Privacy Policy

Reflexion Labs — Last updated: January 30, 2026

This Privacy Policy explains how Reflexion Labs ("Reflexion Labs", "we", "us", "our") collects, uses, shares, and protects personal data when you use Reflexion, our agentic orchestrator platform that connects your apps to AI agents, and related services — including account creation, app connections, and subscription management at reflexion-labs.com (together, the "Services").

We are committed to protecting your privacy and handling your data transparently and securely.

1) Who we are (Controller)

Data Controller: Blue Lantern Sàrl, Switzerland
Contact email: privacy@reflexion-labs.com

If you have questions or requests about this policy or your data, contact us at the email above.

2) What this policy covers

This policy covers:

Users of Reflexion, our agentic orchestrator platform
Customers who create an account, connect third-party apps, manage a subscription, or use paid features
Visitors to reflexion-labs.com

It does not cover data processed by:

Third-party services you connect (e.g., OneDrive, Google Drive, Dropbox, Salesforce), which are governed by their own privacy policies and settings.
Any third-party sites you reach via links from our Services.

3) The data we collect

A. Account and customer data

Name, email address, password (hashed), organization/company name (if applicable)
Billing info (e.g., billing address, VAT/UID if provided), subscription status, invoices/receipts. We do not store payment card information—payments are processed by Stripe.
Support messages and correspondence

B. Usage and technical data

Device and app details (e.g., app version), timestamps, feature usage, error logs, and performance metrics
IP address and approximate location derived from IP (typical for security and fraud prevention)
Authentication/session tokens and security logs

C. Third-party app connections (OAuth)

When you connect third-party apps (e.g., OneDrive, Google Drive, Dropbox, Salesforce), we receive OAuth tokens that allow our AI agents to access your data in those services on your behalf. We only access data necessary to execute the tasks you authorize.

Important: You control which apps you connect and what permissions you grant. You can revoke access at any time from your account settings or directly from the third-party service.

D. Content processed by AI agents

When you use the platform, AI agents may access files, documents, and data from your connected apps to execute tasks you request (e.g., retrieving files, generating reports, syncing data). This content is processed to fulfill your requests and is not retained beyond the duration of the task.

Important: You control what tasks agents perform. We recommend reviewing agent permissions and avoiding unnecessary access to sensitive data.

E. Cookies and analytics

We use Google Analytics and similar technologies on the reflexion-labs.com website to understand usage (e.g., page views). You can control cookies via your browser settings.

4) How we use your data

We use data to:

Provide and operate the Services (login, account management, app connections, agent orchestration)
Execute AI agent tasks and return results to you
Connect to third-party apps on your behalf via OAuth
Secure the Services (fraud prevention, abuse monitoring, access control)
Provide customer support and troubleshoot issues
Maintain audit trails of agent actions for governance and compliance
Improve reliability and user experience (e.g., fixing bugs, performance)
Manage subscriptions, billing, and tax compliance
Send service-related communications (e.g., security notices, important updates)
Send marketing communications only where permitted (you can opt out at any time)

5) Legal bases (Switzerland & GDPR where applicable)

We process personal data as needed for:

Contract performance (providing the Services you request)
Legitimate interests (security, fraud prevention, service improvement)
Consent (where required, e.g., certain cookies/marketing)
Legal obligations (accounting, tax, compliance)

Switzerland's revised Federal Act on Data Protection (FADP/revFADP) applies to our processing. If you are in the EEA/UK, the GDPR may also apply in certain circumstances.

6) AI processing (no training by default)

Reflexion uses AI models (including OpenAI) to power agent capabilities such as file retrieval, report generation, and data processing.

Your data is never used to train AI models. Data sent through AI APIs is not used to train or improve models by default. We use API configurations that disable training on your content. (OpenAI's data usage guide, OpenAI's enterprise privacy page)
We send to AI providers only the content required to fulfill your request (e.g., agent instructions and relevant file/data context from your connected apps).
We maintain zero data retention for processed content. Data is discarded after task completion.

Note: AI providers act as service providers/sub-processors for these requests. All agent actions are logged in your audit trail for transparency and governance.

7) Where your data is stored

User account and service data are stored in Switzerland (e.g., user profiles, settings, subscription metadata, and operational logs).
Some processing may occur outside Switzerland when using sub-processors (for example, OpenAI may process data in jurisdictions where it operates). In such cases, we use appropriate safeguards (e.g., contractual protections) where required.

8) How we share data (sub-processors)

We share personal data only as needed to run the Services, including with:

OpenAI (AI processing for agent capabilities)
Composio (third-party app integrations and OAuth management)
Supabase (hosting and infrastructure, Swiss region)
Stripe (payment processing—we do not store your payment card information)
Google Analytics (website analytics, if enabled)
Professional advisors (legal/accounting) and authorities where legally required

We do not sell your personal data.

Provider	Purpose	Location
OpenAI	AI processing (agent capabilities)	US
Composio	Third-party app integrations	US
Supabase	Hosting and infrastructure	Switzerland
Stripe	Payment processing	US / EU
Google Analytics	Website analytics	US / EU

9) Security

We use enterprise-grade security practices appropriate to the risk, including:

Encryption in transit (HTTPS/TLS)
Encryption at rest where appropriate
Access controls (least privilege), authentication safeguards
Monitoring, logging, and incident response procedures

No method of transmission or storage is 100% secure, but we work to protect your data with appropriate technical and organizational measures.

10) Data retention

We keep personal data only as long as necessary for the purposes above, including:

As long as your account is active
As needed to provide the Services and maintain security logs
As required by law (e.g., accounting/tax retention)

When data is no longer needed, we delete or anonymize it.

11) Your rights

Depending on your location and applicable law, you may have the right to:

Access your personal data
Correct inaccurate data
Request deletion (where legally permissible)
Object to or restrict certain processing
Withdraw consent (where processing is based on consent)
Receive a copy of your data (data portability) in some cases

To exercise rights, contact privacy@reflexion-labs.com. We may need to verify your identity.

12) International transfers

If data is processed outside Switzerland/EEA, we implement safeguards as required (e.g., contractual clauses, vendor assessments, and security measures).

13) Children

The Services are not intended for children under 16 (or the minimum age required in your jurisdiction). We do not knowingly collect data from children.

14) Changes to this policy

We may update this policy from time to time. We will post the updated version on our Services and revise the "Last updated" date. For material changes, we may notify you via email or in-product notice.

15) Contact

Blue Lantern Sàrl, Switzerland
Email: privacy@reflexion-labs.com