How we handle your data.

Refractly is built and operated by Paarth Jha, an individual data controller based in India. There is no corporate entity behind the service today; you are dealing with one person.

For all privacy-related questions, requests, or complaints, the single point of contact is info@refractly.app. Replies typically arrive within a few working days. Where the GDPR or DPDP Act would normally require a designated Data Protection Officer, no such statutory threshold has been crossed yet; the controller (Paarth Jha) handles these requests directly.

This policy applies to refractly.app, the authenticated studio application, and every related service operated by Paarth Jha. It applies wherever you happen to live; references to the GDPR cover users in the European Economic Area and the United Kingdom, and references to the DPDP Act cover users in India. For users elsewhere, the protections described below are offered on a best-effort basis as a matter of policy, even where no specific local law requires them.

Refractly collects only what it needs to run the service. Roughly, the personal data we store is:

• Account. Email address, your display name, and a hashed password (managed by Supabase Auth — we never see the plaintext). When you sign in with Google, Supabase Auth additionally receives the OAuth-issued identifier (the sub), your Google profile name, and the URL of your Google profile picture, which we store in profiles.avatar_url purely to render your avatar in the app.
• Subscription.Your current tier (Free, Creator, Pro), subscription status, and an opaque Dodo Payments customer ID. Card numbers, CVVs, and the billing address fields Dodo collects at checkout (name, country, postcode, street address) all live inside Dodo Payments — we do not receive or store them. At checkout we send only a placeholder country code; the real billing address is collected by Dodo's hosted page directly from you.
• Voice profile. The sample posts you paste during onboarding and any AI-generated analysis derived from them (tone, vocabulary level, sentence rhythm, signature phrases).
• Studios. The names and descriptions of the brand workspaces you create.
• Generations. The prompts you submit, the generated outputs for each platform, and any edits or regenerations you perform on them.
• Usage.Counts (generations this month, studios, voice profiles), the calendar month you're anchored to, and timestamps for last activity.
• Moderation incidents. When a prompt is blocked by the content moderation system, an excerpt of the input (capped at 500 characters), the reason, the source (pre-flight or post-flight), and the resulting strike count.
• Cookies. Strictly-essential session cookies set by Supabase to keep you signed in. There are no analytics cookies, no advertising trackers, no third-party fingerprinting, and therefore no cookie banner is required under the GDPR or the DPDP Rules.

We do not collect special-category data (Article 9 GDPR) such as health, biometric, religious, or political data, and we ask you not to put it into prompts either.

Under the GDPR, every processing activity needs a legal basis. Ours:

• Contract performance (Art. 6(1)(b)). Running your account, training your voice profile, generating drafts, refining and regenerating outputs, and processing your subscription. Without this data the service literally cannot function.
• Legitimate interest (Art. 6(1)(f)). Security, fraud prevention, debugging, abuse detection, and content moderation. Strike escalation follows a fixed ladder — strikes 1–2 give a warning, strike 3 triggers a seven-day suspension, strikes 4–5 give a further warning, strike 6 results in a permanent ban. We balance this against your right to use the service free of unreasonable friction; if you disagree with a moderation decision you may contest it at info@refractly.app.
• Legal obligation (Art. 6(1)(c)). Tax, accounting, and lawful information requests from competent authorities.
• Consent (Art. 6(1)(a)). Currently not used. We do not run marketing email, behavioural advertising, or any AI training on your inputs or outputs. If we ever introduce a processing activity that requires consent, we will ask for it separately and explicitly — and you will be able to refuse without losing access to the service.

Under the DPDP Act, the equivalent legal grounds are specified legitimate use (operating a service the user voluntarily signed up for) and compliance with law.

When you ask Refractly to generate, ideate, refine, or regenerate content, your prompt and the relevant pieces of your voice profile are sent through OpenRouter, an LLM gateway based in the United States. Refractly is currently configured to route inference to Google Gemini 3.1 Flash Lite by default; if that model changes, this policy will be updated.

On generation and ideation calls, web search is enabled via OpenRouter's search plugin. This means your prompt is also shared with the search provider OpenRouter selects, so the model can ground its output in current information. Refinement and single-card regeneration do not use web search.

Three important facts about this pipeline:

• OpenRouter's default policy is not to store prompts or responses. Request metadata (token counts, latency, the model used) is always retained, and OpenRouter reserves the right to sample prompts for anonymous categorisation purposes, per its published privacy documentation.
• Refractly does not train, fine-tune, or evaluate any AI model on your inputs or outputs, and we have not opted into OpenRouter's data-improvement programme. We do not currently route exclusively through Zero-Data-Retention endpoints; downstream inference providers (today, Google Gemini) operate under their own retention and use policies, which are governed by their terms and not by us.
• The web-search hop is a separate matter. When web search is enabled, OpenRouter's plugin issues a short search query through a third-party search vendor whose data policy is independent of the inference provider's. We pass max_results: 4 to keep that query tight.

New generation and ideation prompts pass through a pre-flight moderation classifier before LLM generation. Refinement and instruction-driven regeneration instructions are checked the same way before they are applied; plain single-card regeneration reuses the already-moderated original generation input. Outputs from initial generation pass through a post-flight refusal detector, and all outputs are sanitized before storage. These steps exist purely to enforce the acceptable-use rules in our Terms — they are not used for analytics, profiling, or personalisation.

To run the service we share data with a small number of sub-processors, each bound by their own Data Processing Agreement. Today they are:

• Supabase — authentication and primary database (EU/US regions). Stores account, voice profiles, studios, generations, usage, and moderation incidents.
• OpenRouter — LLM gateway (US). Receives your prompts and voice context, returns generated text.
• Google (Gemini) — actual inference provider, reached via OpenRouter. Global infrastructure.
• Dodo Payments — subscription billing and checkout. Receives your email, name, and tier purchase events. Handles all card data; we never see it.
• Vercel — frontend hosting and edge delivery for the public landing and the studio app. Sees request metadata only.
• Render — backend hosting (US). Runs the FastAPI service that orchestrates the LLM calls.

This list can change. When we add or remove a sub-processor, the update will appear here. For users on paid plans who want to be notified of material changes by email, write to info@refractly.app.

Because the sub-processors above operate globally, your personal data may be processed outside the European Economic Area, the United Kingdom, and India. Where the destination country does not have an adequacy decision from the European Commission, transfers from EEA/UK users rely on the Standard Contractual Clauses (SCCs) executed with each sub-processor under their respective DPAs, supplemented by the technical safeguards described in the Security section below.

For DPDP Act purposes, transfers from India follow the Central Government's permitted-country framework as it is finalised and may be subject to additional safeguards we will publish here when applicable.

We hold personal data only as long as we need it to run the service or to comply with the law.

• Account and profile. While your account is active. After you delete your account, all linked records (studios, voice profiles, generations, usage rows) are removed within thirty days.
• Generations, voice samples, studios. Until you delete them individually, or until your account is deleted.
• Moderation incidents. Retained for up to twenty-four months for safety enforcement and to support strike counts. After that they are aged out.
• Backups. Database backups are kept on a rolling window of roughly thirty days, after which they are overwritten.
• Billing records. Subscription and invoice data is retained for seven years to meet Indian tax-record obligations, regardless of account status.

Under both the GDPR and the DPDP Act, you have a meaningful set of rights over your personal data. Specifically you may:

• Access — obtain a copy of the personal data we hold about you.
• Rectify — correct anything inaccurate or incomplete.
• Erase — ask us to delete your data. You can do this yourself from the in-app Settings → Danger zone, which permanently removes your profile and every linked record (studios, voice profiles, generations, usage, moderation incidents). For partial erasure, in-app delete buttons also exist on individual studios, voice profiles, and generations. As a backup channel, you can always write to info@refractly.app. If the automated flow cannot confirm billing cancellation or database deletion, it stops and asks you to contact us instead of reporting success.
• Restrict — pause certain kinds of processing while a dispute is resolved.
• Port — receive your data in a portable, machine-readable format.
• Object — to processing based on legitimate interest, on grounds relating to your particular situation.
• Withdraw consent — where any processing is ever based on consent (not the case today, but the right is preserved).
• Nominate (DPDP-specific) — appoint another individual to exercise these rights in the event of your death or incapacity.
• Complain — lodge a complaint with your local supervisory authority (in the EEA/UK, your national Data Protection Authority; in India, the Data Protection Board) if you believe your rights have been violated and we have not resolved the issue to your satisfaction.

To exercise any of these, email info@refractly.app. We will respond within one calendar month (GDPR) or thirty days (DPDP); if a request is unusually complex we may extend by a further two months and tell you why.

Refractly is built on infrastructure that handles security as a default rather than an add-on. Specifically:

• All traffic is encrypted in transit with TLS 1.2 or higher.
• The Supabase database enforces Row-Level Security so users can only ever read their own rows, even if the application layer has a bug.
• Passwords are hashed by Supabase Auth using industry-standard algorithms; we never store or see plaintext credentials.
• Sessions are managed by Supabase Auth using short-lived JWT access tokens (refreshed automatically) and long-lived refresh tokens. Tokens are stored in your browser's localStorage and synchronised to cookies for server-side rendering; cookies are set with SameSite=Lax and the Secure flag in production.
• Payment data is handled entirely by Dodo Payments; our servers never receive, store, or process card information.
• The webhook that updates subscription tiers verifies a cryptographic signature on every event before mutating any data.

No system is perfectly secure. If a personal data breach materially affects you, we will notify you and the relevant supervisory authority without undue delay, in line with Article 33 GDPR and the DPDP breach-reporting obligations.

Refractly is not intended for, marketed to, or designed for children. By signing up, you confirm you are at least eighteen years old. If we become aware that a user is under eighteen we will close the account and delete the associated data.

We will update this page when the underlying processing changes — new sub-processors, new features, new legal grounds, new retention windows. The effective date at the top of the page will reflect the most recent revision. For material changes that expand or alter the way we use your data, we will also notify active users by email at least thirty days in advance and, where required, ask for fresh consent.