Privacy

Last updated: 22 May 2026

This policy explains what personal data Rebuilt processes, why, and the rights you have. Rebuilt is operated from Vienna, Austria, and processes personal data in line with the EU General Data Protection Regulation (GDPR). Provider details are listed in our Impressum.

Data we collect. We collect account data you provide when you sign up or sign in (such as your email address) and authentication data, handled through our authentication and database provider, Supabase. We process content you create in the product, such as path notes, choices, saved cards, and progress. With your consent, we process product-analytics data through PostHog to understand how the beta is used. We may also process basic technical data needed to keep the service secure and stable.

Why we use it and our legal basis. We process account, authentication, and content data to provide the product and your account — that is, to perform our agreement with you (Art. 6(1)(b) GDPR). We rely on your consent (Art. 6(1)(a) GDPR) for analytics and any non-essential cookies, which you can withdraw at any time. We rely on our legitimate interests (Art. 6(1)(f) GDPR) to keep the service secure, prevent abuse, and improve the product, balanced against your rights.

We do not sell your data. We do not sell personal data or run ad-targeting pipelines. Rebuilt is positioned as an educational product, and health-adjacent features are handled with data minimization in mind. We share data only with the service providers that help us run the product (such as Supabase for auth/database, PostHog for analytics, and our transactional email provider), each acting as a processor on our instructions. API keys and service credentials are kept on the server side, not in browser code.

Retention. We keep personal data for as long as your account is active or as needed to provide the product, and afterwards only as long as required to meet legal, accounting, or security obligations, after which it is deleted or anonymized.

Your rights. Subject to applicable law, you have the right to access, rectify, and erase your personal data; to restrict or object to processing; to data portability; and to withdraw any consent at any time without affecting prior processing. To exercise these rights, contact privacy@rebuilt.cards. You also have the right to lodge a complaint with a supervisory authority. In Austria, this is the Austrian Data Protection Authority (Datenschutzbehörde, DSB).

Cookies. We use a small set of essential cookies and, with your consent, analytics storage. See our Cookie policy for details and how to change your choice.

International transfers.Some of our service providers may process data outside the European Economic Area. Where that happens, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses or an adequacy decision, to protect your data.

Children. Rebuilt is intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18.

Changes. We may update this policy as the product develops. When we make material changes, we will update the date above and, where appropriate, provide further notice.

Contact. For any data or privacy request, contact privacy@rebuilt.cards. Account and Facebook Login data deletion instructions are available at /legal/data-deletion.