Privacy Policy

1. Who is responsible

MEKreflect D.O.O. (North Macedonia, in formation) is the controller of personal data processed by the hosted Service. Contact: info@mekreflect.com.

2. Where your data is hosted

The Service runs on Supabase (database and authentication, hosted in the EU, region eu-central-1) and Vercel (application hosting). Your AI model requests go to the AI provider whose key you supply, under that provider's own terms.

3. What we store

To run the Service for you, we store:

• Your account email (held by Supabase Auth for sign-in).
• Your organizations and their members.
• Your conversations and messages — your chat history with the agents.
• Runs — the audit log of what the agents did.
• Your memory — the context the agents carry forward for you.
• Your AI provider API keys (BYOM) — encrypted at rest with AES-256-GCM, used server-side only, and never returned to your browser.

Each organization's data is isolated by row-level security (RLS), so one organization cannot read another's data.

4. How we use it

We process your data only to operate the Service for you: to authenticate you, run the agents on your chosen model, keep your history and audit log, and maintain your memory. We do NOT train any model on your conversations. We do NOT pool or sell your keys or your data.

5. Your rights

Under the GDPR and North Macedonia data-protection law, you can ask us to give you access to your personal data, export it, or erase it. To exercise these rights, contact us and we will respond within the period required by applicable law.

6. Retention

We keep your data for as long as your account is active or as needed to provide the Service. When you ask us to erase your account, we delete your personal data, subject to any record we must keep by law.

7. Contact

For any privacy question or request, contact info@mekreflect.com.