Privacy Policy

Version 1.2 Effective 19 March 2026 Last amended 1 April 2026

How Fixra collects, processes, stores, and protects personal data, in accordance with the GDPR and the Data Protection Acts 1988–2018.1

Controller Data Categories Lawful Basis Purposes Storage Recipients Retention Your Rights Cookies Breach Supervisory Authority Amendments
01 Data Controller

The data controller for personal data processed through this website and our services is:

Fixra

Dublin, Ireland

jack@fixra.ie · +353 83 144 4927

02 Categories of Personal Data

We collect the following categories of personal data, provided voluntarily by data subjects:

  • Full name, email address, and telephone number
  • Business or trading name and registered address
  • Details of business operations and requirements as communicated to us
  • Correspondence between the data subject and the Controller

We do not collect or process special category data within the meaning of Article 9 GDPR, nor data relating to criminal convictions or offences under Article 10.

03 Lawful Basis for Processing

Personal data is processed on one or more of the following legal bases under Article 6(1) GDPR:

  • Legitimate interest (Art. 6(1)(f)) — responding to business enquiries and providing information about our services.
  • Contractual necessity (Art. 6(1)(b)) — performing obligations under a service agreement with the data subject or their organisation.
  • Consent (Art. 6(1)(a)) — where the data subject has opted in to receive communications. Consent may be withdrawn at any time per Article 7(3).
04 Purposes of Processing

Personal data is processed for the following purposes:

  1. Responding to enquiries submitted via our website or other channels
  2. Preparing proposals, quotations, and project scoping documentation
  3. Delivering, managing, and supporting contracted services
  4. Issuing project updates and operational correspondence
  5. Compliance with applicable legal, tax, and regulatory obligations
05 Data Storage and Technical Measures

All personal data is processed and stored within the European Union, in the AWS eu-west-1 region (Dublin, Ireland), through our data processor Supabase Inc.2

The following technical and organisational measures are implemented in accordance with Article 32 GDPR:

  • Encryption in transit via TLS 1.2 or above
  • Encryption at rest via AES-256
  • Row-level security policies ensuring complete logical data isolation between client organisations
  • Role-based access controls limiting access to authorised personnel only
  • Automatic daily backups with point-in-time recovery capability

No personal data is transferred to, or processed in, any jurisdiction outside the European Economic Area. Where AI-assisted features are available, all processing is performed by EU-hosted providers exclusively. Personal data is not used for the purpose of training machine learning or AI models.

06 Recipients and Third-Party Processors

We do not sell, rent, lease, or otherwise disclose personal data to third parties for their own commercial or marketing purposes.

Personal data may be shared with the following categories of recipients, each acting as a data processor under a written Data Processing Agreement in accordance with Article 28 GDPR:

  • Infrastructure providers — database hosting, authentication, and application deployment
  • Transactional email providers — email dispatch services

Personal data may also be disclosed where required by applicable law, regulation, or order of a court of competent jurisdiction.

07 Retention Periods

We retain personal data for no longer than is necessary for the purposes for which it was collected:

  • Enquiry data: retained for a maximum of 24 months following the most recent interaction with the data subject.
  • Client and project data: retained for the duration of the service agreement plus 7 years thereafter, in accordance with Section 886 of the Taxes Consolidation Act 1997.3
  • Sandbox and trial data: automatically deleted 90 days after last use, unless converted to a client engagement.

Data subjects may request earlier erasure at any time, subject to any overriding statutory retention obligations.

08 Data Subject Rights

Under Chapter III of the GDPR, data subjects may exercise the following rights:

  • Right of access (Article 15) — to obtain confirmation of processing and a copy of personal data held
  • Right to rectification (Article 16) — to have inaccurate or incomplete data corrected
  • Right to erasure (Article 17) — to request deletion of personal data, subject to applicable exceptions
  • Right to restriction of processing (Article 18) — to limit processing in specified circumstances
  • Right to data portability (Article 20) — to receive data in a structured, commonly used, machine-readable format
  • Right to object (Article 21) — to object to processing carried out on the basis of legitimate interest
  • Right to withdraw consent (Article 7(3)) — without affecting the lawfulness of processing based on consent before its withdrawal

To exercise any right, contact jack@fixra.ie. Requests will be acknowledged within 5 working days and responded to within one calendar month.

09 Cookies and Tracking

This website uses only strictly necessary cookies as defined under the ePrivacy Directive (2002/58/EC). We do not use analytics, advertising, or third-party tracking technologies of any kind.

10 Personal Data Breach Notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Data Protection Commission within 72 hours in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to data subjects, we will communicate the breach to affected individuals without undue delay.

11 Supervisory Authority

Data subjects who believe that their rights under data protection law have been infringed may lodge a complaint with:

Data Protection Commission

21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

www.dataprotection.ie · +353 1 765 0100

12 Amendments

This policy may be amended from time to time. Material amendments will be notified via our website. The version number and effective date stated at the head of this document reflect the most recent revision.

1.References to "GDPR" refer to Regulation (EU) 2016/679, as applied in Ireland by virtue of the European Communities Act 1972 and the Data Protection Act 2018.

2.Supabase Inc. acts as data processor under a Data Processing Agreement. Underlying infrastructure is provided by Amazon Web Services EMEA SARL, with data residency in eu-west-1 (Dublin).

3.Section 886 of the Taxes Consolidation Act 1997 requires retention of records relevant to tax liability for not less than 6 years. A 7-year period is applied as a precautionary measure.