Privacy Policy

Fixra — fixra.ie

Version 1.2 · Effective 19 March 2026 · Last amended 1 April 2026

This policy describes how Fixra (“the Controller”, “we”, “us”) collects, processes, stores, and protects personal data obtained through fixra.ie and related services, in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Data Protection Acts 1988–2018.1

1. Data Controller

The data controller for personal data processed through this website and our services is:

Fixra

Dublin, Ireland

jack@fixra.ie · +353 83 144 4927

2. Categories of Personal Data

We collect the following categories of personal data, provided voluntarily by data subjects:

Full name, email address, and telephone number
Business or trading name and registered address
Details of business operations and requirements as communicated to us
Correspondence between the data subject and the Controller

We do not collect or process special category data within the meaning of Article 9 GDPR, nor data relating to criminal convictions or offences under Article 10.

3. Lawful Basis for Processing

Personal data is processed on one or more of the following legal bases under Article 6(1) GDPR:

Legitimate interest (Art. 6(1)(f)) — responding to business enquiries and providing information about our services. We have conducted a legitimate interest assessment and concluded that processing does not override the data subject’s rights.
Contractual necessity (Art. 6(1)(b)) — performing obligations under a service agreement with the data subject or their organisation.
Consent (Art. 6(1)(a)) — where the data subject has opted in to receive communications. Consent may be withdrawn at any time per Article 7(3), without affecting the lawfulness of processing carried out prior to withdrawal.

4. Purposes of Processing

Personal data is processed for the following purposes:

Responding to enquiries submitted via our website or other channels
Preparing proposals, quotations, and project scoping documentation
Delivering, managing, and supporting contracted services
Issuing project updates and operational correspondence
Compliance with applicable legal, tax, and regulatory obligations

5. Data Storage and Technical Measures

All personal data is processed and stored within the European Union, in the AWS eu-west-1 region (Dublin, Ireland), through our data processor Supabase Inc.2

The following technical and organisational measures are implemented in accordance with Article 32 GDPR:

Encryption in transit via TLS 1.2 or above
Encryption at rest via AES-256
Row-level security policies ensuring complete logical data isolation between client organisations
Role-based access controls limiting access to authorised personnel only
Automatic daily backups with point-in-time recovery capability

No personal data is transferred to, or processed in, any jurisdiction outside the European Economic Area. Where AI-assisted features are available, all processing is performed by EU-hosted providers exclusively. Personal data is not used for the purpose of training machine learning or AI models.

6. Recipients and Third-Party Processors

We do not sell, rent, lease, or otherwise disclose personal data to third parties for their own commercial or marketing purposes.

Personal data may be shared with the following categories of recipients, each acting as a data processor under a written Data Processing Agreement in accordance with Article 28 GDPR:

Infrastructure providers — database hosting, authentication, and application deployment
Transactional email providers — email dispatch services

Personal data may also be disclosed where required by applicable law, regulation, or order of a court of competent jurisdiction.

7. Retention Periods

We retain personal data for no longer than is necessary for the purposes for which it was collected:

Enquiry data: retained for a maximum of 24 months following the most recent interaction with the data subject.
Client and project data: retained for the duration of the service agreement plus 7 years thereafter, in accordance with Section 886 of the Taxes Consolidation Act 1997.3
Sandbox and trial data: automatically deleted 90 days after last use, unless converted to a client engagement.

Data subjects may request earlier erasure at any time, subject to any overriding statutory retention obligations.

8. Data Subject Rights

Under Chapter III of the GDPR, data subjects may exercise the following rights:

Right of access (Article 15) — to obtain confirmation of processing and a copy of personal data held
Right to rectification (Article 16) — to have inaccurate or incomplete data corrected
Right to erasure (Article 17) — to request deletion of personal data, subject to applicable exceptions
Right to restriction of processing (Article 18) — to limit processing in specified circumstances
Right to data portability (Article 20) — to receive data in a structured, commonly used, machine-readable format
Right to object (Article 21) — to object to processing carried out on the basis of legitimate interest
Right to withdraw consent (Article 7(3)) — without affecting the lawfulness of processing based on consent before its withdrawal

To exercise any right, contact jack@fixra.ie. Requests will be acknowledged within 5 working days and responded to substantively within one calendar month, in accordance with Article 12(3) GDPR. Where requests are complex or numerous, this period may be extended by a further two months per Article 12(3), with notification to the data subject.

9. Cookies and Tracking

This website uses only strictly necessary cookies as defined under the ePrivacy Directive (2002/58/EC), as transposed into Irish law by S.I. No. 336/2011 (European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011). We do not use analytics, advertising, or third-party tracking technologies of any kind.

10. Personal Data Breach Notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Data Protection Commission within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to data subjects, we will communicate the breach to affected individuals without undue delay, in accordance with Article 34.

11. Supervisory Authority and Complaints

Data subjects who believe that their rights under data protection law have been infringed may lodge a complaint with the competent supervisory authority:

Data Protection Commission

21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

www.dataprotection.ie · +353 1 765 0100 · info@dataprotection.ie

This right to lodge a complaint is without prejudice to any other administrative or judicial remedy available to the data subject.

12. Amendments to This Policy

This policy may be amended from time to time. Material amendments will be notified via our website. The version number and effective date stated at the head of this document reflect the most recent revision. Continued use of our website or services following any amendment constitutes acceptance of the updated policy.

1.References to “GDPR” throughout this document refer to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as applied in Ireland by virtue of the European Communities Act 1972 and the Data Protection Act 2018 (No. 7 of 2018).

2.Supabase Inc. acts as data processor under a Data Processing Agreement executed in accordance with Article 28 GDPR. Underlying infrastructure is provided by Amazon Web Services EMEA SARL, with data residency in the eu-west-1 (Dublin) availability zone.

3.Section 886 of the Taxes Consolidation Act 1997 (as amended) requires the retention of records relevant to tax liability for a period of not less than 6 years. A 7-year retention period is applied as a precautionary measure.