relaynix

Privacy Policy

Last updated: 2026-06-17

This Privacy Policy explains how Relaynix ("we", "us", "the Service") collects, uses, stores and shares personal data, and your rights under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Spanish data-protection law (LOPDGDD). Relaynix is a multi-tenant SaaS that helps creators and teams produce and publish AI-generated short-form video to social-media accounts they own and control.

1. Who is the data controller

The controller of your personal data is:

(Where we process personal data on behalf of a customer — e.g. public comments on their channels — that customer is the controller and we act as processor under our Data Processing Addendum.)

2. What data we collect

Account data: email address, full name, password hash (bcrypt), 2FA TOTP secret if enabled, billing email, workspace name/slug, locale and timezone, last-login timestamp/IP, and an audit log of security events (sign-ups, password changes, sessions, credential reveals, admin actions).

Workspace integrations — only what you explicitly connect under Settings → Integrations: OAuth tokens or API keys for the AI and social-media providers you choose (Anthropic, OpenAI, ElevenLabs, fal.ai, YouTube, Meta, Threads, Reddit, Pinterest, Telegram, etc.) and the account/ channel/page IDs they return.

Content & metadata: the briefs, prompts, scripts, uploaded files and generated videos you create, plus titles, niche labels and aggregated view/publish counts. For the comment-reply feature we store public comments on your connected posts (author handle, text, timestamp). We never access private inboxes or DMs.

QR scan events (end-viewers): if you enable the optional per-project tracked QR code, each scan of that QR transits our redirect domain (rlnx.net) before forwarding to your link. For each scan we record the time, an approximate country (from Cloudflare's edge), the device/OS family and the referring site — and, instead of the raw IP, a salted, daily-rotated keyed hash of it (never the IP itself). This lets you see where your audience comes from without identifying individual viewers. These events are deleted after 90 days (§7).

Usage & analytics: if you consent (see §9), Google Analytics 4 collects standard usage analytics. Without consent, no analytics cookies are set.

3. Why we use it & our legal basis

We do not sell personal data, run advertising SDKs, or profile the end-viewers of your content.

4. How & where we store it

API keys and OAuth tokens are encrypted at rest with AES-256-GCM under a per-tenant data-encryption key (DEK), itself wrapped by a master key held outside the database. Production data (PostgreSQL, generated assets) is hosted in the EU on Hostinger servers in Vilnius, Lithuania. Encrypted backups are stored in a private Backblaze B2 bucket. Transport is TLS 1.3.

5. Recipients & sub-processors

We share data only with service providers acting on our instructions, each limited to the function described. The full, current list with locations and data scope is in our Data Processing Addendum. In summary: Anthropic / OpenAI (script drafting), ElevenLabs (voiceover), fal.ai / Kling (video generation), YouTube / Meta / Threads / Reddit / Pinterest / Telegram (publishing destinations you connect), Stripe (billing — card data entered directly with Stripe, never seen by us), Resend (transactional email), Cloudflare (CDN/DNS/TLS), Hostinger (EU hosting), Google (Analytics, on consent).

6. International transfers

Primary data stays in the EU (Lithuania). Some sub-processors are outside the EEA (mainly the US). For those transfers we rely on the EU-US Data Privacy Framework adequacy decision where the provider is certified, and otherwise on the European Commission's Standard Contractual Clauses (2021) plus supplementary measures. Copies of the relevant safeguards are available on request.

7. How long we keep it

8. Your rights

Under the GDPR you have the right to access, rectify, erase, restrict or object to processing, the right to data portability, and the right to withdraw consent at any time (without affecting prior processing). You can:

You also have the right to lodge a complaint with a supervisory authority — in Spain, the Agencia Española de Protección de Datos (AEPD), www.aepd.es.

9. Cookies

We use a single essential cookie — whiu_dash (SameSite=None, Secure, HttpOnly) — to keep you signed in; it requires no consent. Analytics (Google Analytics 4 via Google Tag Manager) is loaded only after you accept in the cookie banner; until then, by Consent Mode v2, no analytics cookies are set. You can change your choice any time by clearing site data, and decline without losing any functionality. We use no advertising or third-party tracking cookies.

10. Children

The Service is for users aged 18+ and is not directed at children. We do not knowingly collect data from anyone under 18.

11. Automated decisions

We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects on you.

12. Changes & contact

We will post material changes here and, where appropriate, notify you by email. Privacy: privacy@relaynix.tech · Support: support@relaynix.tech