Reflect
PrivacyTermsDPA

Data Processing Addendum

Last updated: 2026-04-26

This DPA supplements the Terms of Serviceand applies whenever Reflect processes personal data on behalf of a customer (“Controller”). For enterprises requiring a counter-signed DPA on company letterhead, contact [email protected] — we'll send a DocuSign within 1 business day.

1. Roles

Customer is the Controller. Reflect is the Processor. End-users are data subjects. Reflect processes data only on documented instructions from the Controller (the act of integrating the SDK and configuring partners constitutes those instructions).

2. Categories of data

  • Install identifiers (UUID, GAID, IDFA-with-consent).
  • Device metadata: OS, model, country, language, app version.
  • App-defined event names + timestamps + optional revenue.
  • Hashes of email/phone where the Controller opts into hashed CAPI / postback enrichment.

3. Sub-processors

The current sub-processor list is in the Privacy Policy. We give 30 days notice before adding new sub-processors; you can object during that window and terminate without penalty if we proceed despite your objection.

4. International transfers

Reflect runs on Cloudflare. Where data leaves the EEA, the transfer is covered by Standard Contractual Clauses (EU 2021/914 module 3) appended to this DPA on request, plus the supplementary measures Cloudflare publishes for its own infrastructure.

5. Security measures

  • HMAC-SHA256 signed SDK events; rate-limited per app key.
  • AES-GCM at-rest encryption of partner credentials and OAuth refresh tokens.
  • TLS 1.2+ in transit; HSTS preload.
  • Per-tenant row-level isolation in D1; super-admin queries audit-logged.
  • SHA-256 PII hashing prior to postback transmission.

6. Breach notification

Reflect notifies the Controller within 72 hours of confirming a personal-data breach affecting their tenant, with the information required by GDPR Art. 33(3) to the extent then known.

7. Data-subject requests

The Controller is the primary contact for end-users. Reflect provides:

  • POST /api/privacy/delete — irreversible delete of a user's install + events + attributions.
  • POST /api/privacy/export — JSON dump of all data we hold.

8. Audit rights

Once per 12-month period, the Controller may request a SOC2-style report (when available) or a walkthrough of our security architecture. On-site audits are case-by-case for paid plans.

9. Return / deletion on termination

On termination, Reflect retains data for a 30-day export window, then deletes or anonymises within 90 days. Backup tapes age out at 13 months.

10. Order of precedence

In conflict between this DPA and the Terms, this DPA controls for matters of personal-data processing. All other matters are governed by the Terms.

Questions? Email [email protected]. A Retroage Engineering product.