Privacy Policy
How we collect, use, store, and protect your personal data.
Last updated: January 12, 2026
1. Introduction
This Privacy Policy explains how Served.ch LLC ("Company," "we," "us," or "our") collects, uses, stores, and protects personal data when you use the ReflectRally platform and services ("Service").
ReflectRally is an architecture decision governance platform that helps software teams document, track, and govern architectural decisions. We are committed to protecting your privacy and handling your data transparently.
Our commitment: We do not sell your personal data. We collect only what is necessary to provide and improve our Service. Your architectural decisions and content belong to you and your organization.
By using ReflectRally, you agree to the collection and use of information as described in this Privacy Policy. This policy should be read alongside our Terms of Service.
2. Key Definitions
To help you understand this Privacy Policy, here are definitions of key terms:
2.1 Personal Data
Any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2.2 Data Controller
The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
2.3 Data Processor
A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
2.4 Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2.5 Special Categories of Personal Data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
2.6 Consent
Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3. Data Controller
The data controller responsible for your personal data is:
Served.ch LLC
Chemin du Pélard 13
1197 Prangins
Switzerland
Email: hello@reflectrally.com
Company ID: CHE-383.329.924
As a Swiss company, we comply with the Swiss Federal Act on Data Protection (FADP) and, where applicable to our users, the EU General Data Protection Regulation (GDPR).
4. Data We Collect
We collect different categories of data depending on how you interact with our Service:
4.1 Account Information
When you create an account, we collect:
| Data Type | Purpose | Required |
|---|---|---|
| Email address | Account identification, login, notifications | Yes |
| Name | Display name, attribution on decisions | Optional |
| Password (hashed) | Authentication (credential login only) | Conditional |
| Profile image | User identification within teams | Optional |
4.2 Organization Data
When you create or join an organization, we collect:
- Organization name and identifier (slug)
- Member list and role assignments (owner, admin, member, viewer)
- Invitation records (inviter, invitee email, status)
- Billing status and subscription plan
4.3 Your Content
Content you create within the Service includes:
- Architectural Decision Records (ADRs): Title, context, decision, consequences, status
- Assumptions: Statements underlying decisions and their validity state
- Dependencies: Relationships between decisions
- Signals: Indicators that decisions may need attention
- Reviews and comments: Approval workflows and discussion
- Notifications: System-generated alerts about decision activity
Note: Your Content may contain personal data about individuals mentioned in architectural decisions (e.g., decision owners, reviewers). Your organization is responsible for ensuring appropriate use of such data.
4.4 Usage and Technical Data
We automatically collect:
- Session data: Login timestamps, session tokens, last active organization
- Device information: Browser type, operating system, device type
- Access logs: IP addresses, pages visited, features used
- Performance data: Load times, errors, service health metrics
4.5 Billing Data
For paid subscriptions, billing is processed by Paddle. We store:
- Paddle subscription ID and customer ID
- Subscription status and plan type
- Billing period dates
- Seat limits and usage
We do not store credit card numbers, bank account details, or other payment credentials. These are handled entirely by Paddle.
5. How We Collect Data
5.1 Data You Provide Directly
- Creating an account and entering profile information
- Creating organizations and inviting members
- Writing architectural decisions, assumptions, and other content
- Contacting us via email or support channels
5.2 Data Collected Automatically
- Server logs when you access the Service
- Analytics data about feature usage
- Cookies and similar technologies (see Section 12)
5.3 Data from Third Parties
- OAuth providers: If you sign in with GitHub, Google, or other OAuth providers, we receive your email, name, and profile picture from those services
- Paddle: Subscription and billing status updates via webhooks
- Invitation links: When you accept an invitation, we link your account to the inviting organization
6. Legal Basis for Processing
We process your personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service (account, content storage) | Contract performance |
| Processing payments and subscriptions | Contract performance |
| Sending service-related notifications | Contract performance |
| Security monitoring and fraud prevention | Legitimate interest |
| Analytics and service improvement | Legitimate interest |
| Marketing communications (optional) | Consent |
| Legal compliance and dispute resolution | Legal obligation |
Where we rely on legitimate interest, we have balanced our interests against your rights and determined that the processing is proportionate and does not override your fundamental rights.
7. How We Use Your Data
7.1 Service Delivery
- Authenticating you and managing your account
- Storing and displaying your architectural decisions and content
- Enabling organization features (membership, roles, invitations)
- Sending notifications about decision activity, reviews, and attention items
- Processing subscriptions and managing billing
7.2 Service Improvement
- Understanding how features are used to prioritize development
- Identifying and fixing bugs and performance issues
- Analyzing usage patterns to improve user experience
7.3 Security and Compliance
- Detecting and preventing unauthorized access or abuse
- Maintaining audit logs for security purposes
- Complying with legal obligations and responding to lawful requests
7.4 Communications
- Sending essential service notifications (password resets, security alerts)
- Providing customer support
- Sending product updates and announcements (with your consent)
8. Data Sharing and Third Parties
We share your data only as described below. We do not sell your personal data.
8.1 Within Your Organization
Your name, email, and role are visible to other members of organizations you belong to. Content you create (decisions, assumptions, comments) is visible to organization members according to their roles.
8.2 Data Processors
As the Data Controller, Served.ch LLC appoints the following Data Processors to assist with processing personal data. All processors are bound by Data Processing Agreements (DPAs) that ensure GDPR-compliant processing. We have specifically chosen European providers where possible to ensure GDPR compliance:
| Provider | Purpose | Location | Data Shared |
|---|---|---|---|
| Scalingo | Application hosting and PostgreSQL database | France (EU) | All Service data (encrypted) |
| Paddle | Payment processing (Merchant of Record) | UK/EU | Billing name, email, country, transaction data |
| Vercel | Marketing website and client application hosting, analytics | EU edge nodes | Page visits, anonymized usage data |
| Brevo | Transactional emails | France (EU) | Email addresses, notification content |
European-first infrastructure: Our core application and database are hosted by Scalingo, a French company using European-owned infrastructure (Outscale/3DS). Your data never leaves the European Union for primary processing and storage.
Our processors are contractually bound to protect your data and use it only for the purposes we specify. We ensure appropriate data protection agreements, including Data Processing Agreements (DPAs) where required, are in place with all providers handling personal data.
These processors may appoint sub-processors with our prior written consent. We maintain a current list of all processors and sub-processors, which is available upon request by contacting us at hello@reflectrally.com.
8.3 OAuth Providers
If you use OAuth authentication (GitHub, Google, etc.), those providers may receive confirmation that you logged into ReflectRally. We receive limited profile data from them as described in Section 5.3.
8.4 Legal Requirements
We may disclose data if required by law, court order, or governmental authority, or if we believe disclosure is necessary to:
- Protect our rights, property, or safety
- Prevent fraud or security threats
- Comply with legal process
8.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you of any such change.
9. International Data Transfers
Served.ch LLC is based in Switzerland, which is recognized by the European Commission as providing an adequate level of data protection.
9.1 European Data Residency
All primary data processing and storage occurs within the European Union. Our application servers and databases are hosted by Scalingo in France, using infrastructure provided by Outscale (a subsidiary of Dassault Systèmes, 3DS), a European-owned cloud provider.
This means:
- Your architectural decisions, account data, and organization content are stored exclusively in EU data centers
- Database backups are stored within the EU
- No data is transferred to the United States or other non-adequate countries for primary processing
9.2 GDPR Compliance
We have designed our infrastructure to be fully compliant with the General Data Protection Regulation (GDPR):
- EU hosting: Application and database hosted in France by Scalingo
- EU-owned infrastructure: Scalingo uses Outscale (3DS), avoiding reliance on US cloud providers subject to CLOUD Act or FISA 702
- Swiss company: Served.ch LLC benefits from Switzerland's adequacy status and strong data protection laws (FADP)
- Data Processing Agreements: We maintain DPAs with all sub-processors
9.3 Limited Non-EU Processing
Some ancillary services may process limited data outside the EU:
- Paddle (payments): May process billing data in the UK (adequacy decision in place)
- OAuth providers: If you use GitHub/Google login, authentication occurs via their global infrastructure
For any transfers outside the EU/EEA, we ensure appropriate safeguards are in place, including:
- Transfers to countries with EU adequacy decisions (Switzerland, UK)
- Standard Contractual Clauses (SCCs) approved by the European Commission
You may request information about specific transfer mechanisms by contacting us.
10. Data Retention
We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this Policy:
| Data Type | Retention Period |
|---|---|
| Account data (active accounts) | Duration of account |
| Account data (after deletion) | 30 days (recovery period), then anonymized or deleted |
| Organization content | Duration of organization, plus 30 days after deletion |
| Billing records | 7 years (legal requirement) |
| Server access logs | 90 days |
| Support correspondence | 3 years after resolution |
10.1 Deleted Users in Organizations
When a user is deleted but was a decision owner or reviewer, we retain an anonymized reference (e.g., "Former member (U7K3)") to maintain decision history integrity. No identifiable personal data is retained.
10.2 Backup Retention
Backups are retained for disaster recovery purposes and are purged according to our backup rotation policy (typically 30-90 days).
11. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
11.1 Right of Access
You can request a copy of the personal data we hold about you. Much of this is available directly in your account settings.
11.2 Right to Rectification
You can update or correct your account information at any time through your account settings.
11.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your account and personal data. Note that:
- Organization content you created may be retained (with anonymized attribution) for the organization's records
- Some data may be retained for legal compliance (e.g., billing records)
- Organization owners must transfer ownership before account deletion
11.4 Right to Data Portability
You can export your data in a machine-readable format. Export functionality is available within the Service, or you may request an export by contacting us.
11.5 Right to Restrict Processing
You can request that we limit how we use your data in certain circumstances.
11.6 Right to Object
You can object to processing based on legitimate interest. We will cease processing unless we have compelling legitimate grounds.
11.7 Right to Withdraw Consent
Where processing is based on consent (e.g., marketing emails), you can withdraw consent at any time.
11.8 Exercising Your Rights
To exercise any of these rights, contact us at hello@reflectrally.com. We will respond within 30 days. We may need to verify your identity before processing requests.
11.9 Complaints
If you believe we have violated your data protection rights, you may lodge a complaint with your local data protection authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC).
13. Security Measures
We implement technical and organizational measures to protect your data:
13.1 Technical Measures
- Encryption in transit: All data transmitted to and from ReflectRally uses TLS/HTTPS encryption
- Encryption at rest: Databases and backups are encrypted
- Password security: Passwords are hashed using industry-standard algorithms (never stored in plaintext)
- Session management: Secure session tokens with automatic expiration
- Access controls: Role-based access within the application
13.2 Organizational Measures
- Access to production data is limited to authorized personnel
- Regular security reviews and updates
- Incident response procedures
- Vendor security assessments
13.3 Your Responsibilities
You are responsible for:
- Using a strong, unique password
- Keeping your login credentials confidential
- Reporting suspected security incidents to hello@reflectrally.com
13.4 Breach Notification
In the event of a data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law.
14. Children's Privacy
ReflectRally is designed for business use and is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16.
If you believe a child under 16 has provided us with personal data, please contact us at hello@reflectrally.com and we will delete that information.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will post the updated policy on this page with a new "Last updated" date
- For material changes, we will notify you via email or prominent in-app notice
- Continued use of the Service after changes take effect constitutes acceptance
We encourage you to review this page periodically.
16. Contact Us
If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your data, contact us:
Served.ch LLC
Chemin du Pélard 13
1197 Prangins
Switzerland
Email: hello@reflectrally.com
We aim to respond to all inquiries within 30 days.