Fixr Privacy Policy

1. Who We Are

Fixr, including the Fixr website, Fixr web application, Fixr APIs, the Fixr Assistant browser extension, and related hosted services (together, the "Services"), is provided by:

If you have appointed a data protection officer or privacy lead, you can contact them at: info@datafixr.io

In this Privacy Policy, "Fixr", "we", "us", and "our" mean the entity above.

2. Scope

This Privacy Policy explains how we collect, use, store, share, and otherwise process personal data when you:

• visit the Fixr website;
• create or use a Fixr account;
• use the Fixr web application, APIs, data cleaning tools, list and export tools, and related features;
• install or use the Fixr Assistant browser extension; or
• otherwise interact with Fixr.

This policy covers the Extension and the Fixr platform together.

This policy does not govern third-party websites, services, or pages that you access separately, such as LinkedIn, Companies House, or other external sites, except to the extent that the Extension or Platform reads data from those pages or sends data to or from those services at your request.

3. Data Controller and Processor Roles

For personal data processed to operate Fixr accounts, authentication, workspace administration, usage tracking, security, subscription management, API access, and our own platform operations, DataFixr Ltd is the data controller.

Where a Fixr customer uses the Services to import, upload, extract, clean, enrich, compare, sync, verify, create, update, or export records relating to third-party individuals or businesses, that customer may be the data controller and Fixr may act as a processor or service provider on the customer's behalf, depending on the applicable contract and law.

In some cases, Fixr may also act as controller for data included in Fixr's own service dataset, platform administration records, support records, and security or compliance records.

4. Personal Data We Collect

Depending on how you use the Services, we may collect or process the following categories of personal data.

A. Account and identity data

• Email address
• Password and password setup state
• User ID and authentication/session data
• First name and last name
• Organisation membership
• User role and permissions, such as admin or organisation manager status
• Invitation records and password setup links
• Account status, including disabled or deleted status and related timestamps

We do not intentionally store plain-text passwords in the Fixr application database. Authentication is managed through our authentication provider.

B. Organisation and workspace data

• Organisation name
• Organisation website / company URL
• Postal address details, including first line, second line, city, county, and post code
• Workspace and organisation identifiers
• API key metadata, such as API key prefix, hashed API key, revoked status, creation date, and creator
• Workspace user roster and roles
• Subscription and tier records, including plan, billing cycle dates, credit allowance, credits used, proration, status, and change notes

The current codebase shows subscription and credit tracking records, but does not show direct collection of payment card details.

C. Browser extension data and local browser storage

When you use the Fixr Assistant browser extension, we may process:

• Your email address and password when logging in through the Extension
• Access tokens, refresh tokens, expiry timestamps, and basic account details returned by the Fixr backend
• Configured Fixr backend/base URL
• Extension session state stored in browser extension storage
• Tab-specific extracted data, comparison state, selected fields, host information, enrichment progress, and related runtime state

D. Website and web application preference/storage data

When you use the Fixr website or web app, we may use:

• Authentication cookies needed to keep you signed in
• Basic UI preference cookies or local storage, such as sidebar and theme preferences
• Local browser storage used to remember visual preferences

E. Company, contact, and business record data

Fixr may store, display, compare, create, update, import, export, clean, or otherwise process business records, including:

Company data, such as:

• Company name
• Website URL and normalized website host
• LinkedIn URL
• Industry and final industry
• City and country/region
• Company size
• Founded year
• Description
• Email address
• Phone number
• Live/dead or status information
• Keywords
• Source metadata and enrichment timestamps
• Verification status and timestamps for phone verification
• Third-party or CRM identifiers where available, such as record IDs

Contact data, such as:

• First name and last name
• Job title
• Company name
• Associated company record
• LinkedIn URL
• Email address
• Phone number
• Industry
• Seniority
• ICP / segmentation metadata
• Keywords
• Source metadata and enrichment timestamps
• Verification status and timestamps for phone verification

F. Data extracted from supported web pages by the Extension

When you activate the Extension on supported pages, it may read data from the page's DOM, structured metadata, visible text, page title, meta tags, JSON-LD data, links, and user-selected text.

The current codebase is designed primarily around LinkedIn company pages and LinkedIn individual profile pages, and may support other configured domains.

This may include:

• company information visible on the page;
• individual/contact information visible on the page;
• public business contact details shown on the page; and
• comparison or enrichment data generated from those page reads.

The Extension reads available browser page content and visible DOM. It does not perform OCR on images, PDFs, or canvas content.

G. Uploaded and imported data

If you upload a CSV file or submit data through APIs or forms, we may process:

• file name;
• CSV contents and headers;
• row counts;
• company/contact data contained in the upload;
• cleaned, normalized, validated, deduplicated, or enriched output; and
• change previews, warnings, or quality statistics generated by the tool.

Based on the current codebase, the CSV cleaning tool processes uploaded CSV content in request memory and returns cleaned output, while separately logging usage metadata such as file name, row count, organisation, user, and credits used.

H. Search, list, export, and usage data

We may process:

• search terms and filters you enter;
• list names, entity types, and list membership;
• selected record IDs for export or list actions;
• export context, including whether premium fields were requested;
• usage history, such as file name, search query, number of rows, entity type, credits used, fields requested/delivered, timestamps, and related context metadata.

I. Public registry and lookup data

If you use Companies House or related lookup features, we may process and return public registry data, including:

• company search queries and company numbers;
• company profile information;
• registered office address details;
• officers data;
• persons with significant control data; and
• related public filing metadata.

This data may include personal data about officers or controllers, such as names, roles, appointment dates, nationality, country of residence, occupation, and partial date-of-birth information where available from the public source.

J. Phone verification and enrichment data

If you use phone verification or re-verification features, we may process:

• the phone number submitted or stored on the relevant record;
• normalized phone number data;
• verification provider responses;
• summary indicators, such as whether a number appears possible, mobile, active, UK-based, or on the TPS;
• phone verification status, timestamps, and retry timing.

K. Technical, security, and operational data

The Services and our providers may process limited technical data necessary to operate and secure the Services, such as:

• IP address
• request metadata
• browser, device, or extension version information
• server and access logs
• API key usage
• session and token data
• error and troubleshooting information

Based on the current codebase, we do not intentionally include third-party advertising SDKs, client-side analytics trackers, or crash-reporting SDKs in the Extension or web app. Our infrastructure providers may still generate standard operational logs.

5. Sources of Personal Data

We may collect personal data:

• directly from you;
• from your employer, workspace owner, or organisation administrator;
• from browser extension page reads that you trigger on supported pages;
• from CSV uploads, API requests, forms, and manual data entry;
• from existing records in your Fixr workspace;
• from public sources and registries, such as Companies House;
• from verification or enrichment providers used when you request those features; and
• from our authentication, hosting, and infrastructure providers.

6. How We Use Personal Data and Legal Bases

If UK GDPR or EU GDPR applies, we generally rely on the following legal bases.

To provide the Services

This includes:

• creating and administering accounts;
• authenticating users and maintaining sessions;
• inviting users and enabling password setup;
• storing and managing organisations, workspaces, roles, lists, and API access;
• searching, comparing, matching, creating, updating, exporting, and displaying records;
• processing CSV cleaning, normalization, validation, deduplication, and enrichment requests;
• supporting Extension page extraction and comparison workflows;
• verifying phone numbers and performing public registry lookups; and
• providing usage, credit, and subscription functionality.

Legal basis: performance of a contract, or steps taken at your request before entering into a contract.

To operate, secure, monitor, and improve the Services

This includes:

• role-based access control;
• fraud, abuse, and misuse prevention;
• debugging, support, and reliability;
• usage reporting and audit-friendly history; and
• maintaining searchable indexes, normalized fields, and derived metadata.

Legal basis: our legitimate interests in operating a secure, reliable, and effective service.

To comply with law and protect rights

This includes:

• responding to lawful requests;
• enforcing our terms and policies; and
• maintaining records for compliance, accounting, tax, security, and dispute resolution.

Legal basis: compliance with legal obligations and our legitimate interests in defending rights and claims.

To process customer-directed third-party data

Where customers use Fixr to process business contact or company data, uploaded files, extension extracts, or API submissions, we process that data under the customer's instructions and the legal basis applicable to the customer's use.

Where consent applies

If we rely on consent for a specific activity, we will ask for it where required by law, and you can withdraw that consent at any time for future processing.

7. How We Share Personal Data

We do not sell personal data collected through the Services.

We do not share personal data for cross-context behavioral advertising.

We may share personal data in the following circumstances:

With your organisation and workspace users

If you use Fixr through a business account, your organisation, workspace administrators, or authorised managers may access account, usage, list, export, and workspace data associated with your organisation.

With Fixr personnel and platform administrators

Authorized Fixr personnel may access relevant data where needed to administer the platform, provide support, investigate incidents, enforce policies, or maintain security.

With service providers and subprocessors

We may use service providers for hosting, authentication, infrastructure, database services, email delivery, logging, and support. Based on the current platform, this may include providers such as:

• Supabase for authentication, database, and related backend services
• Vercel or similar hosting/deployment infrastructure
• service providers used by our authentication provider for account emails and invitation/password setup flows

With feature-specific third parties when you use those features

• Companies House for company lookup and public registry data
• e164.com, HLRLookup, and TPSUnlimited for phone validation and verification-related checks
• the Fixr backend configured in the Extension, if the Extension is pointed at a specific environment

For legal reasons and business transfers

We may disclose data if required by law, regulation, court order, or lawful request, or where necessary to protect rights, safety, property, or support a merger, acquisition, financing, restructuring, or sale of assets.

8. International Transfers

Data processed locally by the Extension is stored in your browser profile or extension storage on your device.

Data processed by the web app, APIs, authentication systems, hosting providers, and feature-specific providers may be processed in countries where those providers operate.

Where required by applicable law, we will use appropriate safeguards for international transfers, such as adequacy decisions, standard contractual clauses, or equivalent lawful transfer mechanisms.

9. Data Retention

We retain personal data for no longer than necessary for the purposes described in this policy, unless a longer period is required or permitted by law.

In general:

• web app authentication cookies remain until logout, expiry, or deletion;
• local browser preferences remain until you clear them;
• extension storage remains until you change it, clear it, or uninstall the Extension;
• uploaded CSV contents processed by the cleaning endpoint are handled transiently to provide the requested output, while usage metadata may be logged;
• account, organisation, subscription, list, record, and usage history data may be retained while the account or workspace is active and afterward as needed for audit, security, compliance, dispute resolution, backups, and legal obligations;
• deleted or disabled records may first be flagged as deleted rather than immediately erased.

If you want to publish fixed retention periods, add them here for each category before publication.

10. Security

We use reasonable technical and organisational measures designed to protect personal data, including measures such as:

• HTTPS/TLS for network communication;
• authenticated access controls;
• role-based access controls and row-level access controls where implemented;
• hashed storage of organisation API keys rather than storing the raw key for later display;
• session management and cookie controls; and
• provider-managed authentication and password handling.

No system can guarantee absolute security. You are responsible for keeping your credentials, device, browser profile, and extension environment secure.

11. Your Privacy Rights

Depending on where you live, you may have rights including:

• the right to know whether we process your personal data;
• the right to access personal data;
• the right to correct inaccurate personal data;
• the right to delete personal data, subject to exceptions;
• the right to restrict or object to certain processing;
• the right to data portability;
• the right to withdraw consent where processing is based on consent;
• the right to opt out of sale or sharing, if applicable;
• the right to limit use of sensitive personal information, if applicable;
• the right not to be discriminated against for exercising privacy rights; and
• the right to lodge a complaint with a supervisory authority or regulator.

To exercise your rights, contact us at: info@datafixr.io

If your request relates to data that a Fixr customer controls, we may direct you to that customer as the primary controller.

12. Cookies and Similar Technologies

Extension

The Extension does not rely on ordinary website cookies for its core functionality. It primarily uses browser extension storage and related local storage mechanisms for configuration, session state, and runtime state.

Website and web app

The Fixr website and web app use cookies and similar technologies for purposes such as:

• maintaining authenticated sessions;
• remembering basic interface preferences; and
• storing local display preferences such as theme.

If you later add non-essential analytics, advertising, or tracking technologies, you should update this policy and, where required, provide additional notices or consent tools.

13. Automated Processing

Fixr may use automated rules and workflows to search, normalize, validate, deduplicate, compare, verify, or enrich data. This includes matching records by identifiers such as email, phone number, LinkedIn URL, website host, or company data, and generating search indexes or verification flags.

Fixr does not currently appear to use solely automated decision-making that produces legal or similarly significant effects about individuals.

14. Children's Privacy

The Services are intended for business and professional use and are not directed to children. We do not knowingly collect personal data from children in connection with the Services.

15. Your Responsibilities When Using Third-Party Data

If you use Fixr to collect, import, upload, extract, verify, enrich, compare, create, update, or export records about other individuals, you are responsible for ensuring that you have an appropriate legal basis and that your use complies with applicable privacy, employment, marketing, and data protection laws.

You should not upload special category or highly sensitive personal data unless you have a clear lawful basis and the Services are appropriate for that data.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to the Services, our providers, applicable law, or our processing practices.

When we make material changes, we will update the effective date and provide additional notice where required.

17. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact: