Privacy Policy
Last updated · 2026-05-03
This Privacy Policy explains how Rexa ("we", "us") processes personal data when you use the Rexa receipt and expense workflow service (the "Service"). Rexa is operated by Rexa B.V. (incorporation pending), Amsterdam, the Netherlands. We are the controller of the data described in section 2 and a processor of the customer data described in section 3.
1. Who this applies to
This policy applies to: visitors to the marketing site (rexa.one), individuals signing up for or invited to a workspace, and end users whose data is processed within a customer's workspace (cardholders, approvers, finance staff).
2. Data we collect as a controller
When you sign up or visit the site:
- Account data: email, password (hashed), TOTP secret (encrypted), email verification timestamp.
- Session data: IP address, user agent, last-seen timestamp. Used for revocable session management; retained 90 days.
- Marketing data: pages visited, referring URL, anonymized analytics. We do not use third-party tracking pixels.
Lawful basis
- Performance of contract — providing the Service you signed up for.
- Legitimate interest — securing the Service against abuse.
- Consent — for the optional AI assistant; per-tenant opt-in and revocable at any time.
3. Data we process on customers' behalf
Inside a workspace, we process card transactions, receipts, OCR output, expense explanations, approval decisions, comments, and audit events on behalf of the customer ("Workspace Data"). The customer is the controller of Workspace Data and signs a Data Processing Agreement (DPA) with us before production use. See the DPA.
We never store the full Primary Account Number (PAN) of any payment card. Card identifiers are truncated to the last four digits at the adapter boundary (where card-feed data enters our system), so only last-4 values ever reach our database or logs.
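The following is an added illustration of the adapter-boundary rule described above; it is example code written for this page, not Rexa's own implementation. It truncates card identifiers to last-4 before anything is built for storage, scrubs Luhn-valid 13 to 19 digit runs out of free-text fields (memo, merchant, OCR-style text) so a PAN that a cardholder or a receipt leaks into a note is never persisted, and keeps a tripwire that refuses to persist any record in which a PAN-shaped value survives. Function names, the feed-record shape and the sample record are assumptions made for the example.

```python
"""Adapter-boundary card identifier normalization (added example, not Rexa's code)."""
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. Candidates are confirmed with a Luhn check.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_card_identifier(raw: str) -> str:
    """Reduce whatever the card feed sends (full PAN, masked PAN, token) to last-4."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) < 4:
        raise ValueError("card identifier must carry at least four digits")
    return digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid PAN-shaped digit runs found in free text."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid PAN-shaped run in free text with '****' + last-4."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "****" + digits[-4:] if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


def ingest_transaction(feed_record: dict) -> dict:
    """Build the only representation of a card transaction that may be persisted.

    Free-text fields are scrubbed; 'reference' is deliberately passed through
    unscrubbed to show the tripwire below catching a field a developer forgot.
    """
    stored = {
        "card_last4": normalize_card_identifier(feed_record["card"]),
        "amount_cents": int(feed_record["amount_cents"]),
        "merchant": redact_pans(feed_record.get("merchant", "")),
        "memo": redact_pans(feed_record.get("memo", "")),
        "reference": feed_record.get("reference", ""),
    }
    # Tripwire: nothing PAN-shaped may survive in any stored string field.
    for key, value in stored.items():
        if isinstance(value, str) and find_pans(value):
            raise ValueError(f"refusing to persist PAN-shaped value in field {key!r}")
    return stored


# Constructed sample feed record (test card numbers, not real cardholder data).
SAMPLE_FEED = {
    "card": "4242-4242-4242-4242",
    "amount_cents": "1299",
    "merchant": "COFFEE CO AMSTERDAM",
    "memo": "receipt says card 4111 1111 1111 1111, order 123456789012",
}

if __name__ == "__main__":
    print(ingest_transaction(SAMPLE_FEED))
```

The tripwire matters more than the scrubbing: a new field added to the stored record by someone who did not read this policy still cannot carry a PAN into Postgres or S3, and the failure is loud rather than silent.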
4. Data residency
Workspace Data is stored exclusively in the European Union (Postgres + S3 in eu-central-1, application servers in Fly.io's Amsterdam region). Where a customer has explicitly opted in to AI features, prompts and snapshots may be transmitted to Anthropic in the United States under a Data Processing Addendum and the EU SCCs. Customers can disable AI features per workspace at any time without losing other functionality.
5. Sub-processors
A complete list of sub-processors is published at /legal/subprocessors. Customers will be notified of new sub-processors at least 30 days in advance and can object during that window.
6. Retention
Workspace Data is retained for as long as necessary to provide the Service and to meet financial-record retention obligations (in the Netherlands, 7 years per Algemene wet inzake rijksbelastingen art. 52 and BW art. 2:10). Free-text fields that contain incidental personal data (notes, comments, OCR payloads) are scrubbed at user erasure or 30 days after a user leaves a workspace, whichever comes first. Session and security logs are retained for 90 days. Audit events tied to financial records are retained for 7 years.
7. Your rights (GDPR Art. 15–22)
You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data. The Service exposes one-click data export and erasure under /settings. For requests we can't fulfil through the UI, contact privacy@rexa.one. We will respond within 30 days.
You can lodge a complaint with the Dutch supervisory authority (Autoriteit Persoonsgegevens) at any time.
8. Security
We document our security posture publicly at /security. Highlights: AES-256-GCM envelope encryption at rest, KMS-wrapped keys in production, Postgres row-level security, append-only audit log enforced at the SQL layer, argon2id password hashing, TOTP 2FA, revocable JWT sessions.
9. International transfers
Where data leaves the EU (currently: optional Anthropic AI calls), we rely on the EU Standard Contractual Clauses (2021/914) and the relevant Transfer Impact Assessment maintained on file.
10. Cookies
We use a small number of strictly-necessary cookies for authentication and CSRF protection. We do not use cookies for advertising or third-party tracking.
11. Changes
Material changes to this policy will be communicated to workspace administrators by email and announced in-app at least 30 days before they take effect.
12. Contact
Privacy questions: privacy@rexa.one. Security issues: security@rexa.one. Data Protection Officer: appointment pending; in the meantime, the founder serves as point of contact for data-protection matters.