Privacy Policy
Last updated: April 2026
1. Overview
refrme ("we", "us", "our") is committed to protecting the privacy of your personal information. This policy outlines how we collect, use, store, and disclose personal information in accordance with the Australian Privacy Act 1988, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable privacy and data protection laws.
2. Information We Collect
We collect the following types of personal information:
- Professionals (paying users): Name, email address, business name, phone number, and payment information (processed by Stripe)
- Referral partners (free users): Name and email address
- Abbreviated client names (first name and last initial only — we do not store full client names)
- Prospect stage and progress information
- Account credentials (passwords are hashed and never stored in plain text)
- Email notification consent records (timestamps of when consent was given or withdrawn)
We follow the principle of data minimisation and only collect information that is necessary to provide the service. We do not collect phone numbers for referral partners.
3. How We Collect Information
Directly from you: When you create an account, claim a partner account, or update your profile.
From third parties: When a professional adds you as a referral partner, they provide your name and email address to our platform. This information is used solely to enable the referral tracking service. When you claim your account, you are presented with a full privacy notice and asked to acknowledge this data collection.
We do not purchase, scrape, or otherwise obtain personal information from data brokers or public sources.
4. How We Use Your Information
We use personal information to:
- Provide and maintain the refrme platform
- Send prospect progress notifications to referral partners who have given express consent
- Communicate service updates and account information
- Process payments and manage subscriptions
We do not sell, rent, or trade your personal information to third parties. We do not send marketing emails to referral partners. We have not sold or shared personal information in the preceding 12 months.
5. Email Notifications and Consent
We only send automated email notifications to referral partners who have given express consent. Consent is collected when a partner claims their account through a clear, unticked checkbox. Partners can withdraw consent at any time from their dashboard.
Professionals who invite partners share invite links directly (via their own email, messaging, or in person). refrme does not send unsolicited emails to individuals who have not created an account and consented.
All notification emails include an unsubscribe link and sender identification in compliance with the Australian Spam Act 2003, CAN-SPAM Act (US), CASL (Canada), and the EU ePrivacy Directive. We maintain records of consent including who gave consent, when, and how.
6. Legal Basis for Processing (GDPR / UK GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases:
- Contract: Processing necessary to provide the refrme service to you
- Consent: Email notifications are only sent with your express consent, which you can withdraw at any time
- Legitimate interest: Account administration, security, and fraud prevention
7. Your Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have additional rights under the CCPA and CPRA:
- Right to know: You may request details about the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell or share your personal information as defined by the CCPA/CPRA.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined by the CPRA beyond what is necessary to provide the service.
To exercise these rights, email hello@refrme.net. We will verify your identity before processing your request and respond within 45 days as required by law.
Categories of personal information collected: Identifiers (name, email), commercial information (subscription status), and internet activity (authentication logs). We collect this information for the business purposes described in Section 4.
8. Data Storage and Security
Your data is stored securely using Supabase infrastructure with row-level security policies, encrypted connections (TLS), and hashed authentication credentials. Access to personal information is restricted to authorised personnel only.
Data is stored and processed in data centres operated by our third-party providers, which may be located in the United States, European Union, or Australia. Where data is transferred outside of the EEA or UK, we rely on the safeguards provided by our processors (including Standard Contractual Clauses where applicable). We have data processing agreements in place with all processors in accordance with GDPR Article 28.
9. Data Retention
We retain your personal information for as long as your account is active or as needed to provide our services. When a professional cancels their subscription, their data is retained for 30 days before permanent deletion, unless they request immediate deletion. Partner data associated with a cancelled professional account is retained for the partner's continued access until the partner also requests deletion.
Transactional email content is deleted from our systems immediately after successful delivery.
10. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your personal information
- Withdraw consent for email notifications at any time
- Request a copy of your data in a portable format (GDPR/UK GDPR)
- Object to processing of your personal information (GDPR/UK GDPR)
- Request details about what information we collect and how we use it (CCPA/CPRA)
- Lodge a complaint with the relevant data protection authority in your jurisdiction
To exercise any of these rights, email us at hello@refrme.net. We will respond to all data access, correction, and deletion requests within 30 days (or 45 days for CCPA/CPRA requests). If we need additional time, we will notify you of the reason and the expected timeframe.
For Australian users, the relevant authority is the Office of the Australian Information Commissioner (OAIC). For EU users, you may contact your local supervisory authority. For UK users, the relevant authority is the Information Commissioner's Office (ICO). California residents may also contact the California Attorney General's office.
11. International Data Transfers
refrme operates globally, and your personal information may be transferred to, and processed in, countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country. We apply appropriate safeguards to ensure that your personal information remains protected in accordance with this policy, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA
- International Data Transfer Agreement (IDTA) or UK Addendum for transfers from the UK
- Data processing agreements with all third-party processors
12. Cookies and Technical Data
refrme uses essential cookies for authentication and session management. These cookies are strictly necessary for the service to function and cannot be disabled. We do not use tracking, advertising, or analytics cookies.
- Authentication cookies: Used to keep you logged in and maintain your session
- Preference cookies: Used to store your display preferences (e.g. theme)
We collect IP addresses for the purposes of rate limiting, fraud prevention, and security. IP addresses are not linked to user profiles and are not shared with third parties. We do not use IP addresses for tracking, advertising, or profiling.
13. Third-Party Services
We use the following third-party services to operate refrme:
- Supabase: Database and authentication
- Stripe: Payment processing (we do not store credit card details)
- Resend: Email delivery
- Vercel: Application hosting
- Sentry: Error monitoring (no personal data is intentionally sent)
Each service processes data in accordance with its own privacy policy. We have data processing agreements in place with these providers where required by applicable law.
14. Children's Privacy
refrme is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.
15. Data Breaches
In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the relevant authorities as required by applicable law, including the Notifiable Data Breaches scheme under the Australian Privacy Act, GDPR Articles 33 and 34, the UK Data Protection Act, and applicable US state breach notification laws.
16. Do Not Track
refrme does not track users across third-party websites. We honour Do Not Track (DNT) browser signals by default, as we do not engage in any cross-site tracking.
17. Changes to This Policy
We may update this privacy policy from time to time. If we make material changes, we will notify you via email or through the platform at least 30 days before the changes take effect. Continued use of refrme after changes constitutes acceptance of the updated policy.
18. Contact
If you have questions about this policy, wish to exercise your privacy rights, or want to request deletion of your data, contact us at hello@refrme.net.