This policy explains how Phixe handles information from the public website, booking flow, and scoped engagements. It should be read together with trust and data handling, which covers access, testing rules, evidence handling, and what we will not do during an assessment.
What this policy covers
This policy covers:
- Public website visits to
phixe.io. - Booking and inquiry data submitted through the scheduler or contact path.
- Engagement administration data such as scope notes, business contact details, access coordination, and report delivery.
- Assessment evidence created during authorized work: request traces, test inputs, screenshots where needed, logs, finding notes, retest evidence, and remediation context.
Client contracts, NDAs, statements of work, and data processing agreements may add stricter rules. When they do, the signed agreement controls the engagement.
Website analytics
Phixe uses privacy-conscious analytics to understand how the site is found, which pages lead to booking interest, and whether technical content is useful. Analytics may collect page URL, referrer, UTM parameters, browser metadata, coarse location derived from network information, and interaction events such as clicking a booking link.
The analytics loader respects Global Privacy Control, Do Not Track, and a local opt-out flag named phixe_analytics_opt_out. If any of those signals is present, PostHog and Google Analytics do not load. Session recording is disabled. Person profiles are limited to identified use cases. The site may load Google Analytics only when the production environment is configured with a GA4 property, and only behind the same privacy guard.
Analytics controls
Use these controls to store an analytics preference in this browser. Global Privacy Control and Do Not Track still override a local allow choice.
Checking analytics preference...
Booking data
The booking page can load a third-party scheduler, but it does not load the embedded scheduler until you choose to open it. If you open the scheduler here or in a new tab, the scheduler processes the information needed to schedule the call and may show its own privacy notice. The embedded scheduler is loaded with a no-referrer policy. Phixe uses booking information to prepare for the call, follow up, scope possible work, and keep records of business communication.
Do not submit secrets, credentials, regulated production data, or full customer datasets through the booking form. A short product description, deadline, and security-review context are enough for first contact.
Client and assessment data
For scoped work, we collect only what is needed to perform the engagement and produce useful evidence. That may include system diagrams, endpoint lists, tool inventories, prompts, test accounts, representative logs, request traces, screenshots, findings, fix notes, and retest results.
The default rules are:
- Use staging or isolated environments where possible.
- Use least-privilege, time-boxed credentials.
- Keep client code, prompts, logs, and datasets out of third-party AI tools unless written approval says otherwise.
- Capture enough evidence to reproduce a finding without collecting full datasets when a representative sample is enough.
- Keep reports and evidence bounded to the agreed scope.
Subprocessors and service providers
Phixe uses service providers for hosting, website analytics, scheduling, and normal business operations. The public site currently relies on Vercel for hosting, PostHog for analytics, Calendly for scheduling, and Google services only where configured for fonts or analytics.
Where an engagement requires additional tools, the statement of work names the tool class and the data it may touch. Client data does not move into a new tool category silently.
Retention
Website analytics are retained according to the analytics provider configuration. Booking and business correspondence are retained as long as needed for follow-up, records, and legitimate business administration.
Engagement evidence is retained according to the signed agreement. At the end of an engagement, credentials are revoked and working data is deleted or returned as agreed. The final report and necessary evidence may be retained where needed to support retest, audit trail, legal obligations, or the client’s buyer-facing security review.
Disclosure
Phixe does not publish client names, traces, screenshots, prompts, or commercial details without written permission. If testing identifies an issue that affects a third party, the responsible disclosure process described on trust and data handling applies.
Your choices and requests
You can avoid the embedded scheduler by not loading it on the booking page. You can also use Global Privacy Control, Do Not Track, or the analytics controls on this page to suppress analytics on future page loads. To ask for access, correction, deletion, or restriction of information associated with you, use the contact path at book a call and identify the message as a privacy request.
If the information is held under a client agreement, the agreement may define who can authorize the request and how deletion, return, or retention works.
Changes
This policy may change as Phixe’s tooling or engagement model changes. The current version is dated July 8, 2026.