Remi

Privacy Policy

Last updated: 27 February 2026

1. Who we are

Remi ("we", "us", "our") is an AI-powered return reminder service that helps online shoppers track return deadlines. This policy explains how we collect, use, and protect your personal data.

2. Data we collect

  • Email address — provided via Google or Microsoft OAuth sign-in.
  • Email message metadata — sender, subject, snippet, and date of delivery/order confirmation emails from your Gmail or Outlook inbox. We do not read the full body of unrelated emails.
  • OAuth tokens — encrypted at rest and used solely to access your Gmail or Outlook inbox on your behalf.
  • Phone number (optional) — if you choose to receive SMS reminders.
  • Push notification subscriptions — browser push endpoint and keys.
  • Consent records — what you consented to, when, and from which IP address.

3. How we use your data

  • Scan your Gmail or Outlook inbox for delivery confirmation emails to identify return deadlines.
  • Send you reminders via SMS, email, and/or push notifications before your return windows expire.
  • Authenticate your account and maintain your session.
  • Improve the accuracy of our AI parsing over time.

4. Sub-processors

We share data with the following third-party services only as necessary to operate Remi:

Provider | Purpose | Location
--- | --- | ---
Neon | PostgreSQL database hosting | US (East)
OpenRouter | AI parsing of email metadata | US
Telnyx | SMS delivery | US
Resend | Email delivery | US
Stripe | Payment processing | US
Vercel | Application hosting | US
Cloudflare | CDN and DNS | Global
Google | Gmail OAuth authentication, inbox access & Pub/Sub push notifications | US
Microsoft | Outlook email access & authentication (Entra ID / Graph API) | Global

5. Legal basis for processing (GDPR)

  • Consent — you explicitly consent to inbox scanning before signing in.
  • Contract — processing necessary to provide the reminder service you signed up for.
  • Legitimate interest — service security, abuse prevention, and improving parsing accuracy.

6. Your rights

Under the GDPR and the Australian Privacy Act 1988, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your account and all associated data.
  • Portability — receive your data in a structured, machine-readable format.
  • Withdraw consent — revoke your consent at any time. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, email us at [email protected].

7. Data retention

We retain your data for as long as your account is active. If you delete your account, all personal data is permanently removed within 30 days. Aggregated, anonymised analytics data may be retained indefinitely.

8. Cross-border data transfers

Our infrastructure is hosted in the United States (Neon, Vercel). If you access Remi from outside the US (e.g. Australia), your data will be transferred to and processed in the US. We rely on standard contractual clauses and the sub-processor agreements listed above to safeguard your data.

9. Cookies

Remi uses only essential cookies required for authentication (NextAuth session cookie). We do not use any tracking, analytics, or advertising cookies.

10. Security

We protect your data with encryption at rest and in transit, row-level security in our database, encrypted OAuth token storage, and strict Content Security Policy headers. We conduct regular security reviews and follow industry best practices.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. Continued use of Remi after changes constitutes acceptance of the updated policy.

12. Contact

For privacy enquiries, contact us at [email protected].