Privacy Policy

Effective Date: February 18, 2026

1. Introduction

RoutineXAI (“we,” “us,” or “our”) respects your privacy and is committed to protecting the personal data you share with us. This Privacy Policy explains how we collect, use, disclose, store, and protect your information when you use our website at routinexai.com and our AI-powered routine generation service (collectively, the “Service”).

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account information: Name, email address, and password when you create an account
  • Profile preferences: Goals, schedule constraints, lifestyle preferences, and other inputs used to generate routines
  • Routine data: Routines you generate, accept, and track, including time block completion data, streaks, and progress snapshots
  • AI interactions: Prompts, follow-up answers, and feedback you provide to the AI coaching system
  • Communications: Messages you send to us via email or support channels

2.2 Information Collected Automatically

  • Device & browser data: IP address, browser type, operating system, device type, and screen resolution
  • Usage data: Pages visited, features used, time spent, click patterns, and referral sources
  • Cookies & similar technologies: Session cookies for authentication, preference cookies for settings. See Section 8 for details.

2.3 Information from Third Parties

We may receive limited information from third-party authentication providers if you choose to sign in via a social login in the future. We do not currently offer social login but may in the future.

3. How We Use Your Information

We use your personal data to:

  • Provide the Service: Generate personalized routines, track your progress, deliver AI coaching, and send notifications
  • Authenticate your identity: Manage your account and ensure secure access
  • Improve the Service: Analyze usage patterns, identify bugs, and develop new features
  • Communicate with you: Send service-related emails (e.g., password resets, routine reminders), and respond to your inquiries
  • Ensure safety & compliance: Detect fraud, enforce our Terms of Service, and comply with legal obligations

We do not use your personal data for advertising profiling or sell your data to third-party advertisers.

4. AI Data Processing

When you use the routine generation features, the following data is sent to third-party AI providers (currently Together AI and OpenAI) for processing:

  • Your stated goals, schedule preferences, and lifestyle constraints
  • Follow-up responses for routine refinement

Important points about AI data processing:

  • We do not send your name, email, or account credentials to AI providers
  • AI providers process data according to their own privacy policies and data processing agreements
  • We use API-level integrations, meaning your data is not used to train third-party AI models under our commercial agreements
  • AI-generated outputs are stored in our database associated with your account

5. How We Share Your Information

We do not sell, rent, or trade your personal data. We may share data in the following limited circumstances:

  • Service providers: Hosting (Railway, Vercel), database (Neon), AI providers (Together AI, OpenAI) — only as necessary to operate the Service, under data processing agreements
  • Legal requirements: When required by law, regulation, legal process, or governmental request
  • Safety: To protect the rights, property, or safety of RoutineXAI, our users, or the public
  • Business transfers: In connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy

6. Data Storage & Security

Your data is stored in PostgreSQL databases hosted by Neon with encryption at rest and in transit. We implement the following security measures:

  • Encryption: All data in transit is encrypted via TLS/SSL. Passwords are hashed using bcrypt with appropriate salt rounds.
  • Authentication: JWT-based authentication with secure token handling
  • Access controls: Role-based access to internal systems; principle of least privilege
  • Infrastructure: Deployed on Railway (API) and Vercel (Web) with security headers, HTTPS enforcement, and DDoS protection

While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your data according to these principles:

  • Active accounts: Data is retained for as long as your account is active
  • Account deletion: Upon request, we will delete your account and personal data within 30 days, except where retention is required by law
  • Inactive accounts: Accounts inactive for more than 24 months may be subject to deletion following prior notice
  • Aggregated data: We may retain anonymized, aggregated data indefinitely for analytics and service improvement

8. Cookies & Similar Technologies

We use the following types of cookies:

Type | Purpose | Duration
Essential | Authentication, session management | Session / 7 days
Functional | User preferences, theme settings | 1 year
Analytics | Usage patterns, feature adoption (if enabled) | Up to 2 years

We do not use advertising or tracking cookies. You can control cookies through your browser settings. Disabling essential cookies may impair your ability to use the Service.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

9.1 Rights for All Users

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your account and personal data
  • Export: Request your data in a portable, machine-readable format

9.2 Additional Rights (EU/EEA — GDPR)

  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent at any time where processing is based on consent
  • Lodge complaint: File a complaint with your local supervisory authority

Legal basis for processing (GDPR): We process your data based on: (a) contractual necessity (to provide the Service), (b) legitimate interests (to improve the Service and ensure security), and (c) consent (for optional features and communications).

9.3 California Residents (CCPA/CPRA)

  • Know: Right to know what personal information is collected, used, shared, or sold
  • Delete: Right to request deletion of personal information
  • Opt-out: Right to opt out of the sale or sharing of personal information — we do not sell your data
  • Non-discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, contact us at privacy@routinexai.com. We will respond within 30 days (or as required by applicable law).

10. International Data Transfers

Your data may be processed in the United States and other jurisdictions where our service providers operate. If you are located outside the United States, your data may be transferred to, stored, and processed in a country with data protection laws that differ from those in your jurisdiction.

Where required (e.g., under GDPR), we rely on Standard Contractual Clauses or other approved transfer mechanisms to ensure adequate protection for international data transfers.

11. Children's Privacy

The Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will take steps to delete that information promptly.

If you believe a child under 16 has provided us with personal data, please contact us at privacy@routinexai.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The “Effective Date” at the top of this page indicates when the latest version became effective.

We encourage you to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:

Email: privacy@routinexai.com

For GDPR-related inquiries, you may also contact our designated data protection point of contact at the same email address.
