Privacy Policy

Last updated: [draft]

Draft. Pending legal review. The Anthropic-data-flow disclosure here is intentionally explicit and will remain in the final version.

What we collect

  • Account info: email, display name, sign-in method (email/Google) via our auth provider Clerk.
  • Your content: syllabi, case text, briefs, class notes, outlines, highlights — everything you create or paste into Rex.
  • Usage: per-call token counts, model used, feature, timestamp. Used for billing, soft caps, and aggregate analytics.
  • BYOK API keys (if you provide one): stored encrypted at rest with AES-256-GCM under a server-held master key. Decrypted only at the moment of an Anthropic API call. Never logged.

How AI processing works

When you generate a brief, parse a syllabus, upload slides, or regenerate an outline, Rex sends the relevant content to Anthropic’s API to be processed. Anthropic retains API request data for up to 30 days for operational purposes (abuse prevention), and does not train its models on API requests. Anthropic’s policies are at https://anthropic.com/legal.

On the BYOK plan, Anthropic API calls use your key, not Rex’s. Anthropic still receives the same content; you have a direct contractual relationship with Anthropic for those calls.

Who has access

Internally: only the founder and (when applicable) contracted engineers operating the service. We don’t sell, rent, or share your content with anyone for marketing purposes.

External processors:

  • Anthropic — AI processing.
  • Clerk — authentication.
  • Lemon Squeezy — billing (merchant of record). Handles payment data; we don’t store card numbers.
  • Railway — hosting.
  • AWS S3 — encrypted database backups.
  • Resend — transactional email.

How long we keep your data

  • While your subscription is active: kept indefinitely so you can access it.
  • After cancellation: read-only for 90 days, then deleted (you can re-subscribe in that window to restore).
  • If you delete your account: permanently deleted within 30 days, including from backups.

Your rights

You can export your data anytime (Markdown bundle from Settings, when available). You can delete your account at any time from Settings, which initiates the permanent purge. For California residents (CCPA): you have the right to know what we collect, request deletion, and not be discriminated against for exercising these rights.

Security

The database is encrypted at rest at the Railway volume level. Backups to S3 are encrypted (SSE-S3). User-supplied Anthropic API keys are encrypted with AES-256-GCM under a server-held master key and decrypted only at API call time. We use HTTPS everywhere.

Children

Rex is not directed at children under 13 and we do not knowingly collect data from them.

Contact

Privacy questions: privacy@[YOUR-DOMAIN].