Privacy Policy
Last updated: April 13, 2026
Fixxdit ("we," "us," "our") operates the website fixxdit.com and the Fixxdit web application. This privacy policy explains what personal data we collect, why we collect it, how we use it, and your rights.
1. Who we are
Fixxdit is a UX auditing tool operated by Thinesh Balan, based in Malaysia. Our engine infrastructure is hosted in Nuremberg, Germany (EU).
For privacy-related questions, contact us at support@fixxdit.com.
2. What data we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Email, name, profile picture | You or Google OAuth |
| Audit data | URLs you submit, screenshots, audit reports | You provide the URL; we generate the rest |
| Payment data | Stripe customer ID, transaction history | Stripe (we never see your card number) |
| Usage data | Pages visited, session duration | Google Analytics (with your consent) |
| Technical data | IP address, browser type | Automatically collected |
3. Why we collect it
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and manage your account | Contract performance |
| Run UX audits you request | Contract performance |
| Process payments via Stripe | Contract performance |
| Send transactional emails | Contract performance |
| Analytics (GA4) | Your consent |
| Prevent fraud and abuse | Legitimate interest |
4. How we use Google data
When you sign in with Google, we receive your name, email, and profile picture. We use this only to create your Fixxdit account and display your identity in the app. We do not sell your Google data, share it for advertising, or use it for any purpose beyond account management.
5. Who we share data with
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | Tokyo, Japan |
| Stripe | Payment processing | United States |
| Google Analytics | Website analytics (with consent) | United States |
| Anthropic | AI-powered audit analysis | United States |
| Hetzner | Audit engine hosting | Nuremberg, Germany |
| Vercel | Frontend hosting | Global edge |
| Resend | Transactional email | United States |
We do not sell your personal data to anyone.
6. International data transfers
Your data is processed in multiple locations. Screenshots and audit processing happen on our server in Nuremberg, Germany (within the EU). Our database is hosted in Japan, which has an EU adequacy decision. Services in the United States (Stripe, Vercel, Resend, Google Analytics, Anthropic) are covered by the EU-US Data Privacy Framework.
7. Cookies
We use essential cookies for authentication and session management. These do not require consent.
We use Google Analytics 4 to understand how visitors use Fixxdit. GA4 cookies (_ga, _ga_*) are only set after you give consent. If you decline, GA4 does not load and no tracking occurs.
8. How long we keep your data
| Data | Retention |
|---|---|
| Account and audit data | Until you delete your account |
| Screenshots on our server | Deleted shortly after processing |
| Payment records | 7 years (legal compliance) |
| Analytics data | 14 months (GA4 default) |
| Server logs | 90 days |
9. Your rights
Under the GDPR, you have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Restrict processing
- Port your data (receive it in a machine-readable format)
- Object to processing based on legitimate interest
- Withdraw consent at any time (e.g., for analytics cookies)
To exercise any of these rights, email us at support@fixxdit.com. We will respond within 30 days.
You also have the right to lodge a complaint with a data protection authority. If you are in the EU, you may contact your local supervisory authority.
10. Payment processing
We use Stripe to process payments. Your card details are entered directly into Stripe's secure form — we never see, receive, or store your card number. Stripe processes your payment and shares with us only a transaction ID, payment status, and the last 4 digits of your card. See Stripe's Privacy Policy for details.
11. Data security
We protect your data with HTTPS encryption, short-lived authentication tokens, row-level security policies, and atomic database transactions. Our audit engine is isolated from user data. No system is 100% secure — if we discover a breach affecting your data, we will notify you and the relevant authorities within 72 hours as required by GDPR.
12. Children
Fixxdit is not intended for anyone under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Changes to this policy
We may update this policy from time to time. When we make changes, we will update the date at the top. For significant changes, we will notify you by email or a notice on the website.
14. Contact us
If you have questions about this policy or your personal data, email us at support@fixxdit.com.