Rexlore Privacy Policy
Last updated: May 24, 2026
Rexanite Studio ("we", "our", "us") operates the Rexlore mobile application ("App"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have. It applies to all users worldwide, including those in the European Union and EEA (GDPR), the United Kingdom (UK GDPR), California (CCPA/CPRA), Canada (PIPEDA), Australia (Privacy Act 1988), and all other jurisdictions.
1. Data Controller
The entity responsible for processing your personal data is:
Rexanite Studio
Email: support@rexanite.com
For EU/EEA/UK users, Rexanite Studio acts as the data controller under applicable data protection law. We do not currently have a designated Data Protection Officer (DPO); all privacy inquiries can be directed to the email above.
2. What Data We Collect
a. Account Information
Rexlore offers three ways to use the App:
- Guest (anonymous) mode: When you launch the App without signing in, Firebase Authentication automatically creates a temporary anonymous account and assigns you a unique anonymous user ID. No email address, name, or any identifying information is collected. This anonymous ID is used only to associate your local progress data on your device with your anonymous account.
- Email & password sign-in: We collect your email address and a securely hashed password, processed by Firebase Authentication. Your email is used solely for account authentication and password recovery.
- Google Sign-In: We receive a Google ID token from your Google account, your display name, and your profile picture URL, which are processed by Firebase Authentication. These are used solely for account creation and identification.
b. Progress & Activity Data
The following in-app data is generated as you use the App and is stored on your device and, for signed-in users, synced to the cloud:
- Lesson and chapter completion status, stars earned, and best scores.
- In-app currency balances (diamonds and gold) and total XP earned.
- Daily streak count and best streak record.
- Per-question statistics: number of correct and incorrect answers, and when a question was last seen.
- Boost usage counts (skip, reveal, hint).
- Last active date.
For guest users, this data is stored locally on your device only. It is linked to your anonymous Firebase account ID but is never sent from your device to any server other than Firebase Authentication's anonymous account registration. If you uninstall the App, this data is deleted.
For signed-in users, this data is stored on your device and synced to Google Firebase Firestore (a cloud database) so your progress is available across your devices. When you delete your account from the Settings screen, both the local and cloud copies are permanently and immediately deleted.
c. App Preferences
We store the following settings locally on your device using an encrypted local store (DataStore). This data never leaves your device:
- Language preference.
- Dark mode toggle.
- Onboarding and initial assessment completion flags.
- Ad consent status (as recorded by the Google User Messaging Platform).
d. Subscription & Purchase Data
If you purchase a Rexlore Plus subscription, the transaction is processed by the Google Play Store. We use RevenueCat to verify entitlements and manage your subscription status. RevenueCat may collect your purchase receipt, subscription status, entitlement expiration dates, and an identifier mapped to your Firebase user ID. We do not have access to your payment card number, bank details, or any other financial information.
e. Device, Technical & Advertising Data
The App does not include any third-party crash reporting or analytics SDK. We collect no custom usage events or behavioral analytics.
We use Firebase App Check (via Play Integrity) to verify that requests come from a genuine instance of our App and not from a fraudulent source. App Check does not collect personal data; it exchanges a device integrity token with Google's servers solely for this security purpose.
If you are not a Rexlore Plus subscriber, we display advertisements through Google AdMob. AdMob may collect:
- A device advertising identifier (Android Advertising ID), which you can reset or limit at any time via your Android device settings.
- General device information (model, OS version, network connection type).
- Approximate (city-level) location derived from your IP address — precise GPS location is not collected.
- Interactions with ads (impressions, clicks, view duration).
Ad Mediation Partners. When AdMob serves you an ad, the request may be routed through one of our integrated mediation networks. Each mediation partner is an independent data controller and may collect technical identifiers (Android Advertising ID, IP address, device model, OS version) to deliver and measure ads. Our integrated mediation partners are AppLovin, Meta Audience Network, and Unity Ads. Their privacy practices are governed by their own privacy policies, linked in Section 5. Your ad consent choice in the User Messaging Platform (UMP) form applies uniformly across AdMob and all listed mediation partners.
For users in the EEA, UK, and Switzerland, we use Google's User Messaging Platform (UMP) to request your consent before showing personalized ads. You can review or change your ad consent at any time from the Settings → Ad preferences screen inside the App. Users outside these regions may receive non-personalized ads by default.
f. Data We Do NOT Collect
- We do not collect precise GPS or background location.
- We do not access your camera, microphone, contacts, calendar, or media files.
- We do not use any AI or machine learning APIs (no data is sent to external AI services).
- We do not collect analytics or behavioral event data.
- We do not collect crash reports via third-party services.
- We do not track your behavior across other apps or websites for our own marketing.
- We do not collect biometric or health data.
- We do not sell, rent, or trade your personal data to any third party.
3. How We Use Your Data
We use the data we collect for the following purposes:
- To create and maintain your account and authenticate your identity.
- To save and sync your lesson progress, streaks, rewards, and statistics across your devices when you are signed in.
- To verify and manage your Rexlore Plus subscription entitlements.
- To deliver rewarded ad experiences (where you choose to watch an ad to earn in-game currency).
- To display ads to non-Premium users (personalized only with your consent in regulated regions; otherwise non-personalized).
- To protect the integrity of our backend services via Firebase App Check.
- To comply with legal obligations where applicable.
We do not use your progress or activity data for profiling, targeted advertising, or any automated decision-making that produces significant legal effects on you.
4. Legal Basis for Processing (GDPR / UK GDPR)
For users in the EEA and United Kingdom, we rely on the following legal bases under GDPR / UK GDPR:
- Performance of a contract (Art. 6(1)(b)) — to provide account creation, authentication, cloud sync, and subscription management.
- Legitimate interests (Art. 6(1)(f)) — to operate and improve the App, prevent abuse, ensure security via App Check, and show non-personalized ads to free-tier users. Our legitimate interests do not override your rights and freedoms.
- Legal obligation (Art. 6(1)(c)) — where we are required to process data to comply with applicable law.
- Consent (Art. 6(1)(a)) — for personalized advertising in regulated regions. You may withdraw consent at any time from Settings → Ad preferences without affecting prior processing.
5. Third-Party Services & Data Processors
We share limited data with the following trusted service providers, who process data on our behalf:
- Google Firebase Authentication — account management and authentication (email/password, Google Sign-In, and anonymous accounts). Privacy Policy
- Google Sign-In — optional social login via Google Credential Manager. Privacy Policy
- Google Firebase Firestore — cloud storage of progress and activity data for signed-in users. Anonymous and guest data is not synced to Firestore. Privacy Policy
- Firebase App Check (Play Integrity) — device integrity verification to protect our backend from abuse. Does not collect personal data. Privacy Policy
- Google AdMob — display advertising (interstitial and rewarded ads) for non-Premium users. Consent is collected via Google's User Messaging Platform in regulated regions. Privacy & Terms
- AppLovin Corporation (MAX Mediation) — ad serving and measurement via the AppLovin mediation adapter for non-Premium users. Privacy Policy
- Meta Platforms, Inc. (Meta Audience Network) — ad serving via the Meta Audience Network mediation adapter for non-Premium users. Privacy Policy
- Unity Technologies ApS (Unity Ads) — ad serving via the Unity Ads mediation adapter for non-Premium users. Privacy Policy
- RevenueCat — subscription entitlement management for Rexlore Plus. Privacy Policy
- Google Play Store — app distribution and payment processing. Privacy Policy
We do not share your personal data with any other third parties except where required by law.
6. International Data Transfers
Our third-party service providers (Google, RevenueCat) may process your data in countries outside your own, including the United States. Where such transfers occur from the EEA or UK, they are governed by appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), Adequacy Decisions, or other lawful transfer mechanisms. By using the App, you acknowledge that your data may be transferred internationally subject to these protections.
7. Data Retention
- Anonymous (guest) account data — the anonymous Firebase UID and associated local data are retained until you uninstall the App or upgrade to a signed-in account. If you upgrade, your anonymous account is linked and retained as your signed-in account.
- Account data (Firebase Authentication) — retained until you delete your account. Upon deletion from Settings, your Firebase account is permanently removed.
- Progress & activity data — for signed-in users, stored on your device and in Firebase Firestore; both copies are permanently deleted when you delete your account from the Settings screen.
- App preferences — stored locally on your device only; deleted when you uninstall the App or delete your account.
- Advertising data (AdMob) — retained by Google per Google's data retention policy. You can reset your Android Advertising ID at any time via your device settings.
- Subscription data (RevenueCat) — retained per RevenueCat's data retention policy, typically as long as necessary for legal and financial compliance.
- Technical data exposed to platform services — retention is governed by each platform's own policies (Google Play Store, Firebase).
8. Your Rights
All Users
- Access & correction — view and update your account information within the App at any time.
- Deletion — delete your account and all associated data (local and cloud) from Settings → Delete Account. This action is immediate and irreversible.
- Data portability — contact us to request a copy of your personal data in a structured, machine-readable format.
- Ad preferences — review or change your ad consent at any time from Settings → Ad preferences.
EEA & UK Users (GDPR / UK GDPR)
In addition to the above, you have the right to:
- Restrict processing — request that we limit how we use your data in certain circumstances.
- Object to processing — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent (including ad personalization), withdraw it at any time.
- Lodge a complaint — file a complaint with your local supervisory authority. A list of EU DPAs is available at edpb.europa.eu. UK users may contact the ICO at ico.org.uk.
To exercise any of these rights, contact us at support@rexanite.com. We will respond within 30 days.
California Users (CCPA / CPRA)
As a California resident, you have the right to:
- Know what personal information we collect and how it is used.
- Request deletion of your personal information.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information — we do not sell or share your personal information for cross-context behavioral advertising.
- Non-discrimination for exercising your privacy rights.
To submit a request, contact us at support@rexanite.com. We will verify your identity and respond within 45 days.
Canada (PIPEDA)
Canadian users may request access to or correction of their personal information, or withdraw consent to processing (subject to legal or contractual restrictions), by contacting us at support@rexanite.com.
Australia (Privacy Act 1988)
Australian users may request access to or correction of personal information we hold about them. If you believe we have breached the Australian Privacy Principles, you may contact us to make a complaint. We will respond within 30 days. If unsatisfied, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
9. Children's Privacy
Our App is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13 without verified parental consent, we will take immediate steps to delete that information. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@rexanite.com.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encrypted data transmission (HTTPS/TLS), encrypted local storage, Firebase App Check for backend integrity verification, and access controls. Automatic cloud backup and device-to-device transfer of app data are intentionally disabled to prevent exfiltration of sensitive tokens. However, no method of transmission over the Internet or electronic storage is 100% secure. We encourage you to use a strong, unique password and to contact us immediately if you suspect unauthorized access to your account.
11. Notifications & Communications
Rexlore may request permission to send notifications on your device. Any notifications are used only to remind you of your learning streaks or lesson availability as configured within the App. We do not send marketing emails or push notifications without your explicit consent. You can manage notification permissions at any time through your device settings.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will update the "Last updated" date at the top of this page and, where feasible, notify you via an in-app notice. Your continued use of the App after such changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Rexanite Studio
Email: support@rexanite.com
We are committed to resolving privacy concerns promptly and transparently.