Privacy Policy

Last updated: April 17, 2026

Summary (TL;DR)

  • Rhys is an AI chat app that lets you talk to multiple AI models and providers. To use Rhys, you create an account with your name, email, and password.
  • Your chat messages are stored in our cloud backend (Supabase, US servers) so they can sync across your devices.
  • When you send a message, the content is forwarded to the AI provider you selected (e.g., OpenAI, Anthropic) so they can generate a response. Each provider handles your data under its own policy.
  • We use PostHog for analytics and Sentry for error and crash reporting.
  • We never sell your personal data. All third-party processors are listed below.
  • You can delete your account and all data at any time via notjust.app/rhys/delete-account.

1. Introduction

This Privacy Policy explains how NOTJUST.DEV, SL ("Company", "we", "us", or "our"), a company registered in C/ Balmes 129bis 4º 2ª, 08008 Barcelona, Spain, collects, uses, discloses, and protects your information when you use the Rhys mobile application ("App").

We are committed to protecting your privacy in accordance with:

  • GDPR — General Data Protection Regulation (EU) 2016/679
  • LOPDGDD — Spanish Organic Law 3/2018 on the Protection of Personal Data
  • CCPA/CPRA — California Consumer Privacy Act and California Privacy Rights Act
  • COPPA — Children's Online Privacy Protection Act
  • ePrivacy Directive — Directive 2002/58/EC on privacy and electronic communications

By using the App, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Data Controller & DPO

The data controller responsible for your personal data is:

NOTJUST.DEV, SL
C/ Balmes 129bis 4º 2ª, 08008 Barcelona, Spain
NIF: B26785477
Email: support@notjust.app

Data Protection Officer (DPO)
For any privacy-related inquiries or to exercise your data rights, contact our Data Protection Officer at:
Email: support@notjust.app
Please include "DPO" or "Privacy Request" in your subject line.

3. Information We Collect

3.1 Information You Provide

  • Account Information: When you create an account, we collect your name, email address, and password. Your password is hashed and stored securely by our authentication provider (Supabase) — we never see or store your password in plain text.
  • Chat Messages: The messages you write and send to AI models, including any content, prompts, and attachments you include.
  • Chat Metadata: Conversation titles, the AI provider and model selected for each message, timestamps, and conversation organization.
  • Support Requests: Information you provide when contacting our support team.

3.2 Information Collected Automatically

  • Usage & Analytics Data: How you interact with the App, including features used, session duration, screens viewed, actions taken, and subscription/paywall interactions. Collected via PostHog.
  • Device Information: Device type, operating system version, platform (iOS/Android), unique device identifiers, language settings, and mobile network information.
  • Error & Performance Data: Crash reports and performance diagnostics collected via Sentry, including device identifiers and (if you are signed in) your user ID and email address.

3.3 Information We Do NOT Collect

  • We do not collect precise geolocation data.
  • We do not collect biometric data.
  • We do not access your device's camera, microphone, or contacts unless you explicitly attach content from them.
  • We do not use your individual messages to train our own AI models.

4. Legal Bases for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

| Processing Activity | Legal Basis | GDPR Article | |---|---|---| | Account creation and authentication | Performance of a contract | Art. 6(1)(b) | | Storing and syncing your chat messages | Performance of a contract | Art. 6(1)(b) | | Forwarding your messages to AI providers to generate responses | Performance of a contract | Art. 6(1)(b) | | Processing payments and subscriptions | Performance of a contract | Art. 6(1)(b) | | Analytics and App improvement (PostHog) | Legitimate interest | Art. 6(1)(f) | | Error tracking and diagnostics (Sentry) | Legitimate interest | Art. 6(1)(f) | | Fraud prevention and security | Legitimate interest | Art. 6(1)(f) | | Legal compliance | Legal obligation | Art. 6(1)(c) |

Where we rely on legitimate interest, we have conducted a balancing test and determined that our interests do not override your rights and freedoms. You have the right to object to processing based on legitimate interest (see Section 10).

5. How We Use Your Information

We use the information we collect to:

  • Create and manage your account
  • Store your chat messages and sync them across your devices
  • Forward the content of your messages to the AI provider you select, so the provider can generate a response
  • Display your conversation history back to you
  • Monitor App performance and fix errors via Sentry
  • Analyze usage patterns and improve the App via PostHog
  • Detect, investigate, and prevent fraud and abuse
  • Respond to support requests
  • Comply with legal obligations

6. AI Providers & Your Messages

Rhys is an AI chat app. To generate responses, we transmit the content you send (your prompts, messages, and any attachments) to the third-party AI provider you select for that conversation or message. Currently supported providers include, for example, OpenAI and Anthropic, and we may add additional providers over time.

Important:

  • When you send a message to a model, that message's content leaves our systems and is processed by the selected provider.
  • Each AI provider processes your data under its own privacy policy and terms, which you should review. These providers may retain the data they receive for their own purposes (such as abuse monitoring or service improvement), subject to their policies.
  • We pass through the provider-generated response and store it alongside your message so you can see your full conversation history.
  • We do not use your individual messages to train our own AI models. Whether a provider uses your data to train their models is governed by that provider's policy and/or the enterprise/API terms we have with them; we select providers and plans with this in mind where possible.

7. Data Sharing & Third-Party Processors

We do not sell your personal information. We share data with the following service providers, who process data on our behalf:

| Processor | Purpose | Data Shared | Location | |---|---|---|---| | Supabase | Database, authentication, storage | Account info (name, email, hashed password), chat messages, metadata | US | | OpenAI | AI model responses (when selected) | Message content sent to the model | US | | Anthropic | AI model responses (when selected) | Message content sent to the model | US | | Other AI providers | AI model responses (when selected) | Message content sent to the model | Varies | | PostHog | Product analytics | Usage data, device info, user ID | US | | Sentry | Crash and error reporting | Crash reports, device info, user ID, email | US | | Apple / Google | App Store, Play Store, payments | Auth tokens, purchase data | US |

We may also disclose your information:

  • To comply with applicable laws, regulations, or legal processes
  • To protect the rights, property, or safety of our Company, our users, or others
  • In connection with a merger, acquisition, or sale of assets (you will be notified in advance)

8. International Data Transfers

Our Company is established in the EU (Spain), but your data is processed by service providers located in the United States and potentially other countries. These transfers are conducted in compliance with the GDPR using one or more of the following safeguards:

  • EU-U.S. Data Privacy Framework (DPF) — where the provider is certified under the DPF
  • Standard Contractual Clauses (SCCs) — approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • Your explicit consent to the transfer, where applicable

You may request a copy of the relevant safeguards by contacting us at support@notjust.app.

9. Data Retention

We retain your data for the following periods:

| Data Category | Retention Period | |---|---| | Account data (name, email, hashed password) | Retained while your account is active. Deleted within 30 days of account deletion request. | | Chat messages and metadata | Retained while your account is active. Deleted within 30 days of account deletion request. | | Data held by AI providers | Governed by each provider's retention policy. | | Analytics data (PostHog) | Retained for 12 months, then anonymized or deleted. | | Error logs (Sentry) | Retained for 90 days. |

When you request account deletion, we will permanently delete your personal data within 30 days, except where retention is required by law. You can request account deletion at notjust.app/rhys/delete-account.

10. Your Rights (EU/EEA — GDPR)

If you are located in the EU/EEA, you have the following rights under the GDPR:

  • Access (Art. 15) — Request a copy of the personal data we hold about you
  • Rectification (Art. 16) — Request correction of inaccurate or incomplete data
  • Erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten")
  • Restriction (Art. 18) — Request restriction of processing in certain circumstances
  • Data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format
  • Object (Art. 21) — Object to processing based on legitimate interests, including analytics
  • Withdraw consent (Art. 7) — Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal
  • Lodge a complaint — File a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es or your local supervisory authority

To exercise any of these rights, contact us at support@notjust.app. We will respond within 30 days (or as required by applicable law). We may request verification of your identity before processing your request.

11. Your Rights (California — CCPA/CPRA)

If you are a California resident, you have the following rights:

  • Right to Know — Know what personal information we collect, use, disclose, and sell (we do not sell your data)
  • Right to Delete — Request deletion of your personal information
  • Right to Correct — Request correction of inaccurate personal information
  • Right to Opt-Out — Opt out of the sale or sharing of personal information (we do not sell or share your data for cross-context behavioral advertising)
  • Non-Discrimination — We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, contact us at support@notjust.app or submit a deletion request at notjust.app/rhys/delete-account. We will respond within 45 days as required by the CCPA.

Categories of personal information collected (per CCPA Section 1798.100):

  • Identifiers (name, email, device IDs)
  • Internet or electronic network activity (usage data)
  • User-generated content (chat messages)
  • Commercial information (purchase and subscription history)

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Secure password hashing handled by our authentication provider (Supabase)
  • Row Level Security in Supabase — users can only access their own data
  • Access controls and authentication for internal systems
  • Data processing agreements with all third-party processors
  • Regular security assessments

However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (AEPD) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  • Document the breach, its effects, and remedial actions taken

14. Children's Privacy

  • We do not knowingly collect personal information from children under 13 (as required by COPPA).
  • We do not knowingly collect personal information from children under 16 without parental consent (as required by GDPR Article 8).

If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at support@notjust.app.

15. Cookie & Tracking Policy

The App does not use browser cookies. However, the App uses the following tracking technologies:

  • PostHog SDK: Collects analytics events. An authenticated user identifier is used to link sessions.
  • Sentry SDK: Collects error reports and performance data. Configured to send PII (user ID, email).

These tracking technologies are necessary for the operation and improvement of the App. By using the App, you acknowledge the use of these technologies as described in this policy.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated Privacy Policy in the App
  • Updating the "Last updated" date at the top of this page
  • For material changes affecting your rights, providing in-app notification

We encourage you to review this Privacy Policy periodically. Continued use of the App after changes constitutes acceptance of the updated policy, except where consent is required for specific processing activities.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

NOTJUST.DEV, SL
C/ Balmes 129bis 4º 2ª, 08008 Barcelona, Spain
NIF: B26785477
Email: support@notjust.app

For privacy-specific inquiries, please include "Privacy" or "DPO" in your subject line.