Refyna

Privacy policy

Last updated: May 26, 2026

This privacy notice explains how Refyna handles personal data on the marketing site at refyna.io and in connection with the launch waitlist. We are committed to the GDPR and to the broader EU privacy principles of data minimization, purpose limitation, and transparency.

Who is the controller

Refyna is the data controller for personal data collected on this site. The controller is an EU-established legal entity; contact details are available on request via the waitlist form.

What we collect, why, and on what legal basis

Waitlist form

When you submit the waitlist form we store:

  • Your email address — to notify you when your early-access slot opens.
  • The timestamp of your signup — to order waitlist access fairly.
  • Your IP address — for abuse prevention and to deduplicate repeated submissions from the same network. Retained for 90 days, then deleted.
  • Your browser user-agent string and referrer — for aggregate signup-source analytics (we want to know whether you found us via search, social, or direct link).

Legal basis: consent (you submit the form to ask us to contact you). You can withdraw consent at any time by replying "unsubscribe" to any email we send, after which your record is deleted within 30 days.

Cookies

Cookie usage is covered separately in our cookie policy. In short: strictly-necessary cookies run by default; analytics, advertising, and personalization cookies only run with your consent.

Logs

Our servers automatically write request logs (URL, status code, response time, anonymized IP, user-agent). Logs are retained for 30 days for operational and security purposes, then automatically deleted. Legal basis: legitimate interest in keeping the site secure and reliable.

Who we share data with

For the marketing site (this site, before launch), data flows are:

  • Our EU hosting provider — operates the servers that run the site and store the waitlist database.
  • Cloudflare — provides DNS, DDoS protection, and edge security. Cloudflare may process anonymized request metadata.
  • Backblaze (EU region) — encrypted off-site backups of the waitlist database, GPG-encrypted before leaving our servers.
  • Sentry, Grafana Cloud — error tracking and observability. Configured to redact email addresses and other PII from logs before transmission.

All sub-processors are EU-established or operate under EU Standard Contractual Clauses with adequate supplementary measures. We do not sell personal data, ever.

Where data is stored

Primary servers and backups are in the EU. We treat EU residency as a product principle, not a checkbox, and document our sub-processor list in this policy when material changes are made.

Your rights

Under the GDPR and equivalent UK/Swiss law, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data ("right to erasure")
  • Export your data in a portable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (without affecting the lawfulness of processing before withdrawal)
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, reply to any email we've sent you from refyna.io or submit a new waitlist entry noting the right you wish to exercise; we'll route the request appropriately and respond within 30 days.

Children

Refyna is a B2B service for e-commerce professionals. We do not knowingly collect personal data from anyone under 16. If you believe a child has submitted data to us, contact us and we'll delete it.

Security

Practical measures we take:

  • TLS 1.3 for all traffic; HSTS preload
  • Encrypted backups (GPG envelope encryption)
  • Postgres row-level security on all customer tables
  • OAuth tokens encrypted at rest using envelope encryption
  • Mandatory MFA for all administrative access
  • Quarterly restore tests of the backup chain
  • Sentry-level redaction of PII in error reports

Changes to this policy

We'll update this policy when our data practices materially change. The "Last updated" date at the top of this page is the source of truth; material changes will also trigger a re-prompt of the consent banner if cookie usage is affected.