PHIXE AI Assurance Book a call
PRIVACY

Privacy Policy

How Phixe handles website analytics, booking data, client information, assessment evidence, retention, subprocessors, and privacy requests.

4 min read PrivacyAnalyticsData handlingSubprocessorsRetention

This policy explains how Phixe handles information from the public website, booking flow, and scoped engagements. It should be read together with trust and data handling, which covers access, testing rules, evidence handling, and what we will not do during an assessment.

What this policy covers

This policy covers:

  • Public website visits to phixe.io.
  • Booking and inquiry data submitted through the scheduler or contact path.
  • Engagement administration data such as scope notes, business contact details, access coordination, and report delivery.
  • Assessment evidence created during authorized work: request traces, test inputs, screenshots where needed, logs, finding notes, retest evidence, and remediation context.

Client contracts, NDAs, statements of work, and data processing agreements may add stricter rules. When they do, the signed agreement controls the engagement.

Website analytics

Phixe uses privacy-conscious analytics to understand how the site is found, which pages lead to booking interest, and whether technical content is useful. Analytics may collect page URL, referrer, UTM parameters, browser metadata, coarse location derived from network information, and interaction events such as clicking a booking link.

The analytics loader respects Global Privacy Control, Do Not Track, and a local opt-out flag named phixe_analytics_opt_out. If any of those signals is present, PostHog and Google Analytics do not load. Session recording is disabled. Person profiles are limited to identified use cases. The site may load Google Analytics only when the production environment is configured with a GA4 property, and only behind the same privacy guard.

Analytics controls

Use these controls to store an analytics preference in this browser. Global Privacy Control and Do Not Track still override a local allow choice.

Checking analytics preference...

Booking data

The booking page can load a third-party scheduler, but it does not load the embedded scheduler until you choose to open it. If you open the scheduler here or in a new tab, the scheduler processes the information needed to schedule the call and may show its own privacy notice. The embedded scheduler is loaded with a no-referrer policy. Phixe uses booking information to prepare for the call, follow up, scope possible work, and keep records of business communication.

Do not submit secrets, credentials, regulated production data, or full customer datasets through the booking form. A short product description, deadline, and security-review context are enough for first contact.

Client and assessment data

For scoped work, we collect only what is needed to perform the engagement and produce useful evidence. That may include system diagrams, endpoint lists, tool inventories, prompts, test accounts, representative logs, request traces, screenshots, findings, fix notes, and retest results.

The default rules are:

  • Use staging or isolated environments where possible.
  • Use least-privilege, time-boxed credentials.
  • Keep client code, prompts, logs, and datasets out of third-party AI tools unless written approval says otherwise.
  • Capture enough evidence to reproduce a finding without collecting full datasets when a representative sample is enough.
  • Keep reports and evidence bounded to the agreed scope.

Subprocessors and service providers

Phixe uses service providers for hosting, website analytics, scheduling, and normal business operations. The public site currently relies on Vercel for hosting, PostHog for analytics, Calendly for scheduling, and Google services only where configured for fonts or analytics.

Where an engagement requires additional tools, the statement of work names the tool class and the data it may touch. Client data does not move into a new tool category silently.

Retention

Website analytics are retained according to the analytics provider configuration. Booking and business correspondence are retained as long as needed for follow-up, records, and legitimate business administration.

Engagement evidence is retained according to the signed agreement. At the end of an engagement, credentials are revoked and working data is deleted or returned as agreed. The final report and necessary evidence may be retained where needed to support retest, audit trail, legal obligations, or the client’s buyer-facing security review.

Disclosure

Phixe does not publish client names, traces, screenshots, prompts, or commercial details without written permission. If testing identifies an issue that affects a third party, the responsible disclosure process described on trust and data handling applies.

Your choices and requests

You can avoid the embedded scheduler by not loading it on the booking page. You can also use Global Privacy Control, Do Not Track, or the analytics controls on this page to suppress analytics on future page loads. To ask for access, correction, deletion, or restriction of information associated with you, use the contact path at book a call and identify the message as a privacy request.

If the information is held under a client agreement, the agreement may define who can authorize the request and how deletion, return, or retention works.

Changes

This policy may change as Phixe’s tooling or engagement model changes. The current version is dated July 8, 2026.

Frequently asked

Do you sell personal data?
No. Phixe does not sell personal data and does not run a data brokerage business. Website analytics are used to understand site performance and conversion, not to resell visitor profiles.
Do you paste client data into AI tools?
Not without written approval. Client code, prompts, logs, traces, documents, and datasets stay out of third-party AI tools unless the statement of work explicitly permits a named tool and data class.
Who receives booking information?
Booking information is processed by the scheduler used on /book and by Phixe for scoping, follow-up, and engagement administration. Do not put secrets, credentials, or sensitive production data in the scheduler note field.
How do we make a privacy request?
Use the contact path at /book and identify the request as privacy-related. If we are handling data under an active client agreement, the agreement controls the operational details.

There's a security review between you and your next deal.

Ask how privacy maps to your scope