Privacy Policy

Last updated: April 14, 2026

1. Introduction

RheXa ("we," "our," or "us") provides an AI-powered email management platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at rehxa.com (the "Service").

2. Information We Collect

We collect the following types of information:

  • Account Information: Email address, name, and password when you create an account.
  • Gmail Data: When you connect your Gmail account via OAuth, we access your email messages (subject, body, sender, recipients) to provide AI classification, reply generation, and lead extraction services. We only access data necessary to provide the Service.
  • Knowledge Base Data: Documents, PDFs, and URLs you upload to train the AI for your organization.
  • Usage Data: Information about how you use the Service, including emails processed, replies sent, and feature usage for billing and analytics purposes.
  • Payment Information: Billing details are processed by our payment provider LemonSqueezy. We do not store credit card numbers directly.

3. How We Use Gmail Data

We use your Gmail data exclusively to:

  • Classify incoming emails by category (lead, support, billing, etc.) and urgency
  • Extract lead information from relevant emails
  • Generate AI-powered reply drafts based on your knowledge base
  • Send replies through Gmail on your behalf (only when you approve or enable auto-send)

We do not sell, share, or use your Gmail data for advertising purposes. Your email content is processed by OpenAI's API for AI features and is subject to their data usage policies.

4. Data Storage & Security

  • All data is stored in Supabase (PostgreSQL) with row-level security (RLS) enabled on every table.
  • Gmail OAuth tokens are encrypted using Fernet symmetric encryption before storage.
  • Each organization's data is completely isolated — no organization can access another's data.
  • All communications use HTTPS/TLS encryption in transit.
  • We implement industry-standard security practices including input validation, CORS restrictions, and JWT-based authentication.

5. Data Sharing

We share your data only with:

  • OpenAI: Email content is sent to OpenAI's API for AI classification and reply generation.
  • Google: We interact with the Gmail API to read and send emails on your behalf.
  • Supabase: Our database provider where your data is stored securely.
  • LemonSqueezy: Our payment processor for subscription billing.

We do not sell your personal information to third parties.

6. Data Retention & Deletion

We retain your data for as long as your account is active. You can request deletion of your account and all associated data at any time by contacting us at support@rehxa.com. Upon account deletion, we will remove all your data, including email records, knowledge base content, and Gmail tokens, within 30 days.

7. Revoking Gmail Access

You can disconnect your Gmail account at any time from the Settings → Connections page. You can also revoke access through your Google Account security settings at myaccount.google.com/permissions. When access is revoked, we immediately stop accessing your Gmail data and delete stored OAuth tokens.

8. Your Rights

You have the right to:

  • Access and export your personal data
  • Request correction of inaccurate data
  • Request deletion of your data
  • Revoke Gmail access at any time
  • Cancel your subscription at any time

9. Cookies

We use essential cookies for authentication and session management. We do not use tracking cookies or third-party advertising cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

11. Contact Us

If you have questions about this Privacy Policy or your data, contact us at support@rehxa.com.