Privacy policy
How we collect, store, and process personal data in line with UK and EU GDPR.
Privacy Policy
Last updated: 03 October 2025
This Privacy Policy explains how Neorex AI Holding B.V. ("rex.ai", "we", "our", "us") processes personal data in accordance with the General Data Protection Regulation (GDPR) and related laws.
1. Who We Are
rex.ai is a news aggregation and content creation business, operated by Neorex AI Holding B.V., registered in Amsterdam, the Netherlands, Dutch Chamber of Commerce no. 96601450.
If you have questions about this policy or your data, contact us at: info@rex.ai
2. Roles Under Data Protection Law
Client as Controller: When you use our Applications and provide personal data (e.g., about employees, customers, or third parties), you remain the controller under GDPR. You are responsible for ensuring that such data is lawfully collected and shared.
rex.ai as Processor: For the purposes of operating our Applications, we act as a processor, handling data strictly in accordance with your instructions and the Agreement.
3. What Data We Collect
We keep our data collection to a minimum. The following personal data may be processed:
Authentication Data (via Auth0) Name, email, login credentials.
Finance Data Contracts, billing contact details, and payment information (held by our finance team).
Company Information Company-related data entered into our Applications.
We do not use our own systems to store personal information beyond authentication and finance records, except as necessary for providing and improving our service.
4. Why We Process Data (Purpose & Lawful Basis)
We only process personal data where lawful and necessary, including:
| Basis | Purpose |
|---|---|
| Contract | To provide secure access to our Applications. |
| Legitimate Interest | To maintain system security, role management, support, and debugging. |
| Legal Obligation | To meet financial and tax recordkeeping requirements. |
| Service Improvement | We may use anonymised or aggregated output from the Applications to improve and optimise our systems (see Article 10 of the Terms and Conditions). |
5. Who Has Access
Access to personal data is restricted and role-based:
Developers Limited access to Auth0 authentication data for debugging.
Finance Team Contracts and billing details for invoicing.
Management Access for account and role management.
We may engage trusted third parties (see Section 6) to support delivery of our services.
6. Third-Party Processors
We rely on carefully selected third-party providers:
| Provider | Purpose |
|---|---|
| Auth0 | Authentication and session management. |
| Google Cloud Platform (GCP) | Hosting. |
| Google Workspace | Business operations (email, document storage). |
If new processors (e.g., analytics tools) are added, this policy will be updated. All such processors are bound by contractual safeguards, including the EU Standard Contractual Clauses where applicable.
7. International Transfers
Some providers (e.g., Auth0, Google) may process data outside the European Economic Area (EEA). Where this occurs, appropriate safeguards such as EU Standard Contractual Clauses (SCCs) are applied to protect your data.
8. Cookies
We only use essential cookies:
Auth0 session cookies For authentication.
TanStack session cookies For session management.
These cookies are cleared upon new login. We do not use advertising or tracking cookies.
9. How Long We Keep Data
| Data Type | Retention Period |
|---|---|
| Auth0 Data | Retained while your account is active. |
| Finance Records | Retained for as long as required under Dutch and EU law (typically 7 years). |
| Other Records | Deleted within 72 hours of an opt-out or deletion request, except for finance data that we must legally retain. |
10. Your Rights
Under GDPR, you may:
- Access, correct, or delete your personal data
- Restrict or object to processing
- Request data portability To exercise your rights, email us at info@rex.ai.
11. Complaints
If you are not satisfied with how we handle your personal data, you may lodge a complaint with your local supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens.
12. Changes to this Policy
We may update this Privacy Policy from time to time, in line with updates to our services or legal requirements. Any significant changes will be reflected here with an updated "last updated" date.