Refly
Privacy Policy
Last updated: 9 July 2026
This Privacy Policy explains what personal data Refly (“Refly”, “we”, “us”) collects,
how we use it, and the choices you have. If you have any questions, contact us at
support@reflyapp.com.
1. Data we collect
- Account data — your name, email address, and a securely hashed password. We never store your password in plain text.
- Content you create — references, collections, tags, notes, PDF files you upload, and the manuscript text you paste or upload for automatic citation.
- Usage data — counts of features used (e.g. number of auto-citation runs) to enforce plan limits, plus basic technical logs.
- Payment data — if you subscribe, payment is handled by our payment processor. We receive your plan and billing status, but not your full card number.
2. How we use your data
- To provide the service: store your library, format bibliographies, and run automatic citation.
- To process manuscript text you submit — detecting claims and verifying that a real source supports each claim.
- To enforce plan quotas, secure the service, and respond to support requests.
3. Third-party services (subprocessors)
To deliver core features we share the minimum necessary data with:
- Anthropic (Claude API) — receives the manuscript/claim text you submit for citation detection and verification. Used solely to return results to you.
- NCBI PubMed, CrossRef, iCite — we send bibliographic search queries (article titles, keywords, DOIs). Your account details are not sent.
- Payment processor (e.g. Stripe / iyzico) — processes subscriptions securely; we do not store card data.
- Error monitoring (optional, e.g. Sentry) — technical error reports without your document contents.
- Cloud backup (optional) — encrypted backups stored with the storage provider you configure.
These providers may process data on servers located outside your country
(for example, the United States). We rely on their standard data-protection safeguards.
4. Data retention
We keep your data while your account is active. You can delete items at any time (soft-deleted
first, then removed), and you may request full account deletion by emailing us. Rotating backups
are kept for a limited period for disaster recovery.
5. Security
Data is encrypted in transit (HTTPS). Passwords are hashed. Each account’s data is isolated so
users cannot access one another’s libraries. Administrative operations are restricted.
6. Your rights
Depending on your location (e.g. under GDPR, the UAE PDPL, or Türkiye’s KVKK) you may have the
right to access, correct, export, or delete your personal data, and to object to certain processing.
To exercise these rights, email support@reflyapp.com.
7. Cookies
We use a single essential session cookie to keep you logged in. We do not use advertising or
cross-site tracking cookies.
8. Children
Refly is intended for researchers and professionals and is not directed to children under 16.
9. Changes
We may update this policy; material changes will be reflected by the “Last updated” date above.