Privacy Policy
Last updated 12 July 2026
Who we are
Refractum is operated by Æ1, registered in the Netherlands. Refractum provides engineering tools for consultants, including Schedule of Values billing and time sheets.
Account data we store
To run the service, we store account and organization information that is not end-to-end encrypted. This includes your email address, display name, organization name, membership and roles, multi-factor authentication status, and anonymous referral counts between organizations. This data is needed for sign-in, access control, and organization management.
End-to-end encrypted data
Your project and work data is encrypted in your browser with AES-256-GCM before it is synced to our servers. This includes:
- SOV project names, fee estimates, line items, and billing periods
- Time sheet titles, employee details, hour entries, and signatures
- Organization contact details used in exports (address, phone, website)
Encryption keys are derived from your password. A recovery key can also unlock your data if you lose access to your password.
We cannot decrypt your project data
Only encrypted ciphertext and wrapped encryption keys are stored on our servers. Refractum does not have your password or recovery key and has no way to decrypt your project files. If you lose both your password and recovery key, your encrypted data cannot be recovered.
Metadata we can see
Even though project content is encrypted, some non-content metadata is stored in plain form. This includes record identifiers, organization membership, creation and update timestamps, billing period year and month, and schema versions. We cannot read the encrypted content itself.
Where data is stored
Encrypted data and account metadata are stored in cloud infrastructure located in the United Kingdom. While your vault is unlocked, data may also be held briefly in your browser's local storage.
Your rights
If you are in the EU or UK, you may have the right to access, correct, or delete personal data we hold about your account and organization.
To download a copy of your personal data, sign in and open Settings → Your data. Your export includes your profile, membership, and the timesheets and SOV projects you created. Organization owners also receive organization details, members, and all organization data. You can request one export every 7 days.
For correction, deletion, or other requests we cannot complete in the app, contact us at the address below.
Encrypted project data can only be viewed, exported, or deleted by you while your vault is unlocked. Because we cannot decrypt it, we cannot fulfil requests that require reading the contents of your encrypted files.
Your responsibilities
Keep your password and recovery key safe. Store your recovery key somewhere you can access if you forget your password. Refractum cannot restore encrypted data without one of them.
Contact
For privacy questions, email privacy@refractum.work.
Changes to this policy
We may update this policy from time to time. The date at the top of this page shows when it was last revised. Continued use of Refractum after changes are posted means you accept the updated policy.