Routinexa Privacy Policy

Last updated: May 19, 2026

 Summary: Guest users' routine and goal data stays on the device only. Signed-in
      users' data is synced to Firebase Firestore for cross-device backup. We use Firebase for
      authentication, Firestore for cloud sync, Resend for sending 6-digit email sign-in codes,
      RevenueCat for subscription management, Google AdMob for displaying ads to non-Premium users
      (with GDPR consent in regulated regions), and Anthropic's Claude API (accessed via our
      Cloudflare Workers backend) for AI coaching. We do not sell your data and do not track you
      across other apps. You can delete your account and all associated data at any time from the
      Settings screen.

Rexanite Studio ("we", "our", "us") operates the Routinexa mobile application ("App"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have. It applies to all users worldwide, including those in the European Union and EEA (GDPR), the United Kingdom (UK GDPR), California (CCPA/CPRA), Canada (PIPEDA), Australia (Privacy Act 1988), and all other jurisdictions.

1. Data Controller

The entity responsible for processing your personal data is:

Rexanite Studio
Email: [email protected]

For EU/EEA/UK users, Rexanite Studio acts as the data controller under applicable data protection law. We do not currently have a designated Data Protection Officer (DPO); all privacy inquiries can be directed to the email above.

2. What Data We Collect

a. Account Information

If you create an account using Firebase Authentication, we collect your email address and a unique user identifier. If you sign in with Google Sign-In, we additionally receive your display name and profile picture URL, used solely for authentication. You may also use the App as a guest without providing any personal information.

When you sign in with the email verification code option, your email address is transmitted through our backend infrastructure (Cloudflare Workers) to Resend, our transactional email provider, solely for the purpose of delivering the one-time 6-digit sign-in code to your inbox. Resend processes the email address and delivery metadata (timestamps, delivery status) on our behalf as a data processor. We do not use Resend for marketing or any other purpose.

b. Routine & Goal Data

Routines, habits, goals, and completion records you create are stored based on your account status:

Guest mode: data is stored locally on your device only using an on-device database. It never leaves your device.
Signed-in mode: data is stored on your device and synced to Google Firebase Firestore (a cloud database) so your routines and goals are available across your devices and survive a device change. When you delete your account from the Settings screen, both the local and cloud copies are permanently removed.

c. AI Interaction Data

When you use the AI coach or routine analysis features, the content of your messages and relevant routine context (e.g., routine titles) are sent through our backend infrastructure (Cloudflare Workers) to Anthropic PBC's Claude API for AI processing. Anthropic processes these messages only to generate a response and, per Anthropic's Commercial Terms of Service, does not use this data to train its models. We do not permanently store the content of your messages on our servers after the response is returned. A short, on-device cache of recent chat history is kept to provide conversation context. It is automatically reset every 12 hours, and fully removed when you delete your account from the Settings screen or uninstall the App. Chat history is intentionally preserved across sign-out and sign-in so that a returning user can continue their previous conversation.

d. Subscription & Purchase Data

If you purchase a Premium subscription, the transaction is processed by the Google Play Store. We use RevenueCat to verify entitlements and manage subscription status. RevenueCat may collect your purchase receipt, subscription status, and an anonymous device or installation identifier. We do not have access to your payment card number, bank details, or any other financial information.

e. Device, Technical & Advertising Data

The App does not currently embed any third-party crash reporting or analytics SDK. Basic, non-identifying device characteristics (operating system version, app version) that are exposed by the Google Play Store and Firebase as part of normal authentication and app distribution are visible to those services under their own privacy policies.

If you are not a Premium subscriber, we display advertisements through Google AdMob. AdMob may collect:

A device advertising identifier (Android Advertising ID), which you can reset or limit at any time via your device settings.
General device information (model, OS version, network connection type).
Approximate (city-level) location derived from your IP address — precise GPS location is not collected.
Interactions with ads (impressions, clicks, view duration).

Ad Mediation Partners. When AdMob serves you an ad, the request may be routed through one of our integrated mediation networks to fill the placement. Each mediation partner is an independent data controller and may collect technical identifiers (Android Advertising ID, IP address, device model, OS version, and approximate location derived from IP) to deliver and measure ads. Our integrated mediation partners are AppLovin, Meta Audience Network, and Unity Ads. Their privacy practices are governed by their own privacy policies, linked in Section 5. Your ad consent choice in the User Messaging Platform (UMP) form applies uniformly across AdMob and all listed mediation partners.

For users in the EEA, UK, and Switzerland, we use Google's User Messaging Platform (UMP) to request your consent before showing personalized ads. You can review or change your ad consent at any time from the Settings → Ad preferences screen inside the App. Users outside these regions may receive non-personalized ads by default; please refer to your local privacy laws for additional opt-out rights.

f. Data We Do NOT Collect

We do not collect precise GPS or background location.
We do not track your behavior across other apps or websites for our own marketing.
We do not collect biometric or health data.
We do not sell, rent, or trade your personal data to any third party.
We do not store the content of your AI chat messages on our own servers after they have been processed.

3. How We Use Your Data

We use the data we collect for the following purposes:

To create and maintain your account and authenticate your identity.
To sync your routines and goals across your devices when you are signed in.
To verify and manage your subscription entitlements.
To power AI-generated coaching responses and routine suggestions.
To deliver local reminders and notifications you have configured.
To display ads to non-Premium users (personalized only with your consent in regulated regions; otherwise non-personalized).
To diagnose technical issues, fix bugs, and improve the App.
To comply with legal obligations where applicable.

We do not use your routine, goal, or AI chat content for profiling, targeted advertising, or any automated decision-making that produces significant legal effects on you.

4. Legal Basis for Processing (GDPR / UK GDPR)

For users in the EEA and United Kingdom, we rely on the following legal bases under GDPR / UK GDPR:

Performance of a contract (Art. 6(1)(b)) — to provide account creation, authentication, cloud sync, and subscription management.
Legitimate interests (Art. 6(1)(f)) — to operate and improve the App, prevent abuse, ensure security, and show non-personalized ads to free-tier users. Our legitimate interests do not override your rights and freedoms.
Legal obligation (Art. 6(1)(c)) — where we are required to process data to comply with applicable law.
Consent (Art. 6(1)(a)) — for personalized advertising in regulated regions and where we otherwise explicitly request your consent. You may withdraw consent at any time from Settings → Ad preferences without affecting prior processing.

5. Third-Party Services & Data Processors

We share limited data with the following trusted service providers, who process data on our behalf:

Google Firebase Authentication — account management and authentication. Privacy Policy
Google Sign-In — optional social login. Privacy Policy
Google Firebase Firestore — cloud storage of routines and goals for signed-in users (guest data is not stored in Firestore). Privacy Policy
Google AdMob — display advertising for non-Premium users. Consent is collected via Google's User Messaging Platform in regulated regions. Privacy & Terms
AppLovin Corporation (MAX Mediation) — ad serving and measurement via the AppLovin mediation adapter for non-Premium users. Privacy Policy
Meta Platforms, Inc. (Meta Audience Network) — ad serving via the Meta Audience Network mediation adapter for non-Premium users. Privacy Policy
Unity Technologies ApS (Unity Ads) — ad serving via the Unity Ads mediation adapter for non-Premium users. Privacy Policy
RevenueCat — subscription entitlement management. Privacy Policy
Cloudflare Workers — backend proxy infrastructure used to route AI requests and email-verification flows securely. Privacy Policy
Resend — transactional email delivery (used solely to send the 6-digit verification code when you sign in with email). Your email address and delivery metadata are processed by Resend on our behalf. Privacy Policy
Anthropic PBC (Claude API) — AI processing of chat messages and routine analysis. Anthropic does not retain message content or use it for model training per its Commercial Terms. Privacy Policy
Google Play Store — app distribution and payment processing. Privacy Policy

We do not share your personal data with any other third parties except where required by law.

6. International Data Transfers

Our third-party service providers (Google, Anthropic, RevenueCat, Cloudflare, Resend) may process your data in countries outside your own, including the United States. Where such transfers occur from the EEA or UK, they are governed by appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), Adequacy Decisions, or other lawful transfer mechanisms. By using the App, you acknowledge that your data may be transferred internationally subject to these protections.

7. Data Retention

Account data (Firebase Authentication) — retained until you delete your account. Upon deletion, your Firebase account is permanently removed.
Routine & goal data — for guests, stored on your device only and deleted when you uninstall the App. For signed-in users, stored on your device and in Firebase Firestore; both copies are deleted when you delete your account from the Settings screen.
AI messages — not permanently stored on our servers. Anthropic processes and discards them per its Commercial Terms. The on-device chat-history cache auto-resets every 12 hours and is fully removed when you delete your account or uninstall the App.
Advertising data (AdMob) — retained by Google per Google's data retention policy. You can reset your advertising ID at any time via your device settings.
Subscription data (RevenueCat) — retained per RevenueCat's data retention policy, typically as long as necessary for legal and financial compliance.
Email verification metadata (Resend) — delivery logs (recipient address, timestamp, delivery status) are retained by Resend per its own retention policy. The 6-digit code itself is short-lived (expires within minutes) and is not stored after verification.
Technical data exposed to platform services — retention is governed by each platform's own data retention policies (Google Play Store, Firebase, AdMob).

8. Your Rights

All Users

Access & correction — view and update your account information within the App at any time.
Deletion — delete your account and all associated data (local and cloud) from Settings → Delete Account. This action is immediate and irreversible.
Data portability — contact us to request a copy of your personal data in a structured, machine-readable format.
Ad preferences — review or change your ad consent at any time from Settings → Ad preferences.

EEA & UK Users (GDPR / UK GDPR)

In addition to the above, you have the right to:

Restrict processing — request that we limit how we use your data in certain circumstances.
Object to processing — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent (including ad personalization), withdraw it at any time.
Lodge a complaint — file a complaint with your local supervisory authority. A list of EU DPAs is available at edpb.europa.eu. UK users may contact the ICO at ico.org.uk.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

California Users (CCPA / CPRA)

As a California resident, you have the right to:

Know what personal information we collect and how it is used.
Request deletion of your personal information.
Correct inaccurate personal information.
Opt out of the sale or sharing of personal information — we do not sell or share your personal information for cross-context behavioral advertising.
Non-discrimination for exercising your privacy rights.

To submit a request, contact us at [email protected]. We will verify your identity and respond within 45 days.

Canada (PIPEDA)

Canadian users may request access to or correction of their personal information, or withdraw consent to processing (subject to legal or contractual restrictions), by contacting us at [email protected].

Australia (Privacy Act 1988)

Australian users may request access to or correction of personal information we hold about them. If you believe we have breached the Australian Privacy Principles, you may contact us to make a complaint. We will respond within 30 days. If unsatisfied, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. Children's Privacy

Our App is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13 without verified parental consent, we will take immediate steps to delete that information. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encrypted data transmission (HTTPS/TLS), access controls, and regular security reviews. However, no method of transmission over the Internet or electronic storage is 100% secure. We encourage you to use a strong, unique password and to contact us immediately if you suspect unauthorized access to your account.

11. Notifications & Communications

Routinexa uses only local notifications triggered by reminders you set within the App. We do not send marketing emails or push notifications without your explicit consent. If you consent to receive communications from us and later wish to opt out, you can do so by contacting us at [email protected] or adjusting your device notification settings.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will update the "Last updated" date at the top of this page and, where feasible, notify you via an in-app notice. Your continued use of the App after such changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Rexanite Studio
Email: [email protected]

We are committed to resolving privacy concerns promptly and transparently.