This Privacy Policy describes how RexyServer ("we," "our," or "the server") handles information when you operate this software. We are committed to your privacy. This policy is written in plain language because you deserve to understand it.
RexyServer runs entirely on your hardware. We have no servers that receive your data. We do not collect personal information. We do not sell data. We do not run analytics. We do not use your data to train any machine learning or AI models. The data RexyServer processes — your media files, library catalog, reading and listening progress, user accounts you create — lives entirely on the machine you're running RexyServer on. None of it is transmitted to us. We do not even know that you are running RexyServer.
When you operate RexyServer, the following data is stored locally on the machine you're running it on:
All of this data lives on your machine and nowhere else. We do not have a copy. We have no way to retrieve, view, or recover any of it. If you delete RexyServer, that data is gone unless you have your own backup.
RexyServer issues outbound network requests only in the following circumstances, all initiated by your configuration:
RexyServer does not make outbound requests for any other purpose. No analytics, no telemetry, no "check for permission to run" pings, no anonymous usage statistics.
For server administrators monitoring household activity: RexyServer maintains a local security audit log that records authentication events including failed login attempts and pairing failures. These entries include the IP address of the device that initiated the request. This log is stored locally in the same SQLite database as the rest of your library catalog and is visible only to administrators of your RexyServer instance via the Activity Log view in the library window. The log is never transmitted off your machine.
If you operate RexyServer for a household with multiple users, you should be aware that you are recording the source IP of every device that interacts with your server, including theirs. This is a normal security practice for self-hosted servers, but is disclosed here so household members are not surprised that their device IPs appear in your administrative records.
When RexyServer fetches metadata from a third-party provider, that provider receives certain information as part of the request:
Each provider has its own privacy policy that governs how it handles this information. RexyServer is not responsible for the practices of any third-party provider. You can disable any provider individually from Settings if you do not want RexyServer to contact it on your behalf.
Most importantly: when an authenticated API is involved (ComicVine, Marvel, AniList, MyAnimeList, League of Comic Geeks), the API credentials are ones you obtained directly from that provider under your own name. You are the registered API consumer in your relationship with that provider, not RexyServer or its developer.
RexyServer is designed for local-network and trusted-VPN use. It does not expose itself to the public internet, and we strongly recommend against doing so via port forwarding or reverse proxy. If you want access from outside your home, use Tailscale (or a similar trusted mesh-VPN solution): install it on the Mac running RexyServer and on the devices that need remote access, and your devices will reach the server over an encrypted private network — without opening any ports.
Whatever networking choice you make is your responsibility. RexyServer does include several defensive features regardless: TLS encryption with certificate pinning, per-device API keys, an admin elevation token that defaults to 5 minutes, and rate limiting on authentication endpoints. These are reasonable defenses but are not a substitute for proper network security practice.
RexyServer includes an optional bug report feature accessible from Help & Feedback. If you choose to use it, RexyServer composes an email in your default mail client with a diagnostic bundle attached. The bundle includes:
The bundle does not include your IP address, your library contents, your stored credentials, your user accounts, or any information that identifies what's in your library. You can review the full contents of the attachment before choosing to send the email. Diagnostic data is never collected or transmitted automatically — it is only sent when you explicitly send the bug report email yourself.
RexyServer is intended for adults who self-host their own media server. We do not knowingly collect any information from children under the age of 13. Operating a self-hosted media server is not typical for children. If you are a parent or guardian and a child has installed and configured RexyServer, you are responsible for ensuring their use complies with applicable law.
Because we do not collect or store your data on any infrastructure we control, there is no central database that can be breached. The data that RexyServer stores on your machine uses standard macOS security mechanisms: SQLite database files in the user-specific Application Support directory (protected by macOS file permissions), API credentials in the macOS Keychain, and TLS connections to client devices using certificates generated locally on first run.
The security of your machine is your responsibility. RexyServer cannot protect data on a compromised machine. You are responsible for keeping macOS updated, using strong account passwords, applying FileVault disk encryption if appropriate, and following standard local-machine security practices.
Since all data is stored locally on your machine, you have complete control over it at all times. You can:
If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with similar privacy laws, you have the following rights:
In practice, because RexyServer collects almost no personal data and stores nothing on our infrastructure, most of these rights are satisfied automatically. If you contact us via email, that email address and message content is the only personal data we may hold. You can request deletion at any time by emailing rexyviewapp@gmail.com.
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale or sharing of personal information. Because RexyServer does not collect, sell, or share personal information, these rights are satisfied by default. You can contact us at rexyviewapp@gmail.com to exercise any of these rights.
If we make material changes to this Privacy Policy, the updated text will appear in a new release of RexyServer and the Last Updated date at the top of this document will reflect the most recent revision. We encourage you to review this policy when you update RexyServer. Continued use of RexyServer after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy, please contact us at rexyviewapp@gmail.com.