Privacy Policy

Introduction

Rexxly, LLC, a Georgia limited liability company (“Rexxly,” “we,” “us,” or “our”), operates https://rexxly.com and provides subscription-based social media and digital content services to customers worldwide (the “Services”). This Privacy Policy describes how we collect, use, disclose, retain, transfer, and safeguard personal information and explains the rights available to individuals under applicable privacy, consumer, and data protection laws.

Plain English. We’re a global service. This document tells you what data we collect, how we use it, who we share it with, how long we keep it, and what rights you have.

Scope & Roles (Controller vs. Processor)

This Policy applies to (i) visitors to our website, (ii) customers/subscribers, and (iii) individuals whose data is processed as part of campaign assets and deliverables. For our own website, accounts, billing, and support, Rexxly acts as a controller. When we process personal data strictly on a customer’s documented instructions (e.g., audience lists, assets, or workflows), Rexxly acts as a processor/service provider. A Data Processing Addendum (DPA) is available upon request for enterprise customers.

Plain English. Sometimes the data is ours to decide how to use (controller). Sometimes we only handle it for you under your instructions (processor). If you need a DPA, we’ll provide one.

Key Definitions

“Personal Information/Personal Data (PI)” means information that identifies, relates to, or can reasonably be linked to an individual. “Sensitive Personal Information (SPI)” includes special categories under GDPR/UK GDPR, the California CPRA, Brazil LGPD, and similar laws (e.g., precise location, government IDs, biometric/health data, financial account credentials). “Processing” means any operation on PI (collection, storage, use, disclosure, transfer, deletion). “Applicable Law” includes U.S. federal/state laws (e.g., CPRA), GDPR/UK GDPR, LGPD (Brazil), PIPEDA (Canada), PDPA (Singapore), POPIA (South Africa), and other relevant laws.

Plain English. “Personal information” is anything that can identify you. “Sensitive” information is extra-protected. “Processing” covers anything we do with data.

Notice at Collection

4.1 Categories of PI We Collect

We collect: Identifiers (name, email, phone, account IDs, IP, device IDs); Commercial/Billing data (subscription history, invoices, payment tokens via our processors); Internet/Activity data (pages viewed, referral URLs, timestamps, cookie IDs, logs); Professional data (company, role, industry); User Content (logos, text, images, videos you upload); and Inferences/analytics derived from site and campaign interactions. We do not intentionally collect SPI in the ordinary course. If SPI is provided for a narrow purpose (e.g., compliance), we limit its use and do not use it to infer characteristics.

Plain English. We collect accounts, billing, usage, and work files. We generally avoid sensitive data; if you give us any, we lock it down and don’t use it for profiling.

4.2 Sources of PI

PI is collected (i) directly from you (forms, onboarding, support, uploads), (ii) automatically via cookies/SDKs/logs, (iii) from service providers/partners (payments, analytics, ad platforms), and (iv) from public sources (business sites, social media you make public).

Plain English. You give us data, our systems collect some automatically, trusted vendors share necessary info, and some data is public.

4.3 Purposes of Processing

We process PI to (a) provide, maintain, and improve the Services; (b) create, manage, and deliver campaigns; (c) authenticate users and prevent fraud/security incidents; (d) process payments and manage subscriptions; (e) provide support and service communications; (f) send marketing communications subject to opt-out; and (g) comply with legal obligations, enforce Terms, and protect rights.

Plain English. We use data to run Rexxly, produce your content, keep accounts secure, take payments, help you, and meet legal duties.

4.4 Retention

We retain PI only as long as needed for the purposes above or to meet legal/tax requirements: account identifiers (life of account + 2 years); billing/transactions (7 years for audit/tax); analytics/logs (12–24 months); campaign assets (engagement term + 2 years); support (3 years from last interaction); SPI (if collected) only as necessary, typically < 1 year unless law requires longer. When PI is no longer needed, we delete, anonymize, or de-identify it.

Plain English. We keep data only as long as needed, then we securely remove or de-identify it.

Lawful Bases (GDPR/UK GDPR/LGPD; consent regimes in other regions)

Where required (e.g., EU/UK/Brazil), we process PI on: contractual necessity (accounts, Services, payments); legitimate interests (security, fraud prevention, product improvement, B2B relationship management) balanced against data subjects’ rights; consent (marketing, certain cookies); and legal obligations (tax, accounting, lawful requests). In Canada (PIPEDA), we rely on express or implied consent; in Singapore (PDPA) and South Africa (POPIA), consent or other permitted grounds (e.g., legitimate interests/contractual necessity).

Plain English. We need a legal reason to use data, usually to run your account, improve the service, follow the law, or because you said “yes.”

Cookies, Pixels & Similar Technologies

We use cookies and similar tools to authenticate sessions, remember preferences, measure performance, and support marketing. You may manage cookies through your browser or any in-product controls we provide. Where legally required, we obtain consent for non-essential cookies. We honor Global Privacy Control (GPC) signals by treating them as valid opt-outs of “sale”/“sharing” under CPRA.

Plain English. Cookies help the site work and improve. You can control them. If your browser sends a GPC signal, we treat it as an opt-out.

Disclosures of PI (No Sale/Share for Ads)

We disclose PI to service providers/processors (hosting, storage, analytics, payments, communications, error monitoring) under contracts that prohibit use for their own purposes; to professional advisers (lawyers, auditors, insurers) under confidentiality; to authorities when required by law; and to business transferees in mergers/acquisitions/asset sales. We do not sell PI for monetary consideration and do not “share” PI for cross-context behavioral advertising under CPRA. If this changes, we will update this Policy and provide “Do Not Sell or Share” and any “Limit Sensitive PI” links.

Plain English. We share data with vendors who help run Rexxly, with advisors, and when the law requires. We don’t sell or share your data for ads.

Security & Breach Notification

We maintain administrative, technical, and physical safeguards appropriate to risk, including access controls, encryption in transit and at rest (where appropriate), vulnerability management, and incident response. We will notify customers and/or regulators of a personal data breach without undue delay as required by Applicable Law (e.g., Georgia breach rules, GDPR/UK breach timelines, LGPD/POPIA requirements).

Plain English. We protect data with industry-standard security. If a qualifying breach occurs, we’ll notify you and authorities as the law requires.

International Transfers

Because Rexxly operates globally, PI may be transferred to jurisdictions with different protections (including the U.S.). For restricted transfers (e.g., from the EEA/UK/Brazil), we implement appropriate safeguards such as EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum (IDTA), adequacy decisions where available, and supplementary measures as needed. Transfer details are available upon request, subject to redactions.

Plain English. Data may move across borders. When it does, we use approved legal tools (like SCCs) to protect it.

Your Privacy Rights (How to Exercise Them)

10.1 California (CCPA/CPRA)

California residents may know/access categories/specific PI, delete PI (subject to exceptions), correct inaccurate PI, opt out of sale/share (not applicable, we do not sell/share), limit SPI (not applicable, we do not use SPI to infer characteristics), and exercise rights without discrimination. Submit requests to privacy@rexxly.com with subject “California Request.” We verify requests reasonably (e.g., account/email checks). Authorized agents must provide written permission; we may require you to verify directly. We respond within 45 days, extendable once by 45 days with notice.

Plain English. In California you can ask what we have, get it corrected or deleted, and opt out (we don’t sell/share anyway).

10.2 EU/EEA & UK (GDPR/UK GDPR)

Individuals have rights to access, rectify, erase, restrict, object (including to direct marketing/legitimate interests), portability, and to withdraw consent without affecting past processing, and to complain to a supervisory authority. Submit requests to privacy@rexxly.com. Where legally required, we will identify our EU/UK representative or DPO in this Policy.

Plain English. In the EU/UK you have robust rights: ask for your data, fix it, delete it, or object to how it’s used.

10.3 Brazil (LGPD)

Data subjects may request confirmation of processing, access, correction, anonymization, blocking or deletion, portability, information on sharing, and revocation of consent. Contact privacy@rexxly.com to exercise LGPD rights.

Plain English. In Brazil you can see, fix, move, or delete your data and ask who it’s shared with.

10.4 Canada (PIPEDA)

Individuals may access and correct PI and may withdraw consent subject to legal/contractual limits. We will explain consequences of withdrawal where relevant.

Plain English. In Canada you can see and correct your data and withdraw consent (we’ll explain any service impacts).

10.5 Singapore (PDPA) & South Africa (POPIA)

Individuals may access and correct PI and withdraw consent. Complaints may be directed to the PDPC (Singapore) or Information Regulator (South Africa) after contacting us.

Plain English. In Singapore/SA you can access/correct data, withdraw consent, and complain to your regulator if we can’t resolve it.

10.6 Other U.S. States (VA, CO, CT, UT, TX, etc.)

Individuals may have rights to access, correct, delete, portability, and opt out of targeted advertising/profiling. We provide an appeals process for denied requests: email privacy@rexxly.com with the subject “Privacy Appeal.”

Plain English. Many U.S. states offer similar rights; if we deny a request, you can appeal.

Request Workflow (All Regions). Email privacy@rexxly.com describing your request and jurisdiction. We verify identity, respond within the legal timeframe, and track requests for compliance. We minimize identity data collected during verification and delete it when verification is complete.

Children’s Data

The Services are not directed to children under 13 (or 16 in jurisdictions with stricter minimums). We do not knowingly collect PI from children. If you believe a child provided PI, contact privacy@rexxly.com and we will delete it.

Plain English. We don’t target kids. Tell us if we’ve received a child’s info and we’ll remove it.

Data Minimization; Purpose Limitation; Automated Decisions

We collect only PI necessary for stated purposes and do not process it for materially different or incompatible purposes without notice and, where required, consent. Rexxly does not engage in solely automated decision-making that produces legal or similarly significant effects on individuals.

Plain English. We take only what we need, use it for the reasons we said, and we don’t make big automated decisions about you.

Third-Party Links, SDKs, and Platforms

The Services may link to or integrate third-party sites, SDKs, and platforms (e.g., Meta, TikTok, YouTube, LinkedIn). Those services are governed by their own privacy policies and terms; Rexxly is not responsible for their practices. Campaigns executed on third-party platforms are also subject to those platforms’ rules.

Plain English. Other sites and apps have their own rules. Check their policies when you use them.

Accountability & Records; Sub-processors; DPIAs

We maintain records of processing activities, sub-processors, and privacy requests to demonstrate compliance. We use sub-processors under written contracts with confidentiality, security, and data protection obligations equivalent to ours. Where required, we conduct Data Protection Impact Assessments (DPIAs) and transfer impact assessments.

Plain English. We keep compliance records, vet our vendors, and run formal risk assessments when the law requires.

Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated by posting a notice on the Site or emailing account holders. The “Last Updated” date reflects the latest version. If Rexxly becomes subject to GDPR/UK GDPR requirements to appoint an EU/UK representative or a Data Protection Officer, we will update this Policy to include those details.

Plain English. We’ll tell you about important updates. If we ever need an EU/UK rep or DPO, we’ll add their info here.

Contact Us

To ask questions or exercise rights, contact:
Email: privacy@rexxly.com

Plain English. Email us for any privacy question or rights request; we’ll help.

Appendix: CPRA “Notice at Collection”

In the past 12 months we collected the following CPRA categories: Identifiers (account, service delivery, security, marketing) disclosed to service providers/advisors/authorities as required; Commercial Information (billing, fraud prevention, support) disclosed to payment processors/accountants; Internet Activity (analytics, performance, security) disclosed to analytics/monitoring vendors; Professional Information (B2B relations, onboarding) disclosed to service providers; User Content (campaigns/deliverables) disclosed to hosting/storage vendors; Inferences (service/UX improvement) disclosed to analytics vendors; Sensitive PI (rare; narrow legal purpose) disclosed only to limited service providers. We do not sell or share PI, and we do not use Sensitive PI to infer characteristics.

Plain English. Here’s the CPRA summary: what we collect, why, who sees it, and a clear “no sale/share.”