Privacy Policy
This Privacy Policy describes how Jessica He ("we," "us," or "our"), operating as a sole proprietorship, collects, uses, discloses, and protects your information when you use the Rex mobile application (the "App"). By using the App, you agree to the collection and use of information in accordance with this Privacy Policy.
We take your privacy seriously. Rex is a fitness and nutrition tracking application, and we understand that health and fitness data is deeply personal. This policy is designed to be transparent about exactly what data we collect, why we collect it, who we share it with, and what rights you have.
If you do not agree with the terms of this Privacy Policy, please do not access or use the App.
1. Information We Collect
We collect information in the following categories:
1.1 Account Information
When you create an account, we collect:
- Authentication credentials via third-party OAuth providers (Google Sign-In or Apple Sign-In). We do not directly collect or store your password.
- User ID — a unique identifier assigned by our authentication provider (Clerk).
- Email address — provided by your OAuth provider during sign-in.
- Name — if provided by your OAuth provider or entered by you in your user profile.
1.2 Health and Fitness Data
If you choose to connect Apple Health (iOS) or Health Connect (Android), we may read the following data from your device's health platform:
- Step count
- Active calories burned
- Basal energy burned
- Heart rate and resting heart rate
- Sleep analysis (total sleep, deep sleep, REM sleep duration)
- Body mass (weight)
- Height
- Workout records (type, duration, calories)
- Walking/running distance
Important: Health data access is entirely optional. You must explicitly grant permission through your device's system-level health permissions. You can revoke this permission at any time through your device settings. We only read health data — we do not write to or modify your device's health records.
1.3 User-Provided Fitness and Nutrition Data
When you use the App, you may manually enter:
- Meal logs — food names, calorie counts, macronutrient breakdowns (protein, carbohydrates, fat), meal times
- Workout logs — exercise names, sets, reps, weights, duration, workout type
- Body measurements — weight history, waist, chest, bicep, and other body measurements
- Personal records — strength milestones for various exercises
- Fitness profile — height, weight, gender, activity level, fitness goals, preferred unit system
- Calorie and macronutrient goals
- Grocery lists and pantry items
- Meal plans and workout plans
- Saved meals and recipes
- Custom exercises
1.4 AI Interaction Data
When you use the AI chat feature ("Ask Rex"), we collect:
- Text messages you send to the AI assistant
- Chat history between you and the AI assistant
- Voice recordings — if you use voice input, audio is recorded temporarily and transcribed; the audio itself is not stored after transcription
- Food images — if you photograph food for nutritional analysis, the image is sent for analysis but is not permanently stored by us
- AI memory notes — the AI may remember preferences you share (e.g., dietary restrictions, food preferences) to personalize future interactions
1.5 Device and Technical Information
We automatically collect limited technical information for crash reporting and app stability:
- Device type and operating system version
- App version
- Crash logs and error stack traces
- App environment (development or production)
We do not collect: device advertising identifiers, precise geolocation, browsing history, contacts, call logs, SMS messages, or information from other apps on your device.
1.6 Barcode Scan Data
If you scan food barcodes, the barcode number is sent to a third-party food database to retrieve nutritional information. We do not store barcode scan history.
2. How We Use Your Information
2.1 Core App Functionality
- To authenticate your account and maintain your session
- To track and display your meals, workouts, and fitness progress
- To calculate and display nutritional and fitness statistics
- To sync health data from your device's health platform (if you opt in)
- To store your preferences, goals, and saved content
2.2 AI-Powered Features
- To generate personalized greetings and fitness suggestions based on your activity, nutrition, and health data
- To provide conversational AI coaching for meal planning, workout guidance, and fitness questions
- To analyze food images for nutritional estimates
- To transcribe voice input for hands-free meal and workout logging
- To remember your stated preferences for a more personalized experience
2.3 App Stability and Improvement
- To identify and fix crashes and bugs via crash reporting
- To monitor app performance and reliability
2.4 What We Do NOT Use Your Data For
- We do not sell your personal information to anyone, for any reason
- We do not use your data for advertising or ad targeting
- We do not use your health data for insurance underwriting, employment decisions, or any purpose unrelated to providing the App's functionality
- We do not use Apple HealthKit or Health Connect data for marketing or advertising purposes
- We do not share Apple HealthKit or Health Connect data with third parties for their independent use
3. How We Share Your Information
We share your information only with the following third-party service providers, solely to operate the App:
3.1 Clerk (Authentication)
- What we share: OAuth authentication tokens, user ID
- Purpose: User account creation, login, and session management
- Privacy policy: clerk.com/legal/privacy
3.2 Google Gemini API (AI Features)
- What we share: When you use AI features, your chat messages, user context (including nutrition data, workout data, fitness goals, and — if you have connected Apple Health or Health Connect — health metrics such as steps, active calories, sleep duration, and resting heart rate), food images, and voice recordings are sent to Google's Gemini API through our backend server
- Purpose: To generate personalized AI responses, analyze food images, and transcribe voice input
- Important: We send health and fitness context to the AI to provide personalized coaching. If you do not wish for your health data to be included in AI interactions, disconnect Apple Health or Health Connect in the App's Settings before using AI features
- Privacy policy: policies.google.com/privacy
3.3 Sentry (Crash Reporting)
- What we share: Crash reports, error stack traces, device type, and OS version
- What we filter out before sending: We actively strip the following from crash reports before transmission: authentication tokens, health data (heart rate, weight, calories, steps, sleep data), email addresses, usernames, and IP addresses
- Purpose: To identify and fix app crashes and bugs
- Privacy policy: sentry.io/privacy
3.4 Open Food Facts (Barcode Lookups)
- What we share: Food product barcode numbers
- Purpose: To retrieve nutritional information for scanned food products
- Privacy policy: openfoodfacts.org/terms-of-use
3.5 Render (Backend Hosting)
- What we share: All data sent to our backend API (chat messages, user context, images, audio) passes through our server hosted on Render
- Purpose: Server infrastructure to proxy requests to AI services with authentication
- Privacy policy: render.com/privacy
3.6 RevenueCat (Subscription Management)
- What we share: Anonymous app user ID, purchase receipts, subscription status
- Purpose: Managing in-app subscriptions, processing payments, and restoring purchases
- Important: Payment processing is handled entirely by Apple through the App Store. We do not collect or store your payment method, credit card number, or billing address. RevenueCat receives only purchase receipts to verify subscription status.
- Privacy policy: revenuecat.com/privacy
3.7 Apple / Google (OAuth Providers & Payment Processing)
- What we share: Authentication flows route through Apple Sign-In or Google Sign-In. Subscription payments are processed entirely by Apple through the App Store.
- Purpose: Secure account authentication and payment processing
We do not share, sell, rent, or trade your personal information with any other third parties. We do not share any Apple HealthKit or Health Connect data with third parties for advertising, marketing, or data brokerage purposes.
4. Apple HealthKit and Health Connect Compliance
4.1 HealthKit Data Use
In compliance with Apple's HealthKit guidelines:
- We will not use HealthKit data for advertising or similar services
- We will not sell HealthKit data to advertising platforms, data brokers, or information resellers
- We will not use HealthKit data for purposes unrelated to providing health and fitness functionality within the App
- We will not disclose HealthKit data to any third party without your explicit, affirmative consent, except as necessary to provide the App's core health and fitness features as described in this Privacy Policy
- HealthKit data is read-only — we read from Apple Health but do not write to or modify your Apple Health records
- You may disconnect Apple Health at any time in the App's Settings, which will immediately stop all HealthKit data access
4.2 Health Connect Data Use
In compliance with Google Health Connect requirements:
- We use Health Connect data solely to provide health and fitness tracking features within the App
- We do not sell, license, or otherwise transfer Health Connect data
- You may disconnect Health Connect at any time in the App's Settings
5. Data Storage and Security
5.1 Local Storage
The majority of your fitness and nutrition data (meals, workouts, body measurements, goals, preferences, chat history, and AI memory) is stored locally on your device using the device's application storage. This data does not leave your device unless you use AI features that transmit context to our servers.
Authentication tokens are stored in your device's secure enclave (iOS Keychain or Android Keystore) using encrypted storage.
5.2 Data in Transit
All data transmitted between the App and our servers is encrypted using HTTPS (TLS 1.2 or higher).
5.3 Backend Security
Our backend server implements:
- Authentication verification on all API endpoints
- Rate limiting to prevent abuse
- CORS restrictions
- No persistent storage of chat messages or health data on our servers (data is proxied to the AI service and not retained)
5.4 Security Limitations
While we implement reasonable security measures, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data. You use the App at your own risk.
6. Data Retention
6.1 Local Data
Data stored locally on your device persists until:
- You delete the App from your device
- You clear the App's data through your device settings
- You delete specific data within the App (e.g., deleting a meal log)
6.2 Account Data
Your Clerk account data is retained as long as your account is active. You may request account deletion by contacting us at support@rexfit.app.
6.3 AI Service Data
Chat messages, images, and audio sent to Google's Gemini API are subject to Google's data retention policies. Please refer to Google's AI terms of service and privacy policy for details on how Google handles this data.
6.4 Crash Reports
Crash report data sent to Sentry is retained according to Sentry's data retention policies (typically 90 days for error events on the free tier).
7. Your Rights and Choices
7.1 Access and Control
You have the following rights regarding your data:
- Access: You can view all your fitness, nutrition, and profile data within the App at any time
- Correction: You can edit or update your profile information, meal logs, workout logs, and other data within the App
- Deletion: You can delete individual data entries (meals, workouts, etc.) within the App. To request complete account deletion, contact us at support@rexfit.app
- Health Data Disconnection: You can disconnect Apple Health or Health Connect at any time in the App's Settings, which immediately stops all health data access
- Notification Control: You can enable or disable push notifications through your device settings
7.2 California Residents — CCPA Rights
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You have the right to request that we disclose what personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it
- Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
- Right to Opt-Out of Sale: We do not sell your personal information. If this changes in the future, we will provide a "Do Not Sell My Personal Information" mechanism
- Shine the Light: California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for direct marketing
To exercise your CCPA rights, contact us at support@rexfit.app. We will respond within 45 days.
Categories of Personal Information Collected (per CCPA definitions):
| CCPA Category | Examples | Sold? | Shared for Business Purpose? |
|---|---|---|---|
| Identifiers | User ID, email address | No | Yes (Clerk, Google) |
| Health information | Steps, heart rate, sleep, weight | No | Yes (Google Gemini, for AI features only) |
| Internet/electronic activity | Crash logs, device type | No | Yes (Sentry) |
| Fitness activity | Meals, workouts, goals | No | Yes (Google Gemini, for AI features only) |
| Audio/visual | Voice recordings, food photos | No | Yes (Google Gemini, for AI features only) |
| Inferences | AI-generated fitness suggestions | No | No |
7.3 Additional State Privacy Rights
Residents of Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws may have additional rights including data portability and the right to opt out of profiling. Contact us at support@rexfit.app to exercise these rights.
7.4 International Users
The App is primarily designed for users in the United States. If you access the App from outside the United States, your data may be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the App, you consent to this transfer. If you are located in the European Economic Area (EEA) or United Kingdom (UK), please note that we may not fully comply with GDPR requirements at this time. If GDPR compliance is important to you, please contact us at support@rexfit.app before using the App.
8. Children's Privacy
The App is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information as quickly as possible.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@rexfit.app.
9. Third-Party Links and Services
The App may contain links to or integrations with third-party services (Apple Health, Health Connect, Google Sign-In, Apple Sign-In). These third-party services have their own privacy policies, which we encourage you to review. We are not responsible for the privacy practices of any third-party services.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:
- Updating the "Last Updated" date at the top of this policy
- Providing an in-app notification of the changes (for material changes)
Your continued use of the App after any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Jessica He
Email: support@rexfit.app
For privacy-specific inquiries, please include "Privacy" in the subject line.
12. Summary of Data Practices
| Data Type | Collected? | Stored Where | Shared With | Can You Delete? |
|---|---|---|---|---|
| Email / User ID | Yes | Clerk (cloud) | Clerk, OAuth provider | Yes (contact us) |
| HealthKit / Health Connect data | Only if you opt in | Device only (not stored by us) | Google Gemini (for AI features) | Disconnect in Settings |
| Meals, workouts, goals | Yes (you enter it) | Your device (local) | Google Gemini (when using AI) | Yes (in-app) |
| Weight / body measurements | Yes (you enter it) | Your device (local) | Not shared | Yes (in-app) |
| Chat messages | Yes (when using AI) | Your device (local) + Google Gemini | Google Gemini | Yes (in-app) |
| Voice recordings | Temporarily | Not stored after transcription | Google Gemini | Automatic |
| Food photos | Temporarily | Not stored after analysis | Google Gemini | Automatic |
| Crash reports | Automatic | Sentry (cloud) | Sentry (PII stripped) | N/A |
| Barcode scans | Temporarily | Not stored | Open Food Facts | Automatic |
| Subscription status | Yes | RevenueCat (cloud) + device | RevenueCat, Apple | Via App Store |