Summary: Rex collects only what is needed to provide your study experience. We do not sell your data, we do not share it with advertisers, and you can request deletion at any time. The full details are below.
1. Who We Are
Rex ("Rex," "we," "our," or "us") is an independent developer of the Rex iOS application, an AI-powered study platform. Rex is operated as an independent business. For purposes of this Privacy Policy, Rex is the data controller of your personal information.
2. Scope of This Policy
This Privacy Policy applies to:
- The Rex iOS mobile application ("App").
- The Rex website at rexstudyapp.com.
- Any related services, communications, or support channels operated by Rex.
This Policy does not apply to third-party websites, applications, or services that may be linked from within Rex, even if Rex facilitates access to them. We encourage you to review the privacy policies of those third parties independently.
3. Information We Collect
3.1 Information You Provide Directly
- Account registration: when you create an account with email and password, we collect your email address and password. Your password is never stored in plain text — it is hashed using industry-standard methods via Supabase Auth.
- Sign in with Apple: if you sign in with Apple, we receive a unique identifier and the email address you choose to share (which may be a private Apple relay address). We do not receive your Apple password.
- Sign in with Google: if you sign in with Google, we receive your name, email address, and Google account identifier as authorized by you through Google. We do not receive your Google password.
- Guest mode: you may use parts of Rex as a guest without creating an account. Guest content is stored on your device and is associated with a temporary identifier rather than a personal account.
- Profile information: any display name or profile preferences you choose to set.
- User-generated content: study boards, whiteboard drawings, typed notes, chart configurations, imported files, scanned documents, and any other content you create, import, or save within the App.
- Chat messages: text you enter in the Rex tutor chat, including questions and follow-up messages.
- Voice input: audio captured during voice dictation. Dictation uses Apple's on-device speech recognition where supported, so audio is transcribed locally on your device and is not retained after transcription.
- Support communications: messages you send to us for help or feedback.
3.2 Information Collected Automatically
- Device identifiers: iOS device model, operating system version, and locale.
- Usage and event analytics: which features you use, sign-in and subscription events, session activity, and interaction patterns. This is collected via our analytics provider (PostHog) and is associated with your account identifier and email (see Sections 6 and 8).
- Crash and diagnostic reports: stack traces and error logs when the App crashes or encounters errors.
- Purchase data: when you subscribe, our payments provider (RevenueCat, working with Apple) records your subscription status, plan, and transaction identifiers associated with your account. We never receive your full payment card details.
- IP address: collected by our servers when the App communicates with our backend. IP addresses are used for security, fraud prevention, and rate limiting.
3.3 Device Permissions You Control
Some features ask for your permission to access parts of your device. These permissions are optional, are only used for the feature you invoke, and can be revoked at any time in your iPhone's Settings:
- Microphone: for voice dictation. Audio is transcribed on-device and not stored.
- Speech recognition: for converting your dictation to text.
- Photos / camera roll: if you choose to import an image into a board, note, or whiteboard.
- Camera / document scanner: if you choose to scan a document into the App.
- Calendar (EventKit): if you use the Calendar widget, we read your calendar events to display them inside Rex. Calendar data stays on your device and is not uploaded to our servers.
- Media library: if you use the music widget to play your own audio while studying.
3.4 Information We Do NOT Collect
- We do not collect precise real-time location data (GPS).
- We do not access your contacts.
- We do not access your photos, camera, calendar, or media library unless you explicitly grant permission for a specific feature, as described in Section 3.3.
- We do not collect Social Security numbers, government-issued ID numbers, full payment card numbers, or health information.
- We do not use advertising tracking identifiers (IDFA) or behavioral advertising, and we do not sell your data.
4. How We Collect Information
| Method | What is collected |
| --- | --- |
| Account creation form | Email, password |
| Sign in with Apple / Google | Identifier, email (and name for Google) |
| App interactions | Board content, notes, chat messages, imported files |
| Microphone (with permission) | Voice audio, transcribed on-device to text |
| Analytics SDK (PostHog) | Feature usage, sign-in & subscription events |
| Payments (RevenueCat + Apple) | Subscription status, transaction identifiers |
| Backend API requests | IP address, request metadata |
| Crash reporters | Diagnostic logs, stack traces |
5. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the App: to authenticate you, save your boards and content, sync data across sessions, and deliver AI tutor responses.
- Personalizing your experience: to remember your preferences and settings.
- Improving Rex: to understand which features are used most, diagnose bugs, and develop new functionality.
- Security and fraud prevention: to detect and respond to unauthorized access, abuse, or violations of our Terms.
- Account communications: to send password reset emails, security alerts, and important updates about the App. We do not send marketing emails without your opt-in consent.
- Legal compliance: to comply with applicable laws, regulations, and lawful requests.
We will not use your information for any purpose materially different from those stated above without first obtaining your consent or as otherwise permitted by law.
6. Tutor, Analytics & Automated Features
6.1 The Rex Tutor
Rex's tutor is powered by a large language model (LLM) hosted on Rex's backend infrastructure. The following applies:
- Data transmission: messages you send to the tutor are transmitted from your device to our backend servers over an encrypted connection (HTTPS/TLS).
- Session context: your recent messages in a session are retained in memory on our server during that session to allow coherent multi-turn conversations. This session context is not permanently stored after the session ends.
- No training on your data: we do not use your personal chat messages or content to train, fine-tune, or improve machine learning models without your explicit, separate consent.
- On-device speech: Rex uses an on-device text-to-speech engine (Kokoro / Sherpa-ONNX) for spoken responses. Voice output is synthesized locally on your device and is not transmitted to our servers.
- Accuracy: tutor responses are generated automatically and may contain errors, omissions, or outdated information. Rex makes no warranty regarding their accuracy.
6.2 Analytics (PostHog)
We use PostHog to understand how Rex is used so we can improve it. PostHog collects product-analytics events — for example, when you sign in, open the paywall, start or complete a purchase, create a board, or when an error occurs. When you are signed in, these events are associated with your account identifier and, where available, your email address. We use PostHog only for product analytics, not for advertising. Analytics data is processed on PostHog's US-based infrastructure (us.i.posthog.com).
7. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties for their own marketing or commercial purposes. We may share information only in the following limited circumstances:
- Service providers: we share data with vendors who process it on our behalf to operate the App (e.g., Supabase for database and authentication). These providers are bound by contractual obligations to protect your data and may only use it as directed by us.
- Legal process: we may disclose information if required to do so by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect the rights, safety, or property of Rex, our users, or the public.
- Business transfers: if Rex is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via a notice in the App or on our website before your information is subject to a different privacy policy.
- With your consent: we may share your information for other purposes with your explicit consent.
8. Third-Party Services
Rex integrates with the following third-party services. Each has its own privacy policy:
We are not responsible for the privacy practices of these third parties. We encourage you to review their policies.
9. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the App. Specifically:
- Account data: retained until you delete your account.
- User-generated content (boards, notes): retained until you delete the content or your account.
- Tutor session context: cleared at the end of each session (not persisted long-term).
- Voice audio: transcribed on-device in real time and not retained.
- Analytics events (PostHog): retained according to our analytics provider's retention settings, generally no longer than necessary for product analysis.
- Purchase records (RevenueCat / Apple): retained while your subscription is active and as required for tax, accounting, and legal purposes.
- Crash and diagnostic logs: retained for up to 90 days.
- Server logs (IP addresses): retained for up to 30 days for security purposes.
After account deletion, we will delete or anonymize your personal information within 30 days, except where we are legally required to retain it longer.
10. Security
We implement reasonable and appropriate technical and organizational security measures to protect your information, including:
- Encrypted data transmission (HTTPS/TLS) between the App and our servers.
- Encrypted storage at rest via Supabase's managed infrastructure.
- Row-level security (RLS) policies so that each user can only access their own data.
- Hashed password storage — we never store plaintext passwords.
- Access controls limiting which personnel can access production data.
No security system is impenetrable. We cannot guarantee absolute security of your information. In the event of a data breach that affects your personal information in a material way, we will notify you as required by applicable law.
11. Children's Privacy (COPPA)
Rex is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent as required by the Children's Online Privacy Protection Act (COPPA).
If we become aware that we have collected personal information from a child under 13 without proper consent, we will take immediate steps to delete that information. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us using the information in Section 17 and we will delete it promptly.
12. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information. This section describes those rights and how to exercise them.
12.1 Categories of Personal Information We Collect
In the preceding 12 months, we have collected the following categories of personal information, as described in Section 3: identifiers (email address, account ID, Apple/Google sign-in identifiers, IP address); commercial information (subscription and purchase records); internet/network activity (app usage and analytics events); and user content (boards, notes, chat messages, and files you create). We collect this information directly from you, from your device, and from our service providers (Supabase, PostHog, RevenueCat, Apple, Google).
12.2 Your California Rights
- Right to Know / Access: you may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the categories of third parties with whom we share it.
- Right to Delete: you may request that we delete the personal information we have collected from you, subject to certain legal exceptions.
- Right to Correct: you may request that we correct inaccurate personal information we hold about you.
- Right to Data Portability: you may request a copy of your personal information in a portable and, to the extent technically feasible, readily usable format.
- Right to Opt-Out of Sale or Sharing: we do not sell your personal information, and we do not share it for cross-context behavioral advertising. Because we do not sell or share, there is nothing to opt out of — but you retain this right.
- Right to Limit Use of Sensitive Personal Information: we do not use or disclose sensitive personal information for any purpose other than providing the App, as permitted by the CPRA.
- Right to Non-Discrimination: we will not deny you service, charge you a different price, or provide a different quality of service because you exercised your privacy rights.
12.3 How to Exercise Your California Rights
Submit a request by emailing us at rexstudyapp@gmail.com with the subject line "California Privacy Request." We will verify your identity before fulfilling your request and will respond within 45 days (extendable by an additional 45 days where permitted). You may also use an authorized agent to submit a request on your behalf, subject to verification.
13. EEA / UK Users (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) or UK GDPR applies to our processing of your personal data, and Rex acts as the data controller.
13.1 Legal Bases for Processing
- Performance of a contract: to provide the App you signed up for — authenticating your account, saving and syncing your boards, and delivering tutor responses.
- Legitimate interests: to secure the App, prevent fraud and abuse, and understand and improve how Rex is used (analytics), where these interests are not overridden by your rights.
- Legal obligation: to comply with applicable laws, tax requirements, and lawful requests.
- Consent: for optional processing such as marketing communications or any device permission you grant; you may withdraw consent at any time.
13.2 Your GDPR Rights
You have the following rights over your personal data. You can exercise any of them, free of charge, by emailing rexstudyapp@gmail.com:
- Right of access: obtain confirmation of whether we process your data and a copy of it.
- Right to rectification: have inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten"): have your personal data deleted where there is no overriding legal reason to keep it.
- Right to restriction: limit how we process your data in certain circumstances.
- Right to data portability: receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
- Right to object: object to processing based on our legitimate interests, including profiling.
- Right to withdraw consent: withdraw any consent you previously gave, without affecting prior lawful processing.
- Right to lodge a complaint: file a complaint with your local supervisory authority (for example, your national Data Protection Authority, or the UK Information Commissioner's Office).
We will respond to any GDPR request within one month, as required by law. We do not sell your personal data.
13.3 International Transfers
Because Rex's servers and certain service providers are located in the United States, transfers of your data from the EEA/UK to the US and other countries are protected by appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum) or equivalent mechanisms required by applicable law.
14. Your Rights and Choices
- Access and update: you can access and update most of your account information directly within the App.
- Delete your content: you can delete individual boards, notes, or other content within the App at any time.
- Delete your account: you can permanently delete your account directly in the App at Settings → Delete Account. This immediately and irreversibly deletes your account and all your boards, chats, and associated data. You can also request deletion by contacting us (Section 17). Personal data is removed within 30 days, except where we are legally required to retain it.
- Microphone permission: you can revoke the App's microphone access at any time in your iPhone's Settings → Privacy → Microphone.
- Push notifications: you can turn off push notifications at any time in your iPhone's Settings → Notifications → Rex.
- Opt-out of analytics: you may request that we stop associating product-analytics events (PostHog) with your account by emailing us. You can also reset your advertising/device identifiers in iOS Settings.
15. International Data Transfers
Rex is operated in the United States. If you access Rex from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. Data protection laws in these countries may differ from those in your home country. By using Rex, you consent to the transfer of your information to the United States and other countries as described in this Policy.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you via an in-app notice or email (if we have your email) at least 14 days before the change takes effect.
Your continued use of Rex after the effective date of an updated Policy constitutes your acceptance of the changes. If you do not agree to the updated Policy, you must discontinue use of Rex.
For privacy questions, requests to exercise your rights, or to report a privacy concern, please contact us:
Rex
Website: rexstudyapp.com
Contact: rexstudyapp@gmail.com
We will respond to all legitimate requests within 30 days. For requests under CCPA, we will respond within 45 days. For GDPR requests, we will respond within one month.