Privacy Policy
Last updated: July 14, 2026 · Early access
This page is maintained by the REACH team and describes how REACH handles data today. It is not a certification.
Data we collect
- Account: email, hashed password, timezone, sign-in timestamps.
- Profile: your handle, display name, and short bio — visible at your public
/u/<handle>address. - Policy: the categories you accept, blocked keywords, minimum message length, and availability summary.
- Requests: the structured request content (title, message, category, offered value), plus AI-assigned relevance and spam scores.
- Messages: replies exchanged inside a request thread.
- Product analytics: anonymous, aggregated page-view counts via Plausible. No cookies, no cross-site tracking, no IP retention.
What we do NOT collect
- Third-party ad-tracking cookies.
- Location tracking beyond coarse country from server logs.
- The content of your other inboxes, calendars, or messages.
Why we hold it
- To let people find your public address and send you requests.
- To triage incoming requests according to your policy.
- To enforce rate limits and prevent abuse.
- To secure the service and comply with law.
Who processes it (subprocessors)
- Lovable Cloud (Supabase infrastructure): hosts our database, authentication, and API.
- Lovable AI Gateway: classifies incoming requests (relevance, spam, category). Only the request title, message, category, and recipient bio are sent. Content is not used to train models.
- Plausible Analytics: cookieless page-view counts.
Retention
Account and request data are retained while your account is active. Deleting your account removes your profile and policy immediately; request history may be retained in a limited form for abuse prevention and legal reasons.
Your rights
You can view your profile, change your policy, and delete your account at any time from the app. To request an export or deletion of the request history visible to you, contact us through the address on any REACH product email you've received.
Security
Data is protected in transit with HTTPS and at rest by our infrastructure provider. Access to production data is limited to the REACH team members who need it. Passwords are hashed and checked against known-leaked password databases before being accepted.
Changes
We may update this policy as REACH evolves. Material changes will be announced on the site or by email.
See also our Terms of Service.