001, SOC 2) with Cloudflare edge protection
  • Encrypted OAuth token storage

No method of transmission is 100% secure. Breach notification within 72 hours per GDPR.

"Do Not Track" Signals

DNT not supported. Users can enable/disable via browser preferences.

GDPR Compliance and Your Rights

Legal Basis for Processing

  • Consent (YouTube data, marketing)
  • Contract Performance (SaaS services)
  • Legitimate Interest (improvement, security, fraud prevention)
  • Legal Obligation (regulatory compliance)

User Rights

  • Right of Access: Request personal data copy
  • Right of Rectification: Correct inaccurate data
  • Right of Erasure: Delete data under certain circumstances
  • Right of Portability: Transfer data in machine-readable format
  • Right of Restriction: Limit processing
  • Right to Object: Object to processing based on interests/marketing
  • Right to Withdraw Consent: Revoke consent anytime

Exercising Rights

Via account dashboard, support@reflare.io, or privacy-specific inquiries.

Response Time: 30 days of receipt. Delays communicated with reasons.

Account Deletion Process

  • Marked for deletion with 30-day grace period
  • Account restoration possible during grace period
  • Permanent deletion after 30 days
  • Email confirmations provided
  • Legal compliance data may be retained

Complaint Rights: You have the right to lodge a complaint with a data protection supervisory authority. Reflare's lead supervisory authority is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (www.dataprotection.gov.cy). You may also contact your local data protection authority in your country of residence.

Automated Decisions and AI Processing

Reflare uses artificial intelligence and machine-learning models to analyze your YouTube content, generate thumbnail variants, score their predicted performance and recommend the best-performing options.

These processes assist your editorial decisions but do not produce legal or similarly significant effects on you within the meaning of Article 22 GDPR — the final decision on which thumbnail to publish always rests with you.

You can:

  • request more information on the logic involved;
  • express your point of view and contest any AI-generated recommendation;
  • request human review of any feature output by contacting support@reflare.io.

CCPA / CPRA Compliance (California Residents)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA / CPRA"), provides you with specific rights regarding your personal information.

Your Rights Under CCPA / CPRA

  • Right to Know: request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Correct: request correction of inaccurate personal information we hold about you
  • Right to Delete: request deletion of your personal information, subject to certain exceptions
  • Right to Opt-Out of Sale or Sharing: opt out of the sale or sharing of your personal information. Note: we do not sell or share personal information for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Personal Information: request that we limit the use and disclosure of any sensitive personal information to what is necessary to provide the Service
  • Right to Non-Discrimination: we will not discriminate against you for exercising any of your CCPA / CPRA rights

Categories of Information Collected

In the past 12 months, we may have collected the following categories of personal information: identifiers (name, email), internet activity (browsing history, interactions with our Service), and professional information (YouTube channel data).

Exercising Your Rights

To exercise your CCPA rights, contact us at support@reflare.io. We will verify your identity before processing your request and respond within 45 days.

Marketing Use of Your Content

As described in our Terms of Service, by using our Service you grant us a license to use thumbnails and related content for marketing purposes. This may include featuring your content on our website, social media, case studies, and promotional materials.

You may revoke this marketing license at any time by contacting us at support@reflare.io. For full details, please refer to the "Marketing License" section of our Terms of Service.

Service Providers

Third parties facilitate the Service. Access limited to assigned tasks; disclosure/unauthorized use prohibited.

Analytics and Advertising

Reflare does not use third-party analytics, advertising or remarketing services such as Google Analytics, Google Ads or Meta / Facebook Pixel. We do not engage in behavioral advertising and do not sell or share your personal data for advertising purposes.

Payments

Payment card details not stored; provided directly to third-party processors. PCI-DSS standards compliance. Stripe is the payment processor.

Links To Other Sites

Third-party links may appear. Users advised to review external privacy policies. Reflare assumes no responsibility for external sites.

Children's Privacy

The Service is not directed to children under the age of 13 (United States, under COPPA) or under the age of 16 in the European Union (or such lower age between 13 and 16 as set by the applicable EU member state under GDPR Article 8). We do not knowingly collect personal data from children below these thresholds. If we become aware that we have collected such data without verifiable parental consent, we will delete it. Parents or guardians who believe their child has provided personal data may contact us at support@reflare.io.

Changes To This Privacy Policy

Updates posted on page. Email and prominent Service notice provided prior to effectiveness. Review periodically recommended.

Contact Us

For any question regarding this Privacy Policy or your personal data, please contact us at support@reflare.io or by mail at:

Reflare
2261 Market Street, STE 19836
San Francisco, CA 94114
United States