Privacy Policy

Last updated: April 2, 2026

Refrly (“we,” “us,” or “our”) operates the Refrly platform at refrly.net. This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and what rights you have regarding your data. By using our platform, you agree to the practices described in this policy.

1. Information We Collect

1.1 Account Information (Registered Users)

When you create an account, we collect the following:

  • Required: Name, email address, password (stored only as a bcrypt hash — we never store your plaintext password)
  • Optional profile data: Profile photo, country, city, website URL, social media links, categories/skills, and any additional professional information you provide

1.2 Recommendation Data

When you write a recommendation, we collect:

  • Recommendation text, ratings, and category
  • Project details (type, timeline)
  • Your role and company information at the time of the project
  • Your chosen display name preference (full name, partial name, or role only)

Approved recommendations are publicly visible by design. See Section 3 for details on the approval process.

1.3 Information About Non-Registered Individuals

When a user recommends someone who does not yet have a Refrly account, the recommender provides:

  • Name: Used to identify the recommended person on the platform
  • Email address: Used solely to (a) send a one-time invitation email, (b) allow the person to claim their profile if they choose to register, and (c) enable opt-out

Legal basis for processing: We process this information based on the legitimate interest of enabling professional peer recommendations. The recommended individual is promptly notified and given the ability to opt out (see Section 6.2). The recommendation remains in pending status and is not publicly visible until the recommended person approves it.

1.4 Automatically Collected Data

  • Server logs: IP address, browser type, pages visited, and timestamps (retained for 90 days, then automatically deleted)
  • Rate limiting data: IP address and email address used for security rate limiting (login attempts, form submissions). Automatically purged after the rate limit window expires (15 minutes to 1 hour depending on the action).

2. How We Use Your Information

We use your information for the following specific purposes:

| Data | Purpose |
| --- | --- |
| Name & email | Account creation, authentication, email verification, password resets, and transactional notifications |
| Profile information | Public display on your profile page and in search/browse results |
| Recommendation content | Public display of approved recommendations, platform analytics, and quality assurance |
| Non-registered person’s email | Invitation email delivery, profile claiming, and opt-out processing only |
| IP address | Security (rate limiting, abuse prevention) and server logs |
| Password (hashed) | Authentication only — never shared, never stored in plaintext |
| Session cookies | Login state and CSRF protection only |

We do not use your information for advertising, profiling, automated decision-making, or any purpose not listed above.

3. Public Display of Information (Third-Party Provision)

Refrly is a platform for professional recommendations. By its nature, certain information is made publicly accessible:

  • Profiles: Name, categories, country, city, and website/social links are publicly visible on your profile page.
  • Recommendations: Approved recommendation text, ratings, project type, and the recommender’s display name are publicly visible.
  • Email addresses are never displayed publicly.

Approval process: Recommendations are not published immediately. They are created in a pending state and become publicly visible only after the recommended creative explicitly approves them. The creative may also reject a recommendation, in which case it is never published. Recommendations that receive no response within 30 days automatically expire and are not published.

Legal basis: Public display of approved recommendations is based on the explicit consent of both the recommender (who submits the recommendation) and the recommended creative (who approves it). You may withdraw consent by deleting your account or contacting us.

4. Information Sharing with Third Parties

We do not sell, rent, or trade your personal information to any third party. We share personal information only in the following limited circumstances:

  • Public platform content: As described in Section 3, approved recommendations and profiles are publicly visible.
  • Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
  • Safety: We may disclose information when we believe in good faith that disclosure is necessary to protect the rights, safety, or property of Refrly, our users, or the public.

5. Cookies

We use session cookies only. These cookies are essential for the platform to function and are used solely for authentication (maintaining your login state) and security (CSRF protection). Session cookies are temporary and are deleted when you close your browser or when your session expires. We do not use tracking cookies, advertising cookies, or any third-party analytics services.

6. Your Rights

6.1 Registered Users

  • Access & edit: You can view and edit your profile information at any time from your dashboard.
  • Recommendation management: If you are a recommended creative, you can approve or reject pending recommendations from your dashboard.
  • Account deletion: You can delete your account from your dashboard settings. See Section 7 for details on what happens to your data.
  • Data portability: You may request a machine-readable copy of your personal data (see Section 6.3).

6.2 Non-Registered Individuals (Recommended Persons)

  • Opt-out: You can opt out via the link included in your invitation email. This immediately removes your email address and name from our system without requiring you to create an account. Once you opt out, no further recommendations can be submitted for your email address.
  • Pending recommendations: Recommendations written about you remain in pending status (not publicly visible) until you register and approve them. You are under no obligation to register or approve.
  • Contact us: You may also contact us directly to request removal of your information.

6.3 Data Access, Correction, and Deletion Requests

You have the right to request access to, correction of, or deletion of your personal information. To submit a request:

  • How to request: Send an email to privacy@refrly.net or use our contact form.
  • Required information: Your full name and the email address associated with your account (or the email address used in a recommendation, for non-registered individuals). We may ask for additional verification to confirm your identity.
  • Response time: We will acknowledge your request within 7 days and complete it within 30 days of receipt. If we need additional time (up to 30 more days), we will notify you of the delay and the reason.
  • Cost: There is no fee for submitting a data request.

If you are unsatisfied with our response, you may file a complaint with the relevant data protection authority (see Section 11 for EU residents, or Japan’s Personal Information Protection Commission for Japanese residents).

7. Data Retention

We retain your data according to the following schedule:

| Data Type | While Account Active | Upon Account Deletion |
| --- | --- | --- |
| Email & password hash | Retained | Immediately deleted |
| Profile information (name, photo, categories, etc.) | Retained | Immediately deleted |
| Recommendations you wrote | Retained | Deleted |
| Recommendations written about you | Retained | Recommendation text is anonymized (author attribution removed); not deleted, as the recommender retains rights to their content |
| Server/access logs | 90 days | Automatically deleted after 90 days |
| Rate limiting records | 15 min – 1 hour | Automatically purged |
| Non-registered person’s email (opt-out) | N/A | Immediately deleted upon opt-out |

8. Security

We implement industry-standard security measures to protect your personal information:

  • Encryption: All data is transmitted over HTTPS (TLS)
  • Password security: Passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.
  • CSRF protection: All form submissions are protected against cross-site request forgery
  • Content Security Policy: Strict CSP headers prevent cross-site scripting attacks
  • Rate limiting: Automated protection against brute-force attacks on login, registration, and other sensitive endpoints
  • Session security: Cookies are set with Secure, HttpOnly, and SameSite=Lax flags

9. Data Breach Response

In the event of a data breach that may affect your personal information, we will:

  • Investigate immediately upon discovery to determine the scope and impact of the breach
  • Notify affected users via email within 72 hours of confirming the breach, including a description of the breach, the types of data involved, and recommended actions
  • Notify relevant authorities as required by applicable law (including Japan’s Personal Information Protection Commission and/or EU supervisory authorities where applicable)
  • Take corrective action to contain the breach and prevent recurrence, which may include forced password resets and enhanced security measures
  • Document the incident internally with a full timeline, impact assessment, and remediation steps

10. Children’s Privacy

Refrly is not intended for users under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has created an account, please contact us and we will promptly delete the account.

11. Additional Rights for EU Residents (GDPR)

If you are a resident of the European Economic Area (EEA), you have the following additional rights under the General Data Protection Regulation (GDPR):

  • Right to data portability: You may request your personal data in a structured, commonly used, machine-readable format (JSON).
  • Right to erasure (“right to be forgotten”): You may request deletion of all your personal data, subject to any overriding legal obligations we may have.
  • Right to restrict processing: You may request that we limit how we use your data while a complaint is being resolved.
  • Right to object: You may object to our processing of your data based on legitimate interests.
  • Right to lodge a complaint: You may file a complaint with your local EU data protection supervisory authority.

To exercise any of these rights, please contact us at privacy@refrly.net. We will respond within 30 days as outlined in Section 6.3.

12. Additional Rights for Japanese Residents (APPI)

If you are a resident of Japan, you have rights under the Act on the Protection of Personal Information (APPI), including:

  • Right to disclosure: You may request disclosure of the personal information we hold about you.
  • Right to correction: You may request correction of inaccurate personal information.
  • Right to cessation of use: You may request that we stop using your personal information if it was collected improperly or is no longer necessary for the stated purpose.
  • Right to cessation of third-party provision: You may request that we stop providing your personal information to third parties.
  • Complaints: You may contact Japan’s Personal Information Protection Commission (PPC) if you are unsatisfied with our response.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify registered users by email. Your continued use of the platform after changes constitutes acceptance of the updated policy.

14. Contact

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your information is handled: