Privacy Policy

Last updated: 25 May 2025

1. Introduction

Refract ("we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services (collectively, the "Services").

Please read this policy carefully to understand our views and practices regarding your personal data and how we will treat it. By using our Services, you acknowledge you have read and understood this Privacy Policy.

For the purposes of applicable data protection legislation, including the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, Refract is the data controller of personal data collected through our Services.

If you have any questions about this Privacy Policy or our data practices, please contact us at contact@refract.to.

2. Information We Collect

We collect information in the following ways:

Information you provide to us directly

  • Account information: When you register for an account, we collect your name, email address, company name, and any other information you choose to provide.
  • Communications: If you contact us by email or through our website, we will collect the information you provide in that communication, including your name, email address, and the content of your message.
  • Payment information: If you purchase a subscription, payment is processed by our third-party payment providers. We do not store full credit card details on our servers.

Information we collect automatically

  • Usage data: We collect information about how you interact with our Services, including the features you use, the pages you visit, the time and duration of your visits, and other diagnostic data.
  • Device information: We may collect information about the device you use to access our Services, including hardware model, operating system, browser type and version, and unique device identifiers.
  • Log data: Our servers automatically record information when you access our Services, including your IP address, browser type, referring/exit pages, and timestamps.

Information from third-party platforms

  • Discord data: Where you connect a Discord server to our platform, we access and process data from that server in accordance with Discord's API Terms of Service. This may include server member counts, message metadata, channel activity, and other community analytics. We process this data solely to provide the intelligence and analytics features of our Services.
  • OAuth data: If you authenticate via Discord OAuth, we receive your Discord user ID, username, avatar, and email address (if permitted by your Discord privacy settings).

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing and improving our Services: To operate, maintain, and enhance our platform, and to develop new features and functionality.
  • Account management: To create and manage your account, authenticate you, and provide customer support.
  • Communications: To send you service-related notices, updates, security alerts, and support messages. With your consent, we may also send you marketing communications about our products and services.
  • Analytics: To understand how our Services are used, monitor performance, and improve user experience.
  • Legal obligations: To comply with applicable laws and regulations, respond to lawful requests from authorities, and protect our legal rights.
  • Safety and security: To detect, prevent, and address fraud, abuse, security risks, and technical issues.

Legal bases for processing (UK/EU users)

Where UK GDPR or EU GDPR applies, we process your personal data on the following legal bases:

  • Contract: Processing necessary to perform our contract with you (e.g. providing the Services you subscribed to).
  • Legitimate interests: Processing necessary for our legitimate business interests, such as improving our Services, preventing fraud, and ensuring security, provided these interests are not overridden by your rights.
  • Legal obligation: Processing necessary to comply with a legal obligation.
  • Consent: Where you have given us explicit consent, such as for marketing emails. You may withdraw consent at any time.

4. Sharing Your Information

We do not sell, trade, or otherwise transfer your personal data to third parties for their own marketing purposes. We may share your information in the following circumstances:

  • Service providers: We share data with trusted third-party vendors who assist us in operating our platform, such as cloud hosting providers, analytics services, payment processors, and customer support tools. These providers are contractually obligated to process data only as instructed by us and in accordance with this policy.
  • Business transfers: If Refract is involved in a merger, acquisition, asset sale, or similar transaction, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
  • Legal requirements: We may disclose your information where required to do so by law or in response to valid legal process (such as a court order or subpoena), or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • With your consent: We may share your information with third parties when you have given us explicit consent to do so.

International transfers

Some of our service providers may be based outside the UK or European Economic Area (EEA). Where we transfer personal data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the relevant authority, to protect your data in accordance with applicable law.

5. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting obligations.

When determining the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, and whether we can achieve those purposes through other means.

  • Account data: Retained for the duration of your account and for up to 2 years after account closure, unless a longer retention period is required by law.
  • Community analytics data: Retained for the duration of your subscription. Upon termination, community data is deleted or anonymised within 90 days.
  • Communication records: Retained for up to 3 years from the date of the communication for support and legal purposes.
  • Financial records: Retained for 7 years as required by tax and accounting regulations.

If you would like to request deletion of your data before the end of the applicable retention period, please contact us at support@refract.to.

6. Your Rights

Depending on your location, you may have certain rights in relation to your personal data. Under UK GDPR and EU GDPR, these include:

  • Right of access: You have the right to request a copy of the personal data we hold about you.
  • Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
  • Right to erasure: You have the right to request that we delete your personal data, subject to certain exceptions (e.g. where we are required to retain it by law).
  • Right to restrict processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
  • Right to data portability: You have the right to receive a copy of your personal data in a structured, commonly used, machine-readable format and to request that we transmit it to another controller.
  • Right to object: You have the right to object to the processing of your personal data where we rely on legitimate interests as our legal basis. You also have the right to object at any time to the processing of your data for direct marketing purposes.
  • Rights related to automated decision-making: You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects on you.

To exercise any of these rights, please contact us at contact@refract.to. We will respond to your request within one month. We may need to verify your identity before fulfilling your request.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the relevant supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

7. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, by sending you an email notification.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our Services after any changes constitutes your acceptance of the updated policy.

8. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Refract

Email (general enquiries): contact@refract.to

Email (support): support@refract.to

Website: refract.to

Refract

Community intelligence for Discord. Built for gaming studios, music labels, and talent teams who need to know what their audience is thinking.

Company

© 2026 Refract