Privacy Policy
Last updated: April 2026
1. Who we are
fixGDPR (“we”, “us”, “our”) operates the website fixgdpr.xyz, a GDPR compliance checking tool. We are the data controller for the personal data described in this policy. Contact us at: fixgdpr@gmail.com
2. What data we collect
When you run a scan (anonymous)
- The URL you submitted
- Your IP address (for rate limiting)
- Scan results (compliance checks and scores)
When you create an account
- Email address
- Name (optional, via Clerk)
- All scan history linked to your account
- Payment details (handled by the payment processor listed in Section 5; we never see or store card numbers)
3. Legal basis for processing
- Contract — processing your scans and delivering results you requested
- Legitimate interest — IP-based rate limiting to prevent abuse
- Consent — marketing communications (if you opt in), and opt-in product analytics (see Section 9)
- Legal obligation: retaining payment records for the period required by tax and accounting law (see Section 6)
4. How we use your data
- To run compliance scans and show you results
- To provide your dashboard and scan history
- To process payments for Pro/Agency plans
- To send transactional emails (scan complete, billing)
- To prevent abuse via rate limiting
We do not sell your data, use it for advertising, or share it with third parties beyond the processors listed in Section 5 and the analytics provider described in Section 9.
5. Third-party processors
| Processor | Purpose | Location |
|---|---|---|
| Neon / PostgreSQL | Database hosting | EU / US |
| Clerk | Authentication | US (SCCs) |
| Paddle | Payment processing (MoR) | UK / US (SCCs) |
| Vercel | Hosting & CDN | US / EU (SCCs) |
SCCs = Standard Contractual Clauses (EU transfer mechanism)
6. Data retention
- Anonymous scan results: deleted after 30 days
- Account scan history: kept while your account is active, deleted within 30 days of account deletion
- IP addresses for rate limiting: in-memory only, reset hourly
- Payment records: 7 years (legal requirement)
7. Data subject rights (GDPR Art. 15–22)
As a data subject, you have the following rights under GDPR:
- Right to access — request a copy of your personal data we hold (Art. 15)
- Right to rectification — correct inaccurate or incomplete data (Art. 16)
- Right to erasure (“right to be forgotten”) — request deletion of your data (Art. 17)
- Right to restriction — request we limit processing of your data (Art. 18)
- Right to portability — receive your data in a machine-readable format (Art. 20)
- Right to object — object to processing based on legitimate interest (Art. 21)
To exercise any right, email fixgdpr@gmail.com. We respond within one month (30 days). You also have the right to lodge a complaint with your national supervisory authority.
8. Browser Extension
The fixGDPR browser extension (available for Chrome and Firefox) sends the URL of the active tab to fixgdpr.xyz to perform a compliance scan. Specifically:
- Only the URL of the page you choose to scan is transmitted
- No browsing history is collected or stored
- No data is collected from pages you visit without clicking the extension
- Scan results are collected and retained the same way as web scans (see Sections 2 and 6)
9. Cookies & Analytics
We use essential cookies required for authentication (session token via Clerk). We also use PostHog, a third-party analytics processor, for product analytics; this is opt-in only. No analytics data is collected until you explicitly accept cookies via the consent banner. You can withdraw consent at any time by clicking “Reject All” in the cookie banner.
We do not use advertising or tracking cookies. No data is shared with advertising networks.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Know — request disclosure of the personal information we collect, use, and share
- Delete — request deletion of your personal information
- Correct — request correction of inaccurate personal information
- Opt out of sale/sharing — we do not sell or share your personal information with third parties for cross-context behavioral advertising
- Non-discrimination — we will not discriminate against you for exercising your rights
Do Not Sell or Share My Personal Information: fixGDPR does not sell or share personal information as defined under CCPA/CPRA. No action is required to opt out.
To exercise your rights, email fixgdpr@gmail.com. We will respond within 45 days.
11. Changes to this policy
We may update this policy. Material changes will be notified by email (for account holders) or by a notice on this page. Continued use after changes constitutes acceptance.
Questions? Email us at fixgdpr@gmail.com