
Privacy Policy

Last Updated: January 2025

Introduction

CertNode ("we", "us", or "our") operates the Reflex automated dispute response service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Reflex service.

Information We Collect

1. Transaction Data

When you use Reflex, we collect and process:

  • Stripe charge and payment intent IDs
  • Transaction amounts and currencies
  • Customer email addresses and names
  • Billing and shipping addresses
  • Product descriptions and metadata
  • Payment timestamps and status

2. Fulfillment Evidence

To defend against disputes, we collect:

  • Delivery confirmations and tracking information
  • Customer access logs and login timestamps
  • Content download records
  • Service usage and engagement data
  • Support interaction history
  • Policy acknowledgment records

3. User Account Information

  • User ID and authentication credentials
  • Subscription status and billing information
  • Email preferences and notification settings
  • Manual override preferences for dispute handling

4. Dispute Information

  • Stripe dispute IDs and status
  • Dispute reasons and amounts
  • Evidence submitted to payment processors
  • AI-generated narratives and summaries
  • Win probability estimates
  • Dispute outcomes and resolutions

How We Use Your Information

Automated Dispute Response

  • Gathering evidence from transaction and fulfillment records
  • Generating AI-powered dispute narratives
  • Submitting comprehensive evidence to Stripe
  • Calculating win probability estimates

Communication

  • Sending email notifications about dispute responses
  • Alerting you to dispute status changes (won/lost/under review)
  • Providing confidence scores and evidence summaries

Service Improvement

  • Analyzing dispute outcomes to improve AI narratives
  • Identifying patterns in successful defenses
  • Optimizing evidence gathering strategies

Legal Compliance

  • Complying with payment processor requirements
  • Responding to legal requests and subpoenas
  • Protecting against fraud and abuse

Data Storage and Security

Storage Location

  • All data is stored in Supabase (PostgreSQL) databases
  • Encryption at rest and in transit using industry-standard protocols
  • Regular backups and disaster recovery procedures

Data Retention

  • Transaction receipts: Retained for 7 years (legal requirement)
  • Dispute records: Retained for 5 years after resolution
  • User account data: Retained while account is active
  • Email notification logs: Retained for 1 year

Security Measures

  • Role-based access controls (RLS policies)
  • API authentication via service role keys
  • Encrypted communication with third-party services
  • Regular security audits and penetration testing

Data Sharing and Disclosure

Third-Party Services

We share data with:

Stripe: Payment processing and dispute management

  • Charge and customer information
  • Evidence submissions and narratives
  • Dispute status updates

Resend: Email notification delivery

  • Recipient email addresses
  • Notification content and templates

AI Services: Evidence narrative generation

  • Anonymized transaction data
  • Product descriptions and fulfillment evidence

Legal Requirements

We may disclose information when required to:

  • Comply with court orders or legal processes
  • Protect our rights and property
  • Prevent fraud or security threats
  • Cooperate with law enforcement

User Rights and Controls

Access and Portability

  • View all your transaction and dispute data in the Founder Dashboard
  • Export your data in machine-readable formats
  • Request copies of all information we hold about you

Correction and Deletion

  • Update your account information and preferences
  • Request correction of inaccurate data
  • Request deletion of your account and associated data (subject to legal retention requirements)

Manual Override Controls

  • Disable Reflex autopilot globally via user settings
  • Exclude specific disputes from automated response
  • Opt out of email notifications

GDPR Compliance (EU Users)

Legal Basis for Processing

  • Contractual necessity: Processing required to provide Reflex service
  • Legitimate interests: Fraud prevention and service improvement
  • Consent: Email notifications (can be withdrawn)

Your GDPR Rights

  • Right to access your data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent

CCPA Compliance (California Users)

Your California Rights

  • Right to know what data we collect
  • Right to delete personal information
  • Right to opt out of data sales (we do not sell data)
  • Right to non-discrimination

Do Not Sell: We do not sell your personal information to third parties.

Contact Us

For privacy-related questions or requests:

Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated "Last Updated" date. Continued use of Reflex after changes constitutes acceptance.

Effective Date: January 1, 2025
By using Reflex, you acknowledge that you have read and understood this Privacy Policy.