Reef Insights LLC ("Reef Insights," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, and protect information when you use the Reef Intelligence platform ("Platform") and associated services. By accessing or using the Platform, you agree to the collection and use of information as described in this policy.
1. Information We Collect
Account Information
When you create an account, we collect your email address and a securely hashed version of your password. We never store your plaintext password.
Subscription and Billing Information
When you subscribe to the Platform, payment processing is handled by Stripe. Reef Insights stores your Stripe customer ID, subscription ID, subscription tier and billing interval, and subscription status. We do not store credit card numbers or payment details — these are held exclusively by Stripe.
Usage Data
- Chat history: Conversations with the AI Research Agent, including your messages and agent responses, are stored to enable session continuity and to allow you to review past research.
- Saved queries and dashboards: Query configurations and saved visualizations you create are stored in your account.
- Canvas reports: Documents you create using the Canvas feature, including all blocks, versions, and comments, are stored.
- Account activity: Login events, account setting changes, and other interactions are logged for security and auditing purposes.
API Data
If you use the Platform API, we store your API key (hashed), key configuration (name, rate limits, expiration), and logs of API requests (including endpoint, timestamp, and IP address) for security monitoring and rate limiting purposes.
Team and Organization Data
For Team and Enterprise plans, we store organization name, member email addresses, roles (owner/member), and invitation status for all members of your organization.
Session Data
We use HTTP-only session cookies to maintain your authenticated session. These cookies expire after 7 days of inactivity and are required for the Platform to function. They are not used for advertising or behavioral tracking.
Communications
If you contact us or submit feedback through the Platform, we retain your name, email address, and message content. We may send transactional emails (welcome messages, password confirmations, billing notifications) via AWS Simple Email Service.
2. How We Use Your Information
- To provide, maintain, and improve the Platform and its features
- To process payments and manage subscriptions
- To send transactional emails related to your account and subscription
- To enforce our Terms of Service and prevent abuse or unauthorized access
- To monitor API usage for rate limiting, security anomaly detection, and IP blocking
- To respond to support requests and feedback
- To comply with applicable legal obligations
- To detect and investigate potential fraud or security incidents
3. Third-Party Service Providers
We share data with the following service providers to operate the Platform:
- Stripe — Payment processing and subscription management. Payment information you provide at checkout is processed and stored directly by Stripe. Reef Insights only receives subscription status and identifiers. Subject to Stripe's Privacy Policy.
- OpenRouter — AI model routing for the Research Agent. Queries you send to the Research Agent are routed through OpenRouter to underlying AI model providers. Research queries are not tied to your personally identifiable information in these requests.
- AWS Simple Email Service (SES) — Transactional email delivery (account confirmations, billing notifications, password changes).
- External Data Sources — The Platform queries public datasets from the Federal Reserve (FRED®), U.S. Census Bureau, Realtor.com®, and Zillow®. These are read-only data lookups; your personal information is not shared with these providers.
We do not sell, rent, or share personal information with third parties for advertising or marketing purposes.
4. Cookies and Session Storage
We use a single HTTP-only session cookie to manage authentication. This cookie is set upon login and expires after 7 days of inactivity. It is strictly necessary for the Platform to function.
We do not use cookies for advertising, behavioral tracking, third-party analytics, or retargeting. You can configure your browser to refuse cookies, but this will prevent you from logging into and using the Platform.
5. Data Retention
- Account and subscription data: Retained for the duration of your account and for a reasonable period after termination as required by law or for dispute resolution.
- Chat history and saved content: Retained until you delete it or your account is terminated.
- API request logs: Retained for up to 90 days for security monitoring purposes, then purged.
- Session tokens: Expire after 7 days of inactivity and are removed from storage upon logout.
- Email communications: Retained for up to 2 years.
6. Data Security
We implement commercially reasonable security measures to protect your personal information, including:
- Passwords hashed using bcrypt with appropriate cost factors before storage
- API keys hashed using SHA-256 before storage — raw keys are never stored
- All Platform traffic encrypted in transit via HTTPS/TLS
- Session cookies set with HttpOnly and SameSite flags to prevent client-side access
- IP-based anomaly detection and blocking for API abuse prevention
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.
7. Your Rights
You have the right to:
- Access the personal information we hold about you
- Correct inaccurate personal information
- Request deletion of your personal information and account
- Export a copy of your personal data
- Opt out of non-transactional communications
- Object to certain data processing activities
To exercise these rights, contact us at legal@reefinsights.com. We will respond within 30 days.
8. California Privacy Rights (CCPA)
Under the California Consumer Privacy Act (CCPA), California residents have specific rights regarding their personal information:
- The right to know what personal information is collected, used, shared, or sold
- The right to delete personal information held by us
- The right to opt out of the sale of personal information
- The right to non-discrimination for exercising these rights
We do not sell personal information. To exercise your CCPA rights, contact us at legal@reefinsights.com.
9. Children's Privacy
The Platform is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us at legal@reefinsights.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or platform notification. Your continued use of the Platform after any changes constitutes acceptance of the updated policy.
11. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Minnesota, without regard to its conflict of law provisions.
12. Contact Us
For questions about this Privacy Policy or to exercise your rights, contact us at legal@reefinsights.com.