Privacy Policy

Last Updated: March 1, 2026 · Effective Date: March 1, 2026

This Privacy Policy describes how Rex Fit ("we," "us," or "our") collects, uses, discloses, and protects your information when you use the Rex mobile application (the "App"). Rex Fit is operated by Jessica He as a sole proprietorship. By using the App, you agree to the collection and use of information in accordance with this Privacy Policy.

We take your privacy seriously. Rex is a fitness and nutrition tracking application, and we understand that health and fitness data is deeply personal. This policy is designed to be transparent about exactly what data we collect, why we collect it, who we share it with, and what rights you have.

If you do not agree with the terms of this Privacy Policy, please do not access or use the App.

1. Information We Collect

We collect information in the following categories:

1.1 Account Information

When you create an account, we collect:

Authentication credentials via third-party OAuth providers (Google Sign-In or Apple Sign-In). We do not directly collect or store your password.
User ID — a unique identifier assigned by our authentication provider (Clerk).
Email address — provided by your OAuth provider during sign-in.
Name — if provided by your OAuth provider or entered by you in your user profile.

1.2 Health and Fitness Data

If you choose to connect Apple Health, we may read the following data from your device's health platform:

Step count
Active calories burned
Basal energy burned
Heart rate and resting heart rate
Sleep analysis (total sleep, deep sleep, REM sleep duration)
Body mass (weight)
Height
Workout records (type, duration, calories)
Walking/running distance

We may also write workout data (exercise type, duration, calories burned) to Apple Health so your Rex workouts appear alongside your other health data.

Important: Health data access is entirely optional. You must explicitly grant read and write permissions separately through your device's system-level health settings. You can revoke these permissions at any time through your device settings.

1.3 User-Provided Fitness and Nutrition Data

When you use the App, you may manually enter:

Meal logs — food names, calorie counts, macronutrient breakdowns (protein, carbohydrates, fat), meal times
Workout logs — exercise names, sets, reps, weights, duration, workout type
Body measurements — weight history, waist, chest, bicep, and other body measurements
Personal records — strength milestones for various exercises
Fitness profile — height, weight, gender, activity level, fitness goals, preferred unit system
Calorie and macronutrient goals
Grocery lists and pantry items
Meal plans and workout plans
Saved meals and recipes
Custom exercises

1.4 AI Interaction Data

When you use the AI chat feature ("Ask Rex"), we collect:

Text messages you send to the AI assistant
Chat history between you and the AI assistant
Voice recordings — if you use voice input, audio is recorded temporarily and transcribed; the audio itself is not stored after transcription
Food images — if you photograph food for nutritional analysis, the image is sent for analysis but is not permanently stored by us
AI memory notes — the AI may remember preferences you share (e.g., dietary restrictions, food preferences) to personalize future interactions

1.5 Device and Technical Information

We automatically collect limited technical information for crash reporting and app stability:

Device type and operating system version
App version
Crash logs and error stack traces
App environment (development or production)

We do not collect: device advertising identifiers, precise geolocation, browsing history, contacts, call logs, SMS messages, or information from other apps on your device.

1.6 Barcode Scan Data

If you scan food barcodes, the barcode number is sent to a third-party food database to retrieve nutritional information. We do not store barcode scan history.

2. How We Use Your Information

2.1 Core App Functionality

To authenticate your account and maintain your session
To track and display your meals, workouts, and fitness progress
To calculate and display nutritional and fitness statistics
To sync health data from your device's health platform (if you opt in)
To store your preferences, goals, and saved content

2.2 AI-Powered Features

To generate personalized greetings and fitness suggestions based on your activity, nutrition, and health data
To provide conversational AI coaching for meal planning, workout guidance, and fitness questions
To analyze food images for nutritional estimates
To transcribe voice input for hands-free meal and workout logging
To remember your stated preferences for a more personalized experience

2.3 App Stability and Improvement

To identify and fix crashes and bugs via crash reporting
To monitor app performance and reliability

2.4 What We Do NOT Use Your Data For

We do not sell your personal information to anyone, for any reason
We do not use your data for advertising or ad targeting
We do not use your health data for insurance underwriting, employment decisions, or any purpose unrelated to providing the App's functionality
We do not use Apple HealthKit data for marketing or advertising purposes
We do not share Apple HealthKit data with third parties for their independent use

3. How We Share Your Information

We share your information only with the following third-party service providers, solely to operate the App:

3.1 Clerk (Authentication)

What we share: OAuth authentication tokens, user ID
Purpose: User account creation, login, and session management
Privacy policy: clerk.com/legal/privacy

3.2 Google Gemini API (AI Features)

What we share: When you use AI features, your chat messages, user context (including nutrition data, workout data, fitness goals, and — if you have connected Apple Health — health metrics such as steps, active calories, sleep duration, and resting heart rate), food images, and voice recordings are sent to Google's Gemini API through our backend server
Purpose: To generate personalized AI responses, analyze food images, and transcribe voice input
Important: We send health and fitness context to the AI to provide personalized coaching. If you do not wish for your health data to be included in AI interactions, disconnect Apple Health in the App's Settings before using AI features
Privacy policy: policies.google.com/privacy

3.3 Sentry (Crash Reporting)

What we share: Crash reports, error stack traces, device type, and OS version
What we filter out before sending: We actively strip the following from crash reports before transmission: authentication tokens, health data (heart rate, weight, calories, steps, sleep data), email addresses, usernames, and IP addresses
Purpose: To identify and fix app crashes and bugs
Privacy policy: sentry.io/privacy

3.4 Open Food Facts (Barcode Lookups)

What we share: Food product barcode numbers
Purpose: To retrieve nutritional information for scanned food products
Privacy policy: openfoodfacts.org/terms-of-use

3.5 Amazon Web Services (Backend Hosting & Cloud Storage)

What we share: All data sent to our backend API (chat messages, user context, images, audio) passes through our server hosted on AWS EC2. Your fitness and nutrition data (meals, workouts, goals, profile) is also stored in a PostgreSQL database hosted on AWS for cloud sync and backup.
Purpose: Server infrastructure to proxy requests to AI services, and to provide cloud storage for data sync across devices
Privacy policy: aws.amazon.com/privacy

3.6 RevenueCat (Subscription Management)

What we share: Anonymous app user ID, purchase receipts, subscription status
Purpose: Managing in-app subscriptions, processing payments, and restoring purchases
Important: Payment processing is handled entirely by Apple through the App Store. We do not collect or store your payment method, credit card number, or billing address. RevenueCat receives only purchase receipts to verify subscription status.
Privacy policy: revenuecat.com/privacy

3.7 Apple / Google (OAuth Providers & Payment Processing)

What we share: Authentication flows route through Apple Sign-In or Google Sign-In. Subscription payments are processed entirely by Apple through the App Store.
Purpose: Secure account authentication and payment processing

We do not share, sell, rent, or trade your personal information with any other third parties. We do not share any Apple HealthKit data with third parties for advertising, marketing, or data brokerage purposes.

4. Apple HealthKit Compliance

4.1 HealthKit Data Use

In compliance with Apple's HealthKit guidelines:

We will not use HealthKit data for advertising or similar services
We will not sell HealthKit data to advertising platforms, data brokers, or information resellers
We will not use HealthKit data for purposes unrelated to providing health and fitness functionality within the App
We will not disclose HealthKit data to any third party without your explicit, affirmative consent, except as necessary to provide the App's core health and fitness features as described in this Privacy Policy
We read health metrics (steps, heart rate, sleep, etc.) from Apple Health and write workout data (exercise type, duration, calories) to Apple Health — each requires separate permission that you control
You may disconnect Apple Health at any time in the App's Settings, which will immediately stop all HealthKit data access

5. Data Storage and Security

5.1 Local and Cloud Storage

Your fitness and nutrition data (meals, workouts, body measurements, goals, preferences) is stored locally on your device for instant access and also synced to our cloud servers (PostgreSQL database on AWS) for backup and cross-device access. Chat history and AI memory are stored locally on your device.

Authentication tokens are stored in your device's secure enclave (iOS Keychain) using encrypted storage.

5.2 Data in Transit

All data transmitted between the App and our servers is encrypted using HTTPS (TLS 1.2 or higher).

5.3 Backend Security

Our backend server implements:

Authentication verification on all API endpoints
Rate limiting to prevent abuse
CORS restrictions
Encrypted database connections (SSL/TLS)
User data isolation — each user can only access their own data
Chat messages and voice/image data are proxied to the AI service and not permanently retained on our servers

5.4 Security Limitations

While we implement reasonable security measures, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data. You use the App at your own risk.

6. Data Retention

6.1 Local and Cloud Data

Data stored locally on your device persists until you delete the App or clear its data. Data synced to our cloud servers persists until:

You delete specific data within the App (e.g., deleting a meal log), which removes it from both local and cloud storage
You request complete account deletion by contacting us at [email protected]

6.2 Account Data

Your Clerk account data is retained as long as your account is active. You may request account deletion by contacting us at [email protected].

6.3 AI Service Data

Chat messages, images, and audio sent to Google's Gemini API are subject to Google's data retention policies. Please refer to Google's AI terms of service and privacy policy for details on how Google handles this data.

6.4 Crash Reports

Crash report data sent to Sentry is retained according to Sentry's data retention policies (typically 90 days for error events on the free tier).

7. Your Rights and Choices

7.1 Access and Control

You have the following rights regarding your data:

Access: You can view all your fitness, nutrition, and profile data within the App at any time
Correction: You can edit or update your profile information, meal logs, workout logs, and other data within the App
Deletion: You can delete individual data entries (meals, workouts, etc.) within the App. To request complete account deletion, contact us at [email protected]
Health Data Disconnection: You can disconnect Apple Health at any time in the App's Settings, which immediately stops all health data access
Notification Control: You can enable or disable push notifications through your device settings

7.2 California Residents — CCPA Rights

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA):

Right to Know: You have the right to request that we disclose what personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it
Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
Right to Opt-Out of Sale: We do not sell your personal information. If this changes in the future, we will provide a "Do Not Sell My Personal Information" mechanism
Shine the Light: California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for direct marketing

To exercise your CCPA rights, contact us at [email protected]. We will respond within 45 days.

Categories of Personal Information Collected (per CCPA definitions):

CCPA Category	Examples	Sold?	Shared for Business Purpose?
Identifiers	User ID, email address	No	Yes (Clerk, Google)
Health information	Steps, heart rate, sleep, weight	No	Yes (Google Gemini, for AI features only)
Internet/electronic activity	Crash logs, device type	No	Yes (Sentry)
Fitness activity	Meals, workouts, goals	No	Yes (Google Gemini, for AI features only)
Audio/visual	Voice recordings, food photos	No	Yes (Google Gemini, for AI features only)
Inferences	AI-generated fitness suggestions	No	No

7.3 Additional State Privacy Rights

Residents of Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws may have additional rights including data portability and the right to opt out of profiling. Contact us at [email protected] to exercise these rights.

7.4 International Users

The App is primarily designed for users in the United States. If you access the App from outside the United States, your data may be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the App, you consent to this transfer. If you are located in the European Economic Area (EEA) or United Kingdom (UK), please note that we may not fully comply with GDPR requirements at this time. If GDPR compliance is important to you, please contact us at [email protected] before using the App.

8. Children's Privacy

The App is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information as quickly as possible.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].

9. Third-Party Links and Services

The App may contain links to or integrations with third-party services (Apple Health, Google Sign-In, Apple Sign-In). These third-party services have their own privacy policies, which we encourage you to review. We are not responsible for the privacy practices of any third-party services.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:

Updating the "Last Updated" date at the top of this policy
Providing an in-app notification of the changes (for material changes)

Your continued use of the App after any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Rex Fit Support
Email: [email protected]

For privacy-specific inquiries, please include "Privacy" in the subject line.

12. Summary of Data Practices

Data Type	Collected?	Stored Where	Shared With	Can You Delete?
Email / User ID	Yes	Clerk (cloud)	Clerk, OAuth provider	Yes (contact us)
Apple HealthKit data	Only if you opt in	Device only (not stored by us)	Google Gemini (for AI features)	Disconnect in Settings
Meals, workouts, goals	Yes (you enter it)	Your device + our cloud servers	Google Gemini (when using AI)	Yes (in-app)
Weight / body measurements	Yes (you enter it)	Your device + our cloud servers	Not shared	Yes (in-app)
Chat messages	Yes (when using AI)	Your device (local) + Google Gemini	Google Gemini	Yes (in-app)
Voice recordings	Temporarily	Not stored after transcription	Google Gemini	Automatic
Food photos	Temporarily	Not stored after analysis	Google Gemini	Automatic
Crash reports	Automatic	Sentry (cloud)	Sentry (PII stripped)	N/A
Barcode scans	Temporarily	Not stored	Open Food Facts	Automatic
Subscription status	Yes	RevenueCat (cloud) + device	RevenueCat, Apple	Via App Store