Privacy Policy

At REFLEX Security, privacy isn't just a policy — it's our core architectural principle. This document explains exactly what data we collect, why we collect it, and how we protect it.

1. What We Collect

1.1 Account Information

When you create a REFLEX account, we collect your email address and a bcrypt hash of your password. We never store your master vault password.

1.2 Usage Analytics (Opt-In Only)

With your explicit consent, we may collect anonymized, aggregated usage data (e.g., feature usage frequency, crash reports). This data cannot be linked to your identity. You can opt out at any time in Settings → Privacy.

1.3 Subscription & Billing

Payment processing is handled by Stripe. We store only your email, subscription tier, and billing dates. We never have access to your full card number.

1.4 Third-Party Authentication (Google & Facebook Login)

When you log in using Google Sign-In or Facebook Login, we may collect the following information:

  • Your name
  • Your email address
  • Your unique account ID provided by Google or Facebook

This information is used only to create and manage your account and allow you to sign in to the application.

Google Sign-In

If you choose to sign in using your Google account, we receive limited profile information:

  • Name
  • Email address
  • Google account ID

We do not access your Google Drive files, Gmail messages, Contacts, or Calendar data. Our use complies with the Google API Services User Data Policy, including the Limited Use requirements.

Facebook Login

If you choose to sign in using Facebook Login, we may receive:

  • Your name
  • Your email address
  • Your Facebook user ID

This information is used only for authentication and account creation. We do not access additional Facebook data such as your friends list, posts, photos, or activity.

1.5 What We Do NOT Collect

  • Your vault contents (passwords, notes, files)
  • Your browsing or network activity (even when VPN is active)
  • Your device behavioral data or AI inference inputs
  • Your absolute location data (Note: Our mobile app utilizes local location exclusively to scan for rogue Wi-Fi networks and secure your active connections. Your coordinates are never transmitted to our servers.)
  • Any biometric data (Note: The mobile Biometric App Lock utilizes your device's native hardware. We do not possess, collect, or transmit your biometric templates).
  • Your Google Drive, Gmail, Contacts, Calendar, or any Google service content
  • Your Facebook posts, friends list, photos, or any Facebook content

2. VPN Privacy

REFLEX VPN uses ephemeral session keys generated on your device. Our VPN servers process your traffic but cannot associate it with your account or identity. We maintain no connection logs, no traffic logs, and no IP address logs.

This is enforced architecturally, not just by policy. Our VPN infrastructure has undergone independent audits confirming the absence of logging capability.

3. Data Storage & Security

All server-side data is encrypted at rest using AES-256. All data in transit uses TLS 1.3. Our infrastructure is hosted in SOC 2 Type II certified data centers.

We conduct quarterly third-party security audits and run a responsible vulnerability disclosure program.

4. Data Sharing

We do not sell, rent, or share your personal information with third parties.

Information may only be disclosed if required by law.

5. Data Deletion

If you would like to delete your account and associated data, you can request deletion by contacting us at:

support@hive-project.com

6. Data Retention & Deletion

We retain your personal data only for as long as necessary to provide the REFLEX service:

  • Account data (email, name) — retained while your account is active. Deleted within 30 days of account closure.
  • Usage analytics (if opted in) — anonymized data is retained for up to 12 months, then permanently deleted.
  • Billing records — retained as required by applicable tax and financial regulations (typically 7 years).

You may request deletion of your account and all associated data at any time by emailing support@hive-project.com or via Settings → Account → Delete Account.

7. Your Rights (GDPR / CCPA)

Depending on your jurisdiction, you have rights including:

  • Right of access — request a copy of your data
  • Right to erasure — delete your account and all associated data
  • Right to portability — export your data in a portable format
  • Right to object — opt out of any data processing
  • Right to withdraw consent — revoke third-party login access at any time

To exercise these rights, email support@hive-project.com.

8. Children's Privacy

REFLEX is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us data, contact support@hive-project.com.

9. Contact

If you have any questions about this Privacy Policy, please contact:

support@hive-project.com

10. Mobile Application (Android) Privacy Addendum

On-Device Processing Guarantee

To provide comprehensive zero-trust security, the REFLEX Security mobile application requires access to certain highly sensitive device permissions. In accordance with our Zero-Knowledge Architecture, this data is accessed and analyzed entirely locally on your device via on-device AI. It is never transmitted to, uploaded to, or stored on our servers.

When using the REFLEX Android app, the application accesses the following on-device data strictly to provide core security functionality:

  • Installed Applications (QUERY_ALL_PACKAGES): Accessed locally to scan for malicious software, spyware, and unauthorized app installations. We do not transmit your app inventory to our servers.
  • Files and Storage (MANAGE_EXTERNAL_STORAGE): Accessed locally to scan downloaded files and documents for malware and ransomware payloads.
  • SMS and Call Logs: Accessed locally by our Zero-Click Shield to detect malicious links (smishing) and block known fraudulent phone numbers. We do not read your personal messages or log your communication history off-device.
  • Location (Foreground and Background): Accessed locally to secure your active network connections (e.g., detecting rogue Wi-Fi networks). Location data is not tracked or stored by our servers.
  • Camera and Microphone: Accessed locally to detect unauthorized background recording by rogue applications and to power the secure QR code scanner. We do not capture, record, or transmit audio or video off-device.

By using the REFLEX mobile app, you acknowledge that these permissions are required for the local threat intelligence engine to function, but that your privacy remains tightly protected through our strictly on-device processing model.