Privacy Policy

Last updated 2026.

Reflex's architecture means we never receive the pages you visit, the URLs, your credentials, or your sessions. This policy is short because the data is short.

Your machine stays here

Claude Desktop

or Cursor, Claude Code, any MCP client

Reflex MCP server

runs locally

Your Chrome

your real browser and logins

Pages, sessions, passwords

read and acted on locally

API key + call count

pages never cross

Reflex servers

Is this key valid?
Credit balance
Usage counts
Paddle payments

No path exists for your pages, logins, or sessions to reach us.

Data we collect

Email address (for your account).
API key, hashed at rest (the raw key is never stored).
Tool-call counts and tool names with timestamps (for credit metering).
Payment metadata via Paddle, our merchant of record (we never see card numbers).
Website analytics via PostHog (anonymized IP, EU hosting).

Data we do NOT collect

Page content.
URLs visited by the browser.
Credentials.
Cookies and sessions.
Screenshots.
Anything the agent reads or types.

There is no code path that could send any of the above to us; it stays on your machine.

Processors

Paddle (payments & tax, our merchant of record)
Clerk (authentication)
PostHog EU (analytics)
Vercel (hosting)
Resend (email)

Retention

Usage rows are retained as financial records tied to Paddle transactions; they contain no personal data once your email is removed. Account data is kept until you delete your account.

Your rights

You can access, export, and delete your data. Deletion is self-serve in the dashboard (it removes your account, key, and balance, and removes your PostHog person). Export is available on request. For GDPR or CCPA inquiries, contact us at the email below.

Cookies

We use a session cookie (Clerk) and analytics cookies (PostHog). No ad trackers.

Contact

Questions or requests: nitaiaharoni1@gmail.com. We will update this policy if our processing changes and note the change here.