Privacy Policy

Last Updated: February 17, 2026

This Privacy Policy describes how Schenk Technology ApS ("we," "us," or "our") collects, uses, and processes personal data when you use our services, including the Reflekt platform, SDKs, and website (collectively, the "Services").

1. Who We Are

  • Company Name: Schenk Technology ApS
  • Jurisdiction: Denmark
  • Product: Reflekt
  • Contact: noah@schenk.technology

2. Our Dual Role (Controller vs. Processor)

To understand how we handle data, it is important to distinguish between two categories of users:

  1. Customers (Developers/Companies): If you are a developer or company signing up to use Reflekt, we act as the Data Controller of your account information.
  2. End-Users (Respondents): If you are a user interacting with surveys, forms, or feedback boards powered by Reflekt inside a third-party app or website, we act as a Data Processor. The developer of that app/website is the Data Controller, and we process data solely on their behalf.

3. Data We Collect as a Controller (Customers)

This section applies to developers and teams signing up for Reflekt.

A. What We Collect

  • Account Information: When you sign up via Google or GitHub OAuth, we collect your email address, name, and profile avatar.
  • Billing Information: Payments are processed by our Merchant of Record, Polar. We do not store your credit card details or payment instruments. We only retain transaction status and subscription tier information.
  • Usage Data: We use analytics to understand how you navigate our dashboard to improve the product.

B. How We Use This Data

  • To provide access to the Reflekt dashboard and services.
  • To communicate with you regarding your account, updates, or support.
  • To bill you for paid subscriptions.

C. Legal Basis

  • Contractual Necessity: To provide the services you signed up for, including account management, billing, and support.
  • Legal Obligation: For tax, accounting, and regulatory compliance purposes.
  • Legitimate Interest: For product analytics (via PostHog) to understand how you use our dashboard and improve the product. We balance our interest in improving our services against your privacy rights by minimizing data collection and using privacy-focused analytics.
  • Consent: For marketing communications (e.g., product updates, newsletters). You can opt out at any time via the unsubscribe link in our emails or by contacting us.

D. Retention

We keep your data as long as your account is active. You may delete your account at any time via the settings, which will erase your personal data from our active systems.


4. Data We Process as a Processor (End-Users)

This section applies to the data we handle on behalf of our Customers (Developers).

A. How We Process Data

We provide the infrastructure (SDKs and APIs) for Customers to collect feedback. We process this data strictly according to the Customer's instructions.

B. Data Types

  • Responses: The answers provided by end-users in surveys, feedback boards, or forms.
  • Respondent ID: An identifier provided by the Customer (Developer) to associate responses with a user. We strongly recommend Customers provide pseudonymous identifiers (e.g., hashed user IDs) and avoid directly identifying data (such as email addresses) unless strictly necessary for their use case.
  • Metadata: Technical details required to display the correct content, including:
    • Operating System (e.g., Android/iOS/Web)
    • App or Browser Version
    • Timestamps (e.g., shown, dismissed, or completed)

C. Local Storage (SDK Specifics)

The Reflekt SDK uses local storage on the end-user's device.

  • Purpose: To prevent spamming users with the same content and to cache definitions for offline performance.
  • Security: This data is unencrypted on the device but is generally sandboxed by the mobile OS or browser.
  • Retention: Cache generally refreshes every 24 hours and is typically cleared when the app is uninstalled or browser data is cleared.

D. Data Control & Retention

The Customer (Developer) controls this data. They can delete individual responses or entire datasets via the Reflekt dashboard. If a Customer deletes their Reflekt account, all associated End-User data is purged.

Retention: We retain End-User data until the Customer account is deleted. We do not impose automatic deletion periods on survey responses — Customers are responsible for managing data retention in accordance with their own privacy policies and applicable laws.

Note to End-Users: If you wish to access, correct, or delete your data collected via Reflekt, please contact the App Developer directly. As a processor, we cannot fulfill these requests without the Controller's authorization.

E. SDK Permissions

The Reflekt SDK does not require access to sensitive device capabilities such as contacts, location, camera, microphone, or photo library. The SDK only collects the data explicitly passed by the Customer's application code and basic technical metadata as described above.

F. Data Processing Agreement

For Customers who require a Data Processing Agreement (DPA) to comply with GDPR or other data protection regulations, we offer a standard DPA upon request. Please contact us at noah@schenk.technology to request a copy.


5. Sub-processors and Third Parties

We work with trusted third-party service providers necessary to deliver our Services and take reasonable steps to ensure appropriate data protection safeguards are in place.

Provider        | Service                       | Location                     | Role
Convex          | Database & Backend            | EU (Convex EU region)        | Sub-processor
Vercel          | Hosting & Deployment          | Global (edge infrastructure) | Sub-processor
PostHog         | Product Analytics             | EU (Europe)                  | Sub-processor
Polar           | Payments (Merchant of Record) | EU                           | Controller (for payments)
Google / GitHub | Authentication                | Global                       | Controller (for OAuth)

6. International Data Transfers

Our core application infrastructure is hosted in the European Union (EU).

Vercel: Vercel may process data globally via its edge infrastructure, including servers located in the United States and other regions. This means requests may be routed through non-EU infrastructure for performance optimization.

7. Purpose Limitation

We only process personal data for the specific purposes described in this Privacy Policy. We do not use your data for purposes incompatible with those stated, such as selling data to third parties or using End-User survey responses for our own marketing purposes.

8. Your Rights (GDPR)

If you are an EU/EEA resident, you have the following rights regarding data for which we are the Controller (Customer Data):

  • Right of Access: Request a copy of your data.
  • Right to Rectification: Correct inaccurate data.
  • Right to Erasure: Request deletion of your account (Right to be Forgotten).
  • Right to Portability: Receive your data in a structured format.
  • Right to Object: Object to processing based on legitimate interests (e.g., analytics).
  • Right to Withdraw Consent: Where processing is based on consent (e.g., marketing emails), you may withdraw consent at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. In Denmark, this is the Danish Data Protection Agency (Datatilsynet) at www.datatilsynet.dk.

To exercise these rights, please contact us at noah@schenk.technology.

9. Security

We implement appropriate technical and organizational measures to protect data, including HTTPS encryption in transit and secure database configurations. However, no method of transmission over the internet is 100% secure.

10. Support Communications

When you contact us for support via email or other channels, we may collect and process personal data contained in your communications (e.g., name, email address, message content). This data is used solely to respond to your inquiries and improve our support services. Support logs are retained for a reasonable period to ensure service quality and resolve any follow-up issues.

11. Children's Privacy

Our Services are not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. Customers are prohibited from using our SDKs to target children under 16 without obtaining verifiable parental consent.

12. Changes to this Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify Customers via email or a notice within the dashboard.