Privacy policy

What we collect

When you create a Refract account, we collect:

• Your email address and display name (provided via Clerk authentication)
• Effects you create, including shader code, 3D scene code, and configuration data
• API keys you generate for MCP access
• Basic usage analytics (page views, feature usage) to improve the product

We do not collect payment information directly. All billing is handled by Stripe, which maintains its own privacy policy.

How we use your data

Your data is used to:

• Provide and maintain the Refract service
• Store and serve your effects via embed URLs
• Authenticate API requests using hashed API keys
• Send transactional emails related to your account
• Improve product quality and fix bugs through anonymized analytics

We do not sell, rent, or share your personal data with third parties for marketing purposes.

Embeds and public content

Effects you create on Refract are accessible via public embed URLs. Anyone with the embed URL can view the rendered effect. Embed URLs do not expose your account information, source code, or personal data — only the compiled visual output.

If you delete an effect, its embed URL will stop working immediately.

Third-party services

Refract uses the following third-party services:

• Clerk — authentication and user management
• Stripe — payment processing for Pro subscriptions
• Neon — PostgreSQL database hosting
• Railway — application hosting

Each service has its own privacy policy governing how they handle data.

Cookies

Refract uses essential cookies for authentication (session management via Clerk). We do not use advertising cookies or third-party tracking cookies.

Data retention

Your account data and effects are retained for as long as your account is active. If you delete your account, we will remove your personal data and effects within 30 days. Anonymized analytics data may be retained indefinitely.

Data security

API keys are stored as SHA-256 hashes — we never store your raw key after creation. All traffic is encrypted via HTTPS. Database access is restricted to authorized services only.

Your rights

You can:

• Access, update, or delete your account data at any time from within the app
• Delete individual effects and their associated embed URLs
• Revoke API keys instantly from the API Keys settings page
• Request a full export of your data by contacting us

Children

Refract is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly.

Changes

We may update this policy from time to time. Significant changes will be communicated via email or an in-app notice. Continued use of Refract after changes constitutes acceptance of the updated policy.

Contact

Questions about this policy? Reach us at support@refract.build.