Privacy Policy

Effective Date: April 13, 2026

Reyly ("we," "our," or "us") operates a subscription-based savings optimization platform that helps consumers identify opportunities to reduce their recurring bills across wireless, internet, and streaming services. This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your data.

By using the Reyly website, mobile application, or any associated services (collectively, the "Platform"), you agree to the practices described in this policy. If you do not agree, please do not use the Platform.

1. Information We Collect

1.1 Information You Provide Directly

When you create an account, subscribe, or use the Platform, we collect:

• Account details: first name, last name, email address, mobile phone number
• Authentication credentials: password (stored as a one-way hash — never in plain text) and, if you use Google Sign-In, your Google account identifier
• Billing information: payment card details (processed and tokenized by Stripe or PayPal — Reyly never stores raw card numbers), PayPal account identifier, and billing address
• Service inputs: your current wireless carrier and plan, internet provider and plan, streaming subscriptions, and ZIP code — used to calculate your potential savings
• Profile preferences: notification preferences, email opt-ins, and communication settings
• Support communications: messages you send through our help center or contact forms

1.2 Information Collected Automatically

When you access the Platform, we and our service providers automatically collect:

• Device and browser data: IP address, browser type and version, operating system, device identifiers
• Usage data: pages viewed, features used, session duration, click patterns, and navigation paths
• Cookies and similar technologies: see Section 6 for details
• Crash and error reports: technical error logs collected via Sentry for debugging and stability monitoring

1.3 Information From Third Parties

We may receive information about you from:

• Google: if you use Google Sign-In, we receive your name and email address from Google
• Stripe and PayPal: payment status, transaction identifiers, and fraud signals
• Twilio: delivery status for SMS one-time passwords (OTPs) and notifications
• FCC Broadband Data Collection (BDC) API: broadband availability and provider data by ZIP code, used to power internet savings recommendations — no personally identifiable information is shared with the FCC
• Affiliates: if you clicked a referral link before signing up, the affiliate's identifier is associated with your account

2. How We Use Your Information

2.1 Providing and Improving the Platform

• Creating and managing your account and membership
• Calculating your potential savings across wireless, internet, and streaming services
• Processing subscription payments, digital pass purchases, and refunds
• Managing your wallet, perks, and digital pass inventory
• Sending invoices and payment confirmations
• Responding to your support requests

2.2 Communications

• Sending transactional emails and SMS messages: account verification OTPs sent to your registered mobile number, payment receipts, trial reminders, payment failure alerts, grace period warnings, and perk expiration notices
• Sending push notifications to your mobile device for key account events (if you grant permission)
• Sending critical alerts via SMS to your registered mobile number, including payment reminders, subscription renewal notices, and account security notifications
• Sending marketing communications if you have opted in — you may opt out at any time

2.3 Security and Fraud Prevention

• Verifying your identity via OTP sent to your registered mobile number during sign-up and sensitive account changes
• Detecting and preventing fraudulent account creation, self-referrals, and affiliate cookie manipulation
• Monitoring for unauthorized access and enforcing rate limits

2.4 Analytics and Product Development

• Understanding how users interact with the Platform to improve features
• Debugging errors and crashes using aggregated technical logs
• Measuring the effectiveness of our savings recommendations

2.5 Legal and Compliance

• Maintaining audit logs of account changes, payment events, and admin actions as required for financial and regulatory compliance
• Responding to lawful requests from courts or government agencies

3. How We Share Your Information

We do not sell your personal information. We share it only in the following circumstances:

3.1 Service Providers

We share data with vendors who help us operate the Platform, including:

• Stripe — payment processing, subscription management, Apple Pay facilitation
• PayPal — alternative subscription and digital pass payment processing
• Twilio — SMS delivery for OTPs and account alerts
• SendGrid — transactional and marketing email delivery
• Google — authentication services (Google Sign-In)
• Firebase (Google) — push notification delivery for mobile
• Sentry — error tracking and crash reporting
• FCC BDC API — broadband data lookups by ZIP code (no PII transmitted)

These providers are contractually prohibited from using your data for their own purposes beyond providing services to us.

3.2 Affiliates

If you signed up via an affiliate referral link, we share limited conversion information (account creation and payment status) with that affiliate to calculate and pay commission. No sensitive financial data is shared with affiliates.

3.3 Business Transfers

If Reyly is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.

3.4 Legal Requirements

We may disclose your information if required by law, subpoena, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of Reyly, our users, or the public.

4. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services, comply with legal obligations, resolve disputes, and enforce our agreements.

• Active account data: retained for the duration of your membership plus a reasonable period thereafter
• Billing and payment records: retained for a minimum of seven (7) years for financial compliance
• Audit logs: retained for a minimum of two (2) years
• OTP and authentication logs: retained for ninety (90) days
• Affiliate tracking cookies: expire after 30 to 60 days (admin-configurable)

You may request deletion of your account and associated personal data at any time (see Section 8). Note that some data may be retained in anonymized or aggregated form even after deletion.

5. Data Security

We implement technical and organizational security measures to protect your information, including:

• Passwords are hashed using bcrypt with a minimum of 12 salt rounds — plain-text passwords are never stored or transmitted
• Payment card data is tokenized by Stripe and PayPal — Reyly never stores raw card numbers
• All data in transit is encrypted using TLS
• Authentication tokens are stored in httpOnly, Secure cookies — never in browser local storage
• Role-based access control (RBAC) limits data access to authorized personnel only
• Stripe webhook payloads are verified using cryptographic signatures before processing
• OTP verification codes expire after 10 minutes and are locked after 5 failed attempts

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee absolute security.

6. Cookies and Tracking Technologies

6.1 Essential Cookies

Required for the Platform to function. These include session authentication tokens and CSRF protection tokens. You cannot opt out of these without stopping use of the Platform.

6.2 Analytics Cookies

Used to understand how users navigate the Platform so we can improve it. These may include usage statistics and error tracking from Sentry.

6.3 Affiliate Tracking Cookies

When you arrive via an affiliate referral link, a cookie is set to attribute your registration to the referring affiliate. These cookies expire after a period of 30 to 60 days (configurable). The cookie contains only an affiliate identifier — no personal information.

6.4 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies will prevent you from logging in and using core Platform features.

7. Children's Privacy

The Platform is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 13, please contact us at privacy@reyly.com.

8. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

• Access: request a copy of the personal information we hold about you
• Correction: request correction of inaccurate or incomplete data
• Deletion: request deletion of your personal information, subject to legal retention requirements
• Portability: request your data in a structured, machine-readable format
• Opt-out of marketing: unsubscribe from marketing emails at any time using the link in any email, or by updating your notification preferences in your account settings
• Push notification opt-out: disable push notifications through your mobile device settings

To exercise any of these rights, contact us at privacy@reyly.com. We will respond within the timeframe required by applicable law.

9. Third-Party Links and Services

The Platform may contain links to third-party websites or integrate with third-party services (such as wireless carrier websites). This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access through the Platform.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on the Platform at least 30 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.

The date at the top of this policy indicates when it was last updated.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

© 2026 Reyly, Inc. All rights reserved.