Reflectra Care — Privacy Policy
Version: 1.0 (DRAFT — pending legal review)
Effective date: TBD (target: beta launch)
Last updated: 2026-04-17
Contact: privacy@reflectra.ai
Status: DRAFT. This first draft is engineering's plain-language description of how the app actually handles data, written so legal counsel and the psychologist partner can review and finalize before public release. Do not publish or link from production app stores until counsel signs off.
1. Who we are
Reflectra Care ("the app", "we", "us") is a mobile mental-health companion operated by Reflectra. The app captures voice diary entries, optional biometric data, and patient-reported mood check-ins, then makes that information available to a clinician chosen by the patient.
This policy explains what we collect, why, who can see it, how long we keep it, and how you can delete it.
If you are the patient using the app, this policy is about you. If you are a clinician using the app to view assigned patients, see Section 9.
2. Information we collect
2.1 Account information
- Email address
- Name (optional)
- Account password (stored only as a salted hash by Supabase Auth)
- Date of birth and time zone (used to localize check-in reminders)
2.2 Health-related information you choose to share
You decide what to share. Each category is gated by an explicit, in-app consent prompt and can be withdrawn at any time from Patient Settings.
| Category | What it contains | When we collect it |
|---|---|---|
| Voice recordings | Audio of diary sessions | Only after you tap Record and only with voice_recording consent |
| Transcripts | Text transcribed from your voice | Only with transcript consent |
| Mood check-ins | A 5-point mood label (great, good, okay, low, struggling) | Only when you tap a mood card |
| Biometric data | Heart rate, sleep stages, HRV from Apple Health / Health Connect | Only with biometrics consent and OS-level health permission |
| Risk events | Severity tags (low / medium / high / critical) derived from your transcripts | Only when transcript consent is on, since they are computed from your transcripts |
| Voiceprint enrolment | A short voice sample used to recognize you in passive monitoring | Only with voiceprint_enrollment consent |
| Passive monitoring | Background ambient audio capture for mood-relevant cues | Only with passive_monitoring consent and only when permitted by your jurisdiction |
2.3 Information we never collect
- Location beyond region (we use coarse region only to apply local recording-consent law; we do not log latitude / longitude)
- Contact lists, photos outside what you explicitly attach, or browser history
- Audio outside a diary recording you started or a passive-monitoring window you have consented to
2.4 Technical information
- Device model and OS version (for crash diagnostics)
- App version
- Anonymous request IDs for backend traces (no patient identifier in the trace by default)
3. Why we collect it
We use your information only to:
- Show your diary, mood, and biometrics back to you.
- Make the same information available to the clinician you have explicitly authorized to view your account.
- Identify high-severity risk events so a clinician (and only a clinician) can intervene. We do not auto-call emergency services in v1.
- Improve the app — only via aggregated, de-identified usage metrics.
We do not sell your data. We do not advertise.
4. AI processing
When transcripts and aggregated mood data are processed by an AI provider (Anthropic Claude or OpenAI GPT, depending on configuration) to produce summaries and risk scores:
- Only the transcript text or aggregated mood numbers are sent, never your name, email, account ID, or phone number. The transcript is your own words, so anything you say aloud during a session (including names) is sent as part of it.
- The provider does not retain prompts for training (per their enterprise terms; see Section 11).
- All AI output is treated as advisory only. A licensed clinician makes every clinical decision.
5. Who can see your data
| Role | What they see |
|---|---|
| You | Everything we have collected from you |
| Your assigned clinician | Diary entries, mood, biometrics, risk events, AI summaries — only for the patient(s) explicitly assigned to them |
| Other patients | Nothing |
| Other clinicians | Nothing |
| Reflectra engineers | Nothing about an individual patient by default. Limited, audited access only when you have opened a support request |
| Third parties | Only the processors listed in Section 11, and only the data they need to do their job |
Our database (Supabase Postgres) enforces this with row-level security (RLS) policies: Patient A cannot read Patient B's rows even if our application code has a bug. (Engineering note: RLS only governs queries made with the user's own session token. The Supabase service-role key bypasses it and must stay server-side, never embedded in the app or used in a patient-facing request path.)
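The following is an added illustration of how that isolation looks as Postgres RLS policies on Supabase; it is not the project's actual schema, and the table and column names (`diary_entries`, `clinician_assignments`) are assumptions. `auth.uid()` is Supabase's helper that returns the signed-in user's id from the request JWT. The assignment policies also encode the Section 9 rule that only the patient can assign a clinician.

```sql
-- Added example, not Reflectra's schema. Table and column names are assumed.
-- auth.uid() is Supabase's helper returning the caller's user id from the JWT.

create table clinician_assignments (
  patient_id   uuid not null references auth.users (id) on delete cascade,
  clinician_id uuid not null references auth.users (id) on delete cascade,
  created_at   timestamptz not null default now(),
  primary key (patient_id, clinician_id)
);

create table diary_entries (
  id         uuid primary key default gen_random_uuid(),
  patient_id uuid not null references auth.users (id) on delete cascade,
  transcript text,
  created_at timestamptz not null default now()
);

-- Supabase grants table privileges to "authenticated" by default; stated here so
-- the example is explicit about who can reach the tables at all.
grant select, insert, delete on clinician_assignments to authenticated;
grant select, insert, update, delete on diary_entries to authenticated;

alter table clinician_assignments enable row level security;
alter table diary_entries          enable row level security;
-- FORCE also applies the policies to the table owner, so owner-level code
-- cannot silently bypass them.
alter table clinician_assignments force row level security;
alter table diary_entries          force row level security;

-- Only the patient creates or revokes an assignment (Section 9: no self-assign).
-- WITH CHECK blocks an INSERT whose patient_id is anyone other than the caller.
create policy patient_manages_assignments on clinician_assignments
  for all to authenticated
  using (patient_id = auth.uid())
  with check (patient_id = auth.uid());

-- A clinician may see who assigned them, but this SELECT-only policy gives
-- them no way to insert an assignment row.
create policy clinician_sees_own_assignments on clinician_assignments
  for select to authenticated
  using (clinician_id = auth.uid());

-- Patients read and write only rows carrying their own id.
create policy patient_owns_entries on diary_entries
  for all to authenticated
  using (patient_id = auth.uid())
  with check (patient_id = auth.uid());

-- Assigned clinicians get read-only access to those patients' entries.
-- The subquery itself runs under RLS, so a clinician can only match
-- assignment rows that name them.
create policy clinician_reads_assigned on diary_entries
  for select to authenticated
  using (
    exists (
      select 1
      from clinician_assignments a
      where a.patient_id  = diary_entries.patient_id
        and a.clinician_id = auth.uid()
    )
  );

-- Check: run as a signed-in patient this returns only that patient's rows;
-- run as a clinician with no assignments it returns zero rows, not an error.
select count(*) from diary_entries;
```

Two points worth checking in a review of real policies: every write policy needs a `with check` clause (a `using`-only policy filters reads but lets a caller insert rows under someone else's id), and none of this applies to connections made with the service-role key, which has RLS bypass and therefore belongs only on trusted server-side code.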
6. How long we keep it
| Data class | Retention |
|---|---|
| Account profile | Until you delete your account |
| Diary entries | Until you delete the entry, or your account |
| Voice recordings | 90 days by default; immediately purgeable on request |
| Risk events | 7 years once we exit sandbox (HIPAA itself sets a 6-year minimum for compliance documentation; medical-record retention periods are set by state law and vary; counsel to confirm the figure) |
| Audit log | 30 days in regulated mode, 7 days in sandbox mode |
| Consent records | 7 years (proof-of-consent obligation) |
| AI provider prompt logs | Not retained beyond the request lifecycle |
7. How we protect it
- All network traffic uses TLS 1.2 or higher.
- Supabase Postgres encrypts data at rest with AES-256.
- Supabase Storage encrypts audio files at rest.
- Account tokens are stored in the OS-protected credential store (iOS Keychain / Android Keystore-backed storage) via Expo SecureStore, not in plain app storage.
- We never write personally identifying information to crash logs or analytics.
8. Your rights
You can, at any time and without explanation:
- Read every piece of data we have about you (Patient Settings → Export My Data).
- Delete a single diary entry, a single voice recording, or your entire account (Patient Settings → Delete My Account).
- Withdraw any individual consent (e.g., turn off biometrics or passive monitoring) without losing your other data.
- Ask us to stop sharing with a specific clinician.
- Request a portable copy of your data in JSON format.
- Lodge a complaint with your local data protection authority.
Account deletion hard-deletes diary entries, mood, biometrics, voice recordings, and consent records within 30 days. Risk events that are part of a clinician's documented care record may be retained in anonymized form to satisfy the medical-record retention requirement; you will be told before this happens.
9. Clinician accounts
If you are a clinician using Reflectra Care to view assigned patients:
- Each patient must explicitly assign you. We do not let clinicians self-assign.
- Every record you view is logged in the patient's audit trail.
- You may not export bulk data without the patient's consent.
- You agree to handle patient data under your jurisdiction's medical professional standards (HIPAA in the US, equivalents elsewhere).
10. Children
Reflectra Care is not intended for users under 17. We do not knowingly collect data from children. If you believe a child has created an account, contact privacy@reflectra.ai and we will delete it.
11. Subprocessors
These third parties process your data on our behalf:
| Subprocessor | What they do | Where data is stored | BAA status (US) |
|---|---|---|---|
| Supabase | Postgres database, auth, storage | US | TBD — Team plan upgrade required |
| ElevenLabs | Voice agent / conversational AI | US | TBD — Enterprise tier required |
| Anthropic | AI summaries and risk scores | US | TBD |
| OpenAI | AI summaries (fallback provider) | US | TBD |
| Apple HealthKit | Biometric data passthrough (on-device) | On-device | N/A — on-device only |
| Health Connect (Android) | Biometric data passthrough (on-device) | On-device | N/A — on-device only |
| Expo / EAS | Build and update delivery (no patient data) | US | N/A — no PHI |
We will update the BAA status column as each agreement is signed. Until BAAs are in place we operate in sandbox mode only, with synthetic data.
12. Changes to this policy
We will notify you in-app at least 14 days before any material change takes effect. Continued use after the effective date constitutes acceptance.
13. Contact
- Privacy questions: privacy@reflectra.ai
- Data deletion requests: privacy@reflectra.ai (response within 30 days)
- Security disclosures: security@reflectra.ai
- Postal: TBD (Reflectra business address)
Engineering note: This document is the source of truth for the user-facing privacy promise. If a code change widens what we collect, who can see it, or how long we keep it, this document MUST be updated in the same pull request and the version bumped.