Privacy Policy

Introduction

Reflective Technologies ApS (“Reflective Technologies”, “Reflectly ApS”, “Reflectly”, “we”, “our” or “us”) are committed to respecting your privacy and processing personal data in accordance with the EU GDPR. The Privacy Policy set out in this document relates to all websites and mobile applications owned or controlled by Reflective Technologies at any given time. The applications are subject to change but set out in the Reflectly and Reflectly X developer pages on the Apple Store and the Reflective Technologies developer page on the Google Play Store. Collectively they will be referred to as "the Apps" and will include any alternative means of offering or delivering our software and services provided in the future. Certain parts of the Privacy Policy will only relate to some of the websites, the Apps or app categories. The Privacy Policy should be read carefully to discover how we obtain, process, store and disclose your personal data. The policy also sets out your rights as a data subject.

Personal data

Purpose and Lawful Basis

Personal Data

Account Information (e.g. nickname, email and subscription status)

Processing Operation and Purpose

  1. To provide Newsletters with exclusive content and inform you of offers, depending on whether you are a Subscriber or Non-subscriber.
  2. To create an account, allowing you to back up content and for the Growth Bundle website to manage your subscription.
  3. To provide access to Premium features if a subscription is purchased.
  4. To notify you about material changes to the Terms of Service and Privacy Policy.

Lawful Basis

  1. We require your consent*.
  2. Necessary for the performance of a contract we have with you.
  3. Necessary for the performance of a contract we have with you.
  4. Necessary to comply with legal obligations.

*By ticking the box you consent to Newsletters from both Reflective Technologies and/or the Growth Bundle (a platform controlled by us).

To revoke your consent click 'Unsubscribe' at the bottom of one of our emails.

Personal Data

Photo

Processing Operation and Purpose

To allow you to upload a profile photo, creating a more personalised service.

Lawful Basis

We require your consent.

Personal Data

Moods, associated activities, feelings and additional photos, notes, text and voice notes detailing mental health, moods or related thoughts (the "Mental Health Data")

Processing Operation and Purpose

To provide a mood journal that contains relevant content, stores entries, compiles data and presents statistics.

Lawful Basis

We require your explicit consent to process the health data. It constitutes a special category of personal data under the GDPR, which by default is prohibited save for certain exceptions including explicit consent. Explicit consent is given by marking a tick in the requisite box at sign up or the update notice.

Personal Data

Fingerprint or facial data (the "Biometric Data")

Processing Operation and Purpose

If enabled, your fingerprint or facial data will be used to confirm your identity for the sole purpose of protecting in-app data against unauthorised access. The Apps simply avail of the authentication system provided by your mobile phone. You may have provided your Biometric Data upon setting up your mobile phone, we have no access to this.

When a user attempts to access the Apps, the authentication system will collect fresh Biometric Data to cross authenticate against the Biometric Data stored on your mobile phone. We do not store this fresh Biometric Data, it is processed by your mobile phone operator for the sole purpose of authentication.

Lawful Basis

We require your explicit consent to process the Biometric Data. It constitutes a special category of personal data under the GDPR, which by default is prohibited save for certain exceptions including explicit consent. Explicit consent is given by affirmatively clicking that you allow the App to process the data when prompted.

Personal Data

Data relating to exercise, mindfulness, sexual activity, sleep, physique, nutrition, heart rate, blood pressure and other data supported by Apple Health (the "Apple Health Data")

Processing Operation and Purpose

  1. To monitor your health more effectively by allowing us to write data.
  2. To provide your health data in an easy to read graphical format, and to track your progress.

Lawful Basis

We require your explicit consent to process the Apple Health Data. It constitutes a special category of personal data under the GDPR, which by default is prohibited save for certain exceptions including explicit consent. Explicit consent is given by affirmatively clicking that you allow us to read and write data when prompted.

Personal Data

Calendar data from the terminal device

Processing Operation and Purpose

To automatically integrate Calendar events.

Lawful Basis

We require either your consent, or explicit consent depending on the calendar event. If the event relates to a special category of personal data such as health or religious belief (i.e. medical appointments or church service) explicit consent is required.

Explicit Consent is one of the limited exceptions to the prohibition of processing special category personal data under the GDPR.

Both consent and explicit consent, whichever is required, can be given by affirmatively clicking that you allow us to access the data when prompted.

Personal Data

Demographic group and general goals

Processing Operation and Purpose

To automatically generate App recommendations associated with the selected demographic or goal when a User signs up via the Growth Bundle website.

Lawful Basis

Processing is necessary for the mutual legitimate interest for Apps to be suggested to you.

Personal Data

Payment details

Processing Operation and Purpose

To allow purchases to be made through the Growth Bundle website using card payment.

Lawful Basis

Necessary for the performance of a contract we have with you.

Some of the Apps or websites may not process every category of personal data listed above. This will be clear if and when it applies (e.g. if not asked for your email address, it is not being processed).

Necessary for performance of contract

We process some of your personal data because it is necessary for the performance of a contract we have with you or it is necessary prior to entering into such a contract. If you do not wish to provide a nickname or email for example, we cannot create your account and you will be unable to avail of certain features. It should be noted, however, that not every app will process this data.

Changes to Personal Data

It is important that the personal data we have in relation to you is current and accurate. If your personal data (e.g. email address) changes during our relationship please inform us promptly. If, for whatever reason, your personal data is inaccurate or incomplete you have the right for this to be corrected or completed.

Unprompted Health Data

Although some of our Apps do not directly prompt or encourage you to input health data, you may wish to still provide such data. Often this data is not collected for storage or any other purposes, but instead, stored locally on your device terminal. The same applies to our expenditure and budgeting apps, despite the fact health spending may exist as a default spending category.

Some of the Apps provide the option to back up your data with iCloud, for more information on how Apple processes your personal data see Apple's Privacy Policy. The option to synchronise data across devices using Google Drive or Dropbox may also be provided, please refer to their privacy policies.

Automatic Collection, Retention and Sharing

Device and Usage information automatically collected

In conjunction with our partners we automatically collect and log certain information stored on your terminal device ("Device Data") including device type, operating system specification, network settings, unique device identifier and IP address. “Usage Data” is collected and logged to discover how the Apps are used and which features are popular, it includes data relating to the time you are active, purchases and the features, buttons or screens you interact with. This helps to inform and improve our direction and development. We rely on our legitimate interest of measuring and analysing app usage to further inform development and improve the overall user experience.

Our Analytics providers may by default use IP addresses to determine your general non-specific location. Among other things, this allows geographic sorting and protects us and our apps against misuse and nefarious activity.

Retention of Personal Data

We are committed to the principle of storage limitation and will retain your personal data for no longer than is necessary to fulfil our processing purposes. Following account deletion, revocation of consent or a written deletion request, your personal data will be retained for no longer than 30 days, save for certain instances where legal obligations require longer retention periods.

We will also anonymise some personal data so it will no longer be associated with you. In this event we are entitled to retain and use the information freely.

Sharing with Third Parties

In order to provide you with our services, carry out our activities and to comply with legal obligations, we share your personal data with certain third parties such as:

  • cloud storage providers, to help us securely store and back-up your data. To be able to provide these services, the providers receive your Account Information; Photo (if provided); and the Mental Health Data. The providers we currently use are located in the US.
  • analytics providers, who assist us in the improvement and optimisation of the App. To be able to provide these services, the providers receive Device Data and Usage Data. We currently use a provider located in the US.
  • newsletter and mailing providers, to enable us to generate and send newsletters to you if you have subscribed. To be able to provide this service, the providers receive your Account Information. The providers we use are located in France and the US.
  • payment providers, who execute card payments for purchases made on the Growth Bundle website. To do this, the providers receive your payment details and Account Information. The provider we currently use is located in the US.
  • subscription infrastructure platforms, who facilitate the offering of in-app subscriptions. In doing so they receive your Account Information. The platform we are currently using is located in the US.
  • cookie consent management platforms, who assist us in managing and implementing your preferences when you visit our websites. The platforms receive automatically collected device information to provide this service. The platform we are currently using is located in Denmark.
  • law enforcement authorities, government authorities, government bodies and the courts where they request it and disclosure is lawful. (e.g. prevention and detection of crime).

International Data Transfers

To provide storage and email newsletters we transfer your data to our partners outside the EU. We are committed to ensuring your personal data is protected when transferring to third countries without an adequate level of protection, namely the U.S.

In light of the EU-US Privacy Shield being invalidated, Standard Contractual Clauses are now relied on. Reflective Technologies acknowledges the comments in the Schrems II decision that additional safeguards may be needed to supplement such clauses. We are currently assessing our transfers and working with our partners to implement safeguards, along with the updated Standard Contractual Clauses.

Security

We have implemented appropriate technical and organisational security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to. These measures include encryption and pseudonymisation. Access to your personal data is granted strictly on a need to know basis and we have carefully selected our service providers with security considerations in mind.

Your Rights

General Rights

You have several rights in relation to your personal data, these include the right to:

  • Access a copy of the personal data we hold about you;
  • Correction or completion of any inaccurate or incomplete personal data;
  • Erasure (save for personal data necessary to comply with legal obligations or for the establishment, exercise or defence of legal claims);
  • Obtain a copy of your personal data in a portable format;
  • Restrict the processing of your personal data, in the following instances:-
  1. You are contesting the accuracy of your personal data and we need time to verify it.
  2. Processing has been found unlawful, but you oppose erasure.
  3. You require the personal data for the establishment, exercise or defence of legal claims, but we no longer need it for our processing purposes.
  4. You have objected to processing based on our legitimate interests and a final decision is pending.
  • Withdraw consent or explicit consent for specific processing;
  • Object to the processing of personal data based on our legitimate interests on the grounds that they are overridden by your interests or fundamental rights and freedoms;
  • Object to the processing of personal data for direct marketing purposes.

    • If you wish to exercise any of these rights, please contact us. We may request proof of identification to verify your request.

    Complaint: Supervisory authority

    If you think we have infringed your rights under data protection legislation, you have the right to lodge a complaint. When making your complaint, the relevant supervisory authority is the one in the country:

    1. where you are habitually resident;
    2. where you work; or
    3. where the alleged infringement took place.

    The right to lodge a complaint is without prejudice to any other administrative or judicial remedy you may have. The contact information for the Danish Data Protection Agency is provided below.

    Datatilsynet
    Carl Jacobsens Vej 35
    DK-2500 Valby
    +45 33 19 32 00
    [email protected]

    Age Requirements

    You must be at least 13 years of age to use any of the Apps.

    Cookies

    We use cookies and other such tracking technologies ("Cookies") to remember certain details when a "User" visits some of the websites owned or otherwise controlled by Reflective Technologies.

    Cookies are small data files that transfer to the User's computer, phone, or other such device ( "Terminal Device") upon visiting some of the websites. Information is then obtained on the return visit. Cookies are stored locally on a Terminal Device for different periods, determined by their expiry date. Session Cookies are deleted once the browser is closed, while Persistent Cookies may remain on the Terminal Device until a given date.

    Cookies can be categorised in two further ways: by the party that placed them ("Source"); and what they are used for ("Function").

    1. Source

    1. 1st Party Cookies (placed by Reflective Technologies)
    2. 3rd Party Cookies (placed by Third Party Vendors)

    2. Function

    1. Necessary Cookies
    2. Preference Cookies
    3. Statistics Cookies
    4. Marketing Cookies

    We require your consent to place Preference, Statistics and Marketing Cookies. When you visit some of our websites you will be asked for your cookie preferences by a Cookie Banner. These preferences can be changed at any time through the Cookie Settings window, accessed by clicking the black circular button at the bottom left corner of your display. For further information on the specific cookies used on a website please see the relevant Cookie Banner or Cookie Settings window.

    Necessary Cookies

    Necessary Cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

    There is no option to use the site without Necessary Cookies and unlike the latter three categories, we do not need User consent. The Cookie Banner and Cookie Settings window will by default permanently enable these cookies.

    Preference Cookies

    Preference Cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.

    Statistic Cookies

    Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

    Marketing Cookies

    Marketing cookies are used to track visitors across websites. The intention is to display advertisements that are relevant and engaging for the individual User and thereby more valuable for publishers and third party advertisers.

    Disabling and Deleting Cookies

    The current versions of Safari and Mozilla Firefox, by default, block third-party Cookies. For more information please refer to the following blog posts regarding Safari and Mozilla Firefox. If other Browsers, such as Google Chrome or Microsoft Edge are used, third-party Cookies can be blocked manually through the Browser settings.

    The option may also exist in the Browser settings to block all Cookies, including strictly necessary ones. However, the websites may not work as intended, or at all. Most Browsers will allow the User to delete all Cookies or to delete them on an individual basis. The User should be aware that by doing so, their preferences for the websites may be lost. For instructions specific to a particular Browser, please refer to the online support pages provided by the Browser.

    Contact

    If you wish to get in contact with us please email [email protected] or write to us at Balticagade 15B, 8000 Aarhus C, Denmark.

    Questions, comments and requests in relation to this privacy policy or the processing of your personal data should be addressed to our Data Protection Officer ("DPO").

    DPO email: [email protected]

    Changes to this Privacy Policy

    We are constantly reviewing our Privacy Policy to ensure compliance with data protection legislation. Our apps are also constantly evolving and new features and services may change how we process your personal data. Any substantive or material change to this Privacy Policy will be brought to your attention.

    Last updated on November 11, 2023