Privacy Policy

Last Updated on August 30, 2025

Effective Date: August 30, 2025

1. Introduction

Welcome to FixFirst.io (“FixFirst”, “we”, “our”, or “us”).
We value your privacy and are committed to protecting your personal data.

This Privacy Policy explains how we collect, use, and safeguard your information when you use our website, software, and related services in the EU, UK, and worldwide.

By using our services, you agree to the practices described in this Privacy Policy.

2. Data Controller & Contact

FixFirst (FixFirst.io)
Rheinsberger Straße 76/77
c/o Factory
10115 Berlin, Germany
Email: hello@fixfirst.io

3. Data We Collect

  • Provided by you: account details (name, email, phone, address), support requests, business partner data, job applications.

  • Automatically collected: IP address, device/browser type, session logs, cookie IDs, consent status.

  • Payments: processed via Stripe, PayPal, Apple Pay, Google Pay. FixFirst does not store full payment details.

  • Communications & Marketing: newsletter sign-ups, marketing consents, feedback forms, survey responses.

4. Purposes & Legal Bases

We process personal data only where a legal basis exists under GDPR/UK GDPR:

  • Service delivery & contracts (Art. 6(1)(b))

  • Security, fraud prevention, aggregated analytics (Art. 6(1)(f))

  • Consent-based processing (cookies, newsletters, marketing) (Art. 6(1)(a))

  • Legal obligations (e.g. accounting, tax retention) (Art. 6(1)(c))

5. Cookies & Tracking

  • Necessary cookies: session management, login, security (always active).

  • Optional cookies: analytics and marketing, only with explicit consent.
    You may withdraw consent at any time via our cookie banner.

6. Sub-processors and Service Providers

We only share data with trusted service providers (sub-processors) when necessary to deliver our services.
All are bound by GDPR-compliant Data Processing Agreements and safeguards such as Standard Contractual Clauses (SCCs) for international transfers.

Infrastructure & Hosting

  • Google Cloud Platform (EU) – hosting, databases, storage

  • Microsoft Azure (EU) – hosting, compute, storage

  • Amazon Web Services (EU) – hosting, backups

Communication & Productivity

  • Slack (US/EU) – team communication

  • Google Workspace (EU/US) – email, docs, file storage

  • Microsoft 365 (EU/US) – email, productivity

Payments

  • Stripe (EU/US) – payment processing

  • PayPal (EU/US) – payment processing

  • Apple Pay / Google Pay (EU/US) – payment initiation

Email & Marketing

  • SendGrid (US) – transactional emails

  • Mailchimp (US) – newsletters, marketing

  • HubSpot (US/EU) – CRM & marketing automation

Forms & Surveys

  • Jotform (EU/US) – forms, surveys

  • Typeform (Spain/EU) – forms, surveys

  • Paperform (Australia) – forms, surveys

Analytics & Tracking

  • Google Analytics (EU/US) – website analytics (consent-based, IP anonymized)

  • Hotjar (Malta/EU) – behavior analytics

AI & Automation

  • OpenAI (US) – language model API, text processing

  • Make.com (EU/US) – automation & integrations

  • Vapi (US) – AI voice & conversational processing

  • Zapier (US) – automation & integrations

Maps & Location

  • Google Maps (EU/US) – maps & location lookup

Website & App Tools

  • Framer (EU/US) – website hosting & forms

  • Glide (US/EU) – app platform

Social Media & Advertising

  • Meta (Facebook, Instagram) (US/EU) – social media ads, analytics

  • LinkedIn (Microsoft) (US/EU) – social media ads, analytics

  • TikTok (Global/US/EU) – social media ads, analytics

  • X (Twitter) (US) – social media ads, analytics

  • YouTube (Google) (EU/US) – ads, analytics, embeds

Recruitment & HR Tools

  • Join.com (EU/Germany) – job applications & recruitment platform

  • Xing (EU/Germany) – recruitment & professional networking

7. International Data Transfers

Data is primarily processed within the EU/EEA.
Where transfers to third countries occur, we rely on SCCs and supplementary measures to ensure protection.

8. Retention

  • Accounts/contracts: duration of service + statutory retention periods

  • Support requests: usually up to 12 months

  • Logs: short rotation cycles

  • Job applications: 6 months (or up to 24 months with consent for talent pool)

  • Cookies: until withdrawn or expired

9. Your Rights

You have the right to:

  • Access your data (Art. 15 GDPR)

  • Rectify inaccuracies (Art. 16 GDPR)

  • Request erasure (Art. 17 GDPR)

  • Restrict processing (Art. 18 GDPR)

  • Request data portability (Art. 20 GDPR)

  • Object to processing, incl. marketing (Art. 21 GDPR)

  • Withdraw consent anytime (Art. 7(3) GDPR)

  • Lodge a complaint with your local supervisory authority (Art. 77 GDPR)

Contact us at hello@fixfirst.io to exercise your rights.

10. Security

We implement industry-standard measures:

  • TLS encryption in transit

  • Encryption at rest

  • Role-based access controls

  • Two-factor authentication for admins

  • Regular backups & GDPR-compliant incident response

11. Communication & Marketing

  • Contact requests are processed to handle support and service inquiries.

  • Newsletters are sent only with consent; unsubscribe anytime via the link in each email.

12. Recruitment

Applicant data is used only for recruitment decisions and stored for up to 6 months.
With explicit consent, we may store applications in a talent pool for up to 24 months.

Recruitment data may also be processed via Join.com and Xing, which act as service providers in this context.

13. Program-specific Notices

For certain programs or partnerships (e.g. voucher schemes), additional privacy notices may apply. These will be provided as addenda.

14. Changes

We may update this Privacy Policy when necessary.
Significant changes will be communicated via email or through our platform.