Privacy Policy

Last updated: March 2026

Butler ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights as a user.

1. Data We Collect

• Account information: Your email address and password hash (never stored in plain text).
• Profile data: Name, date of birth, location, work and personal context you choose to share during onboarding. This data is encrypted end-to-end using AES-256-GCM before storage.
• Tasks, goals, and reminders: Content you create within the app.
• Calendar data: Events synced from Google Calendar or Apple Calendar (via an authorised integration you control).
• Conversation history: Messages between you and the Butler AI, stored encrypted to provide context for future conversations.
• Notification preferences: Push subscription tokens, email, and phone numbers you provide for reminders.

2. How We Use Your Data

• To provide and improve the Butler service
• To send reminders and notifications you have requested
• To pass context to the AI (Claude by Anthropic) to generate personalised responses
• To sync with third-party calendar services you have authorised

We do not sell your data. We do not use your data to train AI models.

3. AI Processing

Butler uses the Claude API (by Anthropic) to generate AI responses. Relevant portions of your encrypted profile and conversation context are decrypted in-memory and sent to the Claude API solely to generate a response. Anthropic's own privacy policy applies to API usage. We do not store raw data on Anthropic's infrastructure.

4. Third-Party Integrations

• Google Calendar: Accessed via OAuth 2.0. We only request the minimum permissions needed to read and write calendar events. You can disconnect at any time from Settings.
• Apple Calendar: Accessed via CalDAV using an app-specific password you provide. Credentials are encrypted before storage.
• SendGrid: Used to deliver email reminders and notifications.
• Twilio: Used to deliver SMS and WhatsApp reminders (only if you provide a phone number).

5. Data Security

All profile data, conversation history, and calendar credentials are encrypted using AES-256-GCM with per-user keys derived via HKDF. Access tokens use short-lived JWTs. All data is transmitted over HTTPS.

6. Data Retention

Your data is retained for as long as your account is active. You may request a full export or delete your account at any time from the Settings page. Account deletion removes all personal data within 30 days.

7. Your Rights (GDPR)

If you are in the European Economic Area, you have the right to access, correct, port, and erase your personal data. To exercise these rights, use the data export and account deletion features in Settings, or contact us at privacy@rexe.au.

8. Cookies

Butler does not use tracking cookies. Authentication tokens are stored in your browser's localStorage and are not accessible to third parties.

9. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or in-app notice.

10. Contact

Questions? Email us at privacy@rexe.au.