Privacy Policy

Hixi Studio ("we," "us," or "our") operates Reelyt ("the Service"), an AI-powered Creator Operating System. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website at reelyt.app, our mobile applications, and our cloud-based services.

By using Reelyt, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

We are committed to transparency: we collect only what we need, use it only for the purposes stated here, and give you control over your data.

We collect information in the following categories:

2.1 Account Information

• Email address
• Authentication method (email/password, Google Sign-In, Apple Sign-In)
• User ID generated by Firebase Authentication
• Profile display name and avatar (optional)

2.2 Content DNA & Identity Data

• Your positioning statement and content pillars
• Voice profile preferences (tone, energy, formality, storytelling tendency, emoji usage)
• Audience persona descriptions
• Branding assets: uploaded logo, selected primary/accent colors, font preference, creator name/handle
• Preferred content formats and posting goals

2.3 User Content

• Ideas captured in the Idea Board
• Drafts, generated content, and published posts
• Calendar entries and scheduling preferences
• Content series outlines and configurations
• Carousel designs, slide content, and rendered slide images
• Generated images and visual assets
• Voice adaptation scripts and delivery markers
• Refinement instructions and custom prompts

2.4 Usage & Activity Data

• Feature usage (which tools you use, how often)
• Credit consumption per operation type
• Generation history (timestamps, operation types, models used)
• Streak data (consecutive posting days, milestones achieved)
• Calendar activity (scheduled, generated, posted content counts)
• Idea board interactions (captures, expansions, archives)
• Session duration and frequency
• Client version and device type (Flutter mobile vs. Web)

2.5 Platform Connection Data

• OAuth tokens for X (Twitter) and LinkedIn
• Platform usernames and profile identifiers
• X plan selection (Basic, Premium, Premium+) for character limit optimization
• Posting history via connected platforms

2.6 Billing & Payment Data

• Subscription tier, billing cycle, and renewal dates
• Credit balance (plan, top-up, trial, bonus)
• Transaction history (payments, top-ups, credit deductions)
• Payment method tokens (processed by Dodo Payments — we do not store full credit card numbers)

2.7 Technical Data

• IP address (for rate limiting and security)
• Browser type and version (web users)
• Operating system and device model (mobile users)
• Firebase Cloud Messaging (FCM) tokens for push notifications
• Crash logs and error reports (if you opt in)

We use your information for the following purposes:

3.1 To Provide the Service

• Authenticating your account and maintaining your session
• Generating personalized AI content based on your Content DNA
• Storing and organizing your ideas, drafts, and published content
• Enabling calendar planning, auto-planning, and scheduling
• Rendering carousel slides and generating images
• Posting content directly to your connected X and LinkedIn accounts
• Tracking streaks and sending milestone celebrations
• Providing content memory, gap analysis, and repetition warnings

3.2 To Manage Billing & Credits

• Processing subscription payments and renewals
• Tracking credit consumption and balances
• Enabling credit top-up purchases
• Generating invoices and billing records
• Detecting and preventing payment fraud

3.3 To Improve the Service

• Analyzing feature usage to prioritize development
• Evaluating AI output quality (formatting, voice alignment, engagement correlation)
• Training and fine-tuning our internal prompt templates and generation pipelines
• Identifying and fixing bugs, performance issues, and usability problems

We only use anonymized or aggregated data for training and improvement. We do not use your specific content to train third-party AI models without your explicit consent.

3.4 To Communicate With You

• Sending account notifications (subscription renewals, payment failures, credit warnings)
• Sending product updates, new feature announcements, and tips
• Sending streak reminders and daily content nudges (if enabled)
• Responding to support requests

You can opt out of marketing communications at any time. Transactional emails (billing, security) cannot be opted out of.

3.5 For Security & Compliance

• Detecting and preventing unauthorized access, abuse, and fraud
• Enforcing rate limits and concurrent job caps
• Complying with legal obligations and responding to lawful requests
• Maintaining audit trails for billing and credit transactions

Reelyt relies on third-party AI providers to generate content, images, and insights. When you use AI-powered features, your data is transmitted to these providers for processing.

4.1 Text Generation Providers

4.2 Image Generation Providers

4.3 What Data Is Shared With AI Providers

When you request AI generation, we send the following to the relevant provider:

• A compressed version of your Content DNA (voice profile, pillars, audience)
• The specific idea, instruction, or source content you are generating from
• Recent content history (last 5 posts, topic summaries only)
• Platform-specific formatting rules (character limits, style constraints)
• For images: inferred or customized prompts describing the desired visual

We do not share your billing information, password, full content library, or platform OAuth tokens with AI providers.

4.4 AI Provider Data Handling

• OpenAI: May retain API inputs/outputs for up to 30 days for abuse monitoring. Does not use API data to train models unless you opt in.
• Anthropic: Does not use API data to train models. Retains data per their data retention policy for service operation.
• Google: Does not use API data to train models. Processes data per Google Cloud terms.
• Replicate / Ideogram: Process image generation requests and do not retain prompts or outputs for model training.

We route requests to providers based on operation type, cost, and availability. You cannot select a specific provider for individual requests in V1.

4.5 Our Commitment

We do not use your content to train or fine-tune third-party AI models without your explicit consent. We may use anonymized patterns (e.g., "users with pillar X often generate format Y") to improve our internal systems.

5.1 Where Your Data Is Stored

Reelyt uses Firebase (Google Cloud Platform) as its primary infrastructure:

• Firestore: Structured data (user profiles, Content DNA, ideas, content, calendar, billing, jobs, notifications)
• Cloud Storage (GCS): Generated images, carousel slide PNGs, user logos and brand assets
• Cloud Functions: Backend logic, API endpoints, async job processing
• Firebase Auth: Authentication credentials and session management
• Pub/Sub: Async job queues for AI generation and notifications

Data is stored in Google Cloud regions. By default, data is stored in the region closest to your location for performance. Backup copies may exist in multi-region storage for disaster recovery.

5.2 Security Measures

• Encryption at rest: All data in Firestore and Cloud Storage is encrypted using AES-256.
• Encryption in transit: All communications between your device and our servers use TLS 1.3.
• Authentication: Firebase Authentication with secure JWT tokens (1-hour expiry, auto-refresh).
• Access control: Firestore Security Rules enforce that users can only read/write their own data.
• Input validation: All API endpoints validate and sanitize inputs to prevent injection attacks.
• Rate limiting: 60 requests per minute per user to prevent abuse.
• Credit checks: All AI operations require pre-authorization before any provider is called.

5.3 Data Breach Response

In the unlikely event of a data breach affecting your personal information, we will:

• Notify affected users within 72 hours of discovery
• Provide details on what data was involved and what steps we are taking
• Report to relevant authorities as required by law
• Take immediate steps to contain and remediate the breach

We retain your data for as long as your account is active. After account deletion or termination:

Account Deletion: You can delete your account at any time from Profile → Settings → Delete Account. Deletion is irreversible. We begin the deletion process immediately, though complete removal from all backup systems may take up to 30 days.

Paused Accounts (Post-Trial): If your account is paused after a trial expires without subscription, your data is retained for 90 days in a read-only state. After 90 days, it is scheduled for deletion.

7.1 What We Use

Reelyt uses minimal cookies and tracking technologies:

• Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
• Functional cookies: Remember your preferences (theme, notification settings, calendar view). These improve your experience.
• Analytics cookies: Help us understand how users interact with the Service (feature usage, drop-off points). We use privacy-focused analytics that do not track you across the web.

7.2 Third-Party Cookies

Our payment processor (Dodo Payments) may set cookies during checkout. Firebase Authentication sets session cookies. These are necessary for service operation.

7.3 Your Choices

You can manage cookies through your browser settings. Disabling essential cookies will prevent you from logging in or using core features.

We do not use:

• Advertising cookies or trackers
• Social media pixel trackers
• Cross-site tracking technologies

Depending on your location, you may have the following rights regarding your personal data:

8.1 Access & Portability

You can request a copy of all data we hold about you. We will provide it in a structured, machine-readable format (JSON) within 30 days. You can initiate this from Profile → Settings → Export Data.

8.2 Correction

You can update your account information, Content DNA, and preferences at any time through the Service interface.

8.3 Deletion (Right to be Forgotten)

You can delete your account and all associated data at any time. See Section 6 for retention details. Certain data (billing records) must be retained for legal compliance.

8.4 Restriction & Objection

You can object to our use of your data for analytics or model improvement purposes. To do so, contact us at privacy@reelyt.app. This will not affect your ability to use the Service.

8.5 Withdraw Consent

Where we rely on consent (e.g., for marketing communications or optional analytics), you can withdraw it at any time through your account settings or by contacting us.

8.6 Lodge a Complaint

If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority:

• EU/EEA: Your national Data Protection Authority (DPA)
• UK: Information Commissioner's Office (ICO)
• US (California): California Attorney General or California Privacy Protection Agency
• Other jurisdictions: Contact your local privacy regulator

8.7 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and share
• Delete your personal information (with exceptions)
• Opt out of the sale or sharing of personal information (we do not sell your data)
• Non-discrimination for exercising your privacy rights

To exercise CCPA rights, contact us at privacy@reelyt.app with "CCPA Request" in the subject line.

Reelyt is operated from the United States. If you access the Service from outside the US, your data will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate (including Google Cloud Platform regions).

For EU/EEA and UK Users:

We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers of personal data outside the European Economic Area. Google Cloud Platform provides these safeguards as part of their Data Processing Terms.

For All International Users:

By using the Service, you consent to the transfer of your information to the United States and other jurisdictions, which may have different data protection laws than your country of residence.

Reelyt is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at privacy@reelyt.app and we will promptly delete such information.

If we become aware that we have collected personal information from a child under 16 without verification of parental consent, we will take steps to remove that information from our servers.

The Service integrates with and links to third-party services:

11.1 Social Media Platforms

Direct posting to X and LinkedIn is subject to their respective privacy policies and terms. When you connect an account, you authorize us to act on your behalf within the scope you grant.

11.2 Payment Processor

Payments are processed by Dodo Payments. Your payment information is handled according to their privacy policy and security standards. We do not store full credit card numbers.

11.3 AI Providers

See Section 4 for details on how OpenAI, Anthropic, Google, Replicate, and Ideogram handle data shared with them for content generation.

11.4 External Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites. We encourage you to review their privacy policies before providing any personal information.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or Service features. When we make material changes:

• We will post the updated policy on this page with a revised "Last Updated" date.
• We will notify you via email or in-app notification at least 30 days before material changes take effect.
• For significant changes affecting how we use your data, we will request your renewed consent.

Your continued use of the Service after the effective date constitutes your acceptance of the updated Privacy Policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy-related inquiries within 48 hours. For urgent matters (data breaches, account security), we prioritize response within 4 hours.