PRIVACY POLICY
Reflectiqa Diary & Psychologist Feedback App
Effective date: 25-12-2025 | Version: 1.0
1. Who we are
MB Ethos Solutions, legal entity code 306689726, with its registered office at Gėlių g. 4, Didžiulių k., LT-60295 Raseinių r., is a company whose data is collected and stored in the Register of Legal Entities of the Republic of Lithuania.
The contact email of the Data Protection Officer is info@teisesprincipas.lt.
The entity responsible for information protection is MB Ethos Solutions, legal entity code 306689726, with its registered office at Gėlių g. 4, Didžiulių k., LT-60295 Raseinių r.
This Privacy Policy explains how we process personal data when you use our diary and psychologist feedback app (the “Service”), visit our website, interact with us on social media, or contact support.
Contact for privacy questions: info@reflectiqa.app
2. Key concepts
- “Account” – your user profile in the Service.
- “Journal Entries” (or “Entries”) – text you write in the Service.
- “Submitted Entries” – Entries (or parts of Entries) you explicitly submit for review.
- “Reviews” – written feedback provided to you in the Service by a psychologist or other qualified reviewer (“Partner”).
- “Subscription” – a paid plan that grants access to premium features and minimum review entitlement.
- “Special category data” – sensitive data under GDPR Article 9 (e.g., health, sexuality, trauma).
3. What personal data we process
We process the following categories of personal data (depending on how you use the Service):
3.1 Account and profile data
- Email address, username (if used), password hash (not your plain password).
- Optional profile information you choose to provide (e.g., display name).
- Language, time zone and basic preferences.
3.2 Subscription and billing data
- Subscription status, plan type, purchase history, invoices/receipts.
- Payment metadata from our payment processor (e.g., transaction ID, payment status).
- We do not store full payment card numbers. Card payments are processed by our payment processor (e.g., Stripe).
3.3 Journal content and reviews
- Journal Entries (text you write).
- Submitted Entries (the subset you submit for review).
- Reviews (feedback written by the Partner).
- Basic metadata linked to Entries (date/time created, tags/categories if you use them).
3.4 Support and communications
- Messages you send to us (email/support forms), and our replies.
- Technical information needed to resolve issues (e.g., error logs related to your request).
3.5 Technical and usage data
- Device and browser information, IP address, approximate location derived from IP (country/city level), session logs.
- Security logs (login attempts, suspicious activity, rate-limiting events).
- Analytics events if you consent to analytics cookies (see Section 10).
3.6 Special category data (important)
Your Journal Entries may include special category data (e.g., mental health, trauma, sexuality, medication). We do not require you to provide such data, but you may choose to include it in your Entries.
4. Why we process your data (purposes and legal bases)
We process personal data for the purposes below. The legal bases are provided under the GDPR.
| Purpose | Examples of data | Legal basis | Retention (high level) |
|---|---|---|---|
| Create and manage your Account | Email, login/security data, preferences | Contract (Art. 6(1)(b)) | While account is active; then deletion/limited retention (Section 9) |
| Provide journaling features (store Entries) | Journal Entries, metadata | Contract (Art. 6(1)(b)) | Until you delete Entries or close account (Section 9) |
| Provide Reviews (minimum weekly review entitlement) | Submitted Entries, Reviews | Contract (Art. 6(1)(b)) + Explicit consent for special category data where applicable (Art. 9(2)(a)) | Until you delete content or close account (Section 9) |
| Process payments and prevent fraud | Subscription, payment metadata, billing records | Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)) | As required by accounting/tax law (typically up to 10 years) |
| Customer support and service communications | Support messages, identifiers, technical logs | Contract (Art. 6(1)(b)) or Legitimate interests (Art. 6(1)(f)) | Typically 1 year after last contact unless needed longer for disputes |
| Security, abuse prevention, and service integrity | IP, security logs, device info | Legitimate interests (Art. 6(1)(f)) | Typically 6–12 months (or longer if needed for incidents) |
| Analytics and marketing cookies (if enabled) | Cookie identifiers, usage events | Consent (Art. 6(1)(a)) | Per cookie settings / up to cookie expiry |
| Legal claims and compliance | Relevant account, billing, support, and security data | Legal obligation (Art. 6(1)(c)) and/or Legitimate interests (Art. 6(1)(f)) | For the duration of the claim + limitation periods |
5. Special category data and your consent
Because the Service is a diary and reflection product, your Entries may contain special category data. Where required, we rely on your explicit consent to process such data (GDPR Art. 9(2)(a)). By choosing to write such information in the Service and (where applicable) submitting Entries for review, you acknowledge that you are intentionally sharing that content with us and the reviewing Partner.
You can withdraw consent at any time (Section 12). If you withdraw consent, we may not be able to provide Reviews and/or certain features.
6. Who can access your Journal Entries and Reviews
Access to your Journal Entries is restricted:
- You can access your own Entries in your Account.
- A Partner (psychologist/reviewer) may access your Submitted Entries strictly to prepare your Review.
- Our authorized personnel may access limited data when necessary for support, security, or legal compliance.
Partner qualification and responsibility:
- We use reasonable efforts to ensure Partners are appropriately qualified for their role (e.g., credential checks where applicable).
- Partners are bound by confidentiality and data protection obligations.
- However, to the maximum extent permitted by law, we do not guarantee how an individual Partner will interpret or respond to content in every situation.
7. No real-time monitoring and no emergency use
We do not monitor Journal Entries in real time and do not provide emergency services. If you are in immediate danger or may harm yourself or others, contact emergency services.
8. Who we share data with
We may share personal data with the following categories of recipients, only as necessary:
- Payment processors (e.g., Stripe).
- Cloud hosting and infrastructure providers.
- Analytics and advertising providers (only if enabled and only with your consent).
- Professional advisers (lawyers, accountants).
- Debt recovery in cases of unpaid fees.
9. International data transfers
We primarily aim to process data in the European Economic Area (EEA). However, some service providers may process data outside the EEA (including the United States). Where an international transfer occurs, we use safeguards required by law, such as the European Commission’s Standard Contractual Clauses (SCCs).
10. Retention and deletion
We keep personal data only as long as necessary for the purposes described in this Policy:
10.1 Journal Entries and Reviews
Stored while your Account is active. You can delete your Entries from within the Service. When you delete content, we remove it from active systems.
10.2 Account deletion
You can request deletion of your Account. After deletion, we delete or anonymize data, except where we must retain certain data for legal obligations.
11. Cookies and similar technologies
We use cookies and similar technologies to operate the website and, if you consent, to measure performance and run marketing campaigns.
12. Your rights (GDPR)
Subject to conditions and exceptions under the GDPR, you have the right to:
- Access your personal data.
- Rectify inaccurate personal data.
- Delete your personal data.
- Restrict processing.
- Data portability.
- Object to processing.
- Withdraw consent at any time.
- Lodge a complaint with a supervisory authority.
To exercise your rights, contact us at info@reflectiqa.app.
Supervisory authority in Lithuania: State Data Protection Inspectorate (VDAI) – https://vdai.lrv.lt/
13. Security
We use appropriate technical and organizational measures to protect personal data, including access controls and encryption.
14. Children
The Service is not intended for children under 18.
15. Death of a user
Accounts are non-transferable. If we receive a valid death certificate, we will close the Account and delete Journal Entries/Reviews, except where required by law.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time.
17. Contact
Support, Privacy requests and other questions: info@reflectiqa.app
The last update to the Privacy Policy was made on December 24, 2025.