Privacy Policy
Last updated: April 2026
1. Information We Collect
We collect information you provide directly:
- Account information: email address and business website URL
- Website data: publicly available content from the URL you provide, used to build your brand profile
- Generated content: AI-generated text, images, and videos created for your marketing campaigns
- Connected accounts: OAuth tokens for social media platforms you connect
- Usage data: feature usage, content approvals, and scheduling activity
2. How We Use Your Information
- To provide, operate, and improve the Service
- To generate your brand profile and marketing content
- To publish approved content to your connected social media accounts
- To send transactional emails (account verification, magic links, system alerts)
- To process payments through our payment provider (Stripe)
- To monitor usage for billing and rate-limiting purposes
3. Data Sharing
We share your data only with the following categories of third parties:
- AI providers: Website content is sent to Google Gemini for analysis and content generation
- Social media platforms: Approved content is published to platforms you connect (via SocialOomph)
- Payment processor: Stripe processes subscription payments
- Email provider: Transactional emails are sent via Postmark
- Infrastructure: Data is hosted on Cloudflare's global edge network
We do not sell your personal data or share it with third parties for advertising purposes.
4. Data Storage & Isolation
Each business account has its own isolated database. Your data is never co-mingled with other users' data. All data is stored on Cloudflare's infrastructure across their global edge network with encryption at rest.
5. Data Retention
We retain your data for the duration of your active subscription. Upon account cancellation or termination, your data is retained for 30 days to allow for reactivation, after which it is permanently deleted, including your isolated database and all generated media assets.
6. Cookies
We use essential cookies only:
- rexapad-session: Authentication session token (HttpOnly, 7-day expiry)
- rexapad-active-tenant: Active workspace selection (7-day expiry)
We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
7. Security
We implement industry-standard security measures including encrypted data storage, HMAC-signed authentication tokens, isolated per-tenant databases, and encrypted credential storage for connected services. API keys and secrets are managed via Cloudflare Secrets and never exposed in client-side code.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Export your data in a portable format
- Object to or restrict certain processing activities
To exercise these rights, contact us at the email address below.
9. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top indicates the most recent revision.
11. Contact
For privacy-related questions or to exercise your data rights, contact us at privacy@rexapad.com.