Privacy Policy
Repixa Inc.
Last Updated: April 3, 2025
Governing Law: State of Delaware, United States
Jurisdiction for Disputes: San Francisco, California
Table of Contents
Introduction & Identity of the Controller
Scope & Data Subject Categories
Our Role Under Data Protection Law
Information We Collect
Purpose & Legal Basis for Processing
AI Model Training & Improvement
Cookies & Tracking Technologies
Data Retention
Payment Processing
Subprocessors & Third-Party Services
International Data Transfers
Security Measures
Your Rights
California Privacy Rights (CCPA/CPRA)
Do Not Track
Children's Privacy
Automated Decision-Making & Profiling
Changes to This Policy
Contact Information
1. Introduction & Identity of the Controller
Repixa Inc. ("Repixa", "we", "our", "us") provides AI-powered automated demo execution and browser automation services for B2B businesses. This Privacy Policy explains how we collect, use, process, store, transfer, and protect personal data in connection with our website and platform.
Company: Repixa Inc.
Address: 28 Geary St Suite 650, San Francisco, CA 94108, United States
Email: privacy@repixa.io
Website: https://repixa.io
By using our services, you acknowledge the practices described in this Privacy Policy. Where required by applicable law, we will obtain your explicit consent before processing your personal data.
2. Scope & Data Subject Categories
This Privacy Policy applies to the following categories of individuals:
Customers: Businesses and individuals who have contracted to use Repixa's platform directly.
Website Visitors: Individuals who visit repixa.io or related Repixa web properties.
End Users / Prospects: Third-party individuals — such as sales prospects — who interact with Repixa AI agents during demo sessions initiated by our customers. These individuals have not directly contracted with Repixa. Their data is processed on behalf of our customers under the applicable Data Processing Agreement (DPA). Customers, acting as Data Controllers, are responsible for establishing a lawful basis for such processing and for directing Repixa's activities within the scope of the demo session.
Authorized Representatives: Employees or agents acting on behalf of customer organizations.
3. Our Role Under Data Protection Law
Repixa operates in different legal capacities depending on the processing activity. The role is determined by the facts of each activity, not solely by contractual designation.
3.1 Where Repixa Acts as a Data Processor
When executing automated demo sessions on behalf of customers, Repixa acts as a Data Processor — processing personal data solely according to the documented instructions of the customer (Data Controller). Such processing is governed by a Data Processing Agreement (DPA) available at repixa.io/dpa. Repixa will not process personal data on behalf of a customer in processor capacity without a valid DPA in place.
3.2 Where Repixa Acts as a Data Controller
Repixa acts as an independent Data Controller — determining its own purposes and means — for the following activities:
Account registration and management
Website usage analytics and cookie data
Security monitoring, abuse detection, and fraud prevention
Internal operational and infrastructure logs
De-identified or aggregated data used for product improvement and AI model development
Direct communications with customers about Repixa products and services
Legal, compliance, and regulatory obligations
For these activities, Repixa bears direct, independent data protection obligations regardless of any customer relationship.
3.3 Customer Responsibilities
Customers acting as Data Controllers are responsible for:
(a) directing Repixa's processing activities within the scope defined in the DPA;
(b) establishing and maintaining a lawful basis for processing prospect and end-user data before initiating demo sessions;
(c) complying with applicable data protection laws in their own jurisdiction.
These responsibilities are independent of and do not limit Repixa's own obligations as a Controller under Section 3.2.
4. Information We Collect
4.1 Account Information
Full name
Business email address
Company name and size
Login credentials (stored in hashed form)
4.2 Technical & Usage Information (collected as Controller)
IP address
Device type, browser type, and operating system
Session metadata and timestamps
Performance metrics and error logs
Referrer URLs and navigation paths
4.3 Demo & Interaction Data (collected as Processor, on behalf of customers)
During automated demo sessions, Repixa processes the following on behalf of the customer:
Browser automation logs and action execution records
Interaction history and session-level activity data
System-generated transcripts of conversations
Technical interaction metadata
This data may contain personal information relating to prospects. Processing is governed by the applicable DPA and conducted solely under customer instructions.
Separately, Repixa processes certain technical data derived from demo sessions in its capacity as Controller (e.g., for security monitoring and platform reliability), as described in Section 3.2.
4.4 Audio & Voice Data
If voice-enabled features are activated:
Voice input during demo sessions
Speech-to-text transcripts
Audio interaction metadata
Prior to any voice-enabled session, prospects are shown the following notice:
"By starting, you agree to our Privacy Policy & Terms. This session may be recorded."
This notice serves as an informational disclosure but is not relied upon as the sole or complete consent mechanism for all jurisdictions. Customers are independently responsible for satisfying voice and recording consent requirements in their jurisdiction and their prospects' jurisdiction — including, where applicable, California's Invasion of Privacy Act (Penal Code § 632) and equivalent state or national recording laws.
Note on Biometric Data: Repixa uses voice data for speech-to-text transcription only. Repixa does not generate, store, or use voiceprints or biometric identifiers derived from voice for the purpose of identifying any individual. Laws specifically governing biometric identification (such as the Illinois Biometric Information Privacy Act) are not triggered solely by Repixa's transcription functionality. Customers who independently generate voiceprints must ensure their own compliance with applicable biometric laws.
4.5 Data from Third-Party Sources (GDPR Article 14)
In certain cases, customers may provide Repixa with prospect information sourced from third parties or publicly available sources prior to a demo session (e.g., for session personalization). Repixa processes such data as a Data Processor on behalf of the customer. The customer, as Data Controller, is responsible for compliance with GDPR Article 14, which requires informing data subjects of processing not collected directly from them — including the data categories, purposes, legal basis, recipients, retention periods, and data source — within one month of collection or at the time of first contact with the data subject.
4.6 Website Usage Data (collected as Controller, with consent where required)
Page views and referrer information
Device and browser information
Geographic location at country/city level
Cookie and analytics data (see Section 7)
5. Purpose & Legal Basis for Processing
5.1 Where Repixa Acts as Controller
Personal Data | Purpose | Legal Basis
Account & contact data | Account creation and platform access | Contractual necessity (Art. 6(1)(b))
Account & contact data | Customer communications and support | Contractual necessity (Art. 6(1)(b))
Technical & usage data | Platform operation and reliability | Legitimate interests (Art. 6(1)(f))
Technical & usage data | Security monitoring and abuse prevention | Legitimate interests (Art. 6(1)(f))
IP address, device data | Website provision and response to requests | Legitimate interests (Art. 6(1)(f))
Analytics & cookie data | Website performance analysis | Consent (Art. 6(1)(a))
De-identified session data | AI model improvement and product development | Legitimate interests (Art. 6(1)(f))
All data types | Legal and regulatory compliance | Legal obligation (Art. 6(1)(c))
Contact information | Marketing communications (where opted in) | Consent (Art. 6(1)(a))
Note on Legitimate Interests: Where we rely on legitimate interests, we have assessed that our interests are not overridden by the rights and interests of the data subjects concerned. Data subjects may object to such processing at any time (see Section 13).
5.2 Where Repixa Acts as Processor (on behalf of customers)
When processing prospect and end-user data during demo sessions, the legal basis is determined and maintained by the customer as Data Controller. Repixa processes such data solely on customer instructions under the applicable DPA.
6. AI Model Training & Improvement
When Repixa uses data to improve its AI systems, it acts as a Data Controller for that purpose. The following rules apply:
Identifiable customer and prospect data processed as a Data Processor is not used for AI model training unless: (a) it has been effectively anonymized or aggregated such that no individual can reasonably be re-identified, or (b) the customer has provided explicit written consent.
Raw session transcripts, recordings, and personally identifiable interaction data are not used for model training without satisfying condition (a) or (b) above.
Data used for model improvement is subject to internal access controls, role-based permissions, and data minimization practices.
Repixa does not use customer or prospect data for third-party advertising purposes under any circumstances.
Enterprise customers may contact privacy@repixa.io to discuss data processing preferences or to opt out of the use of anonymized data derived from their sessions for model improvement.
7. Cookies & Tracking Technologies
Cookie Type | Purpose | Consent Required
Essential | Authentication, session management | No
Functional | User preferences (theme, language) | No
Analytics | Website usage analysis | Yes
Marketing | Not currently used | N/A
Non-essential cookies are activated only upon explicit user consent. Users may manage cookie preferences at any time via:
Our cookie consent banner
"Cookie Settings" in the website footer
Browser-level settings
Consent for analytics cookies may be withdrawn at any time without affecting prior lawful processing.
8. Data Retention
Data Category | Retention Period
Account data | Duration of active account + 90 days post-termination
Authentication and access logs | 30 days
Session execution logs (technical) | 30 days from session completion
Session transcripts (raw) | 90 days from session completion, or until customer deletion
Session recordings (audio/video) | 90 days from session completion, or until customer deletion
De-identified telemetry & analytics | 12 months from collection
Cookie consent records | 12 months
Legal and compliance records | As required by applicable law (typically 5–7 years)
Payment and billing records | As required by applicable tax and financial law
Data may be deleted upon verified request, subject to legal retention obligations. Customers may submit deletion requests for processor-mode data in accordance with the applicable DPA.
9. Payment Processing
Repixa does not store, transmit, or process payment card information on its own servers. All payment processing is handled by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. Repixa retains only non-sensitive billing metadata (e.g., transaction reference IDs, invoice amounts) necessary for accounting and support purposes.
10. Subprocessors & Third-Party Services
All subprocessors are bound by written data processing agreements requiring them to: (a) process data only for the purposes of delivering Repixa's services, (b) maintain appropriate technical and organizational security measures, and (c) not engage further subprocessors without Repixa's prior authorization.
Category | Subprocessor | Function | Location
Infrastructure & Hosting | Railway | Backend infrastructure hosting | United States
Infrastructure & Hosting | Vercel | Frontend hosting | United States
Browser Automation | Browserbase | Cloud browser execution & session capture | United States
AI / LLM Processing | Anthropic, PBC | Large language model API | United States
Speech-to-Text | Deepgram | Voice transcription | United States
Text-to-Speech | ElevenLabs | AI voice synthesis | United States
Database & Object Storage | Supabase, Inc. | Structured data & file storage | United States
Agent Memory | Mem0 | Contextual memory layer for AI agent | United States
Payment Processing | Stripe, Inc. | Payment handling & billing | United States
Repixa will provide customers with at least 30 days' advance notice of any material changes to this subprocessor list. The current list is maintained at repixa.io/subprocessors.
11. International Data Transfers
Repixa is headquartered in the United States. Personal data may be transferred to and processed in countries that may not provide the same level of data protection as the data subject's country of residence.
Safeguards for EEA, UK, and Swiss Residents:
Where required, Repixa implements the following transfer mechanisms:
Standard Contractual Clauses (SCCs) as adopted by the European Commission
UK International Data Transfer Addendum (IDTA) where applicable
Transfer Impact Assessments (TIAs) conducted on a case-by-case basis for high-risk transfers
EU Representative (Article 27 GDPR):
Repixa does not currently maintain a designated EU representative. Repixa has assessed that its current processing of EEA personal data does not meet the threshold for mandatory Article 27 designation — specifically, it is not carried out on a large scale, does not involve special category data systematically, and does not involve regular monitoring of individuals in the EEA. Repixa will reassess this position as its EEA operations grow and will appoint a representative if and when required. EEA residents may direct inquiries to privacy@repixa.io.
12. Security Measures
Repixa implements appropriate technical and organizational measures to protect personal data, including:
Encryption in transit (TLS 1.2+) and at rest for stored data
Role-based access controls and principle of least privilege
Multi-factor authentication for internal systems
Security monitoring, alerting, and incident logging
Data minimization and pseudonymization practices
Vendor security assessments for all subprocessors
Staff confidentiality obligations and need-to-know access controls
No method of transmission or storage is 100% secure. In the event of a personal data breach likely to result in risk to the rights and freedoms of individuals, Repixa will:
Notify the relevant supervisory authority within 72 hours of becoming aware, where required by law
Notify affected data subjects by email without undue delay, where required by law
Document all breaches internally, regardless of notification obligation
13. Your Rights
13.1 Rights Under GDPR (EEA Residents)
Right | Article | Description
Right of Access | Art. 15 | Obtain confirmation of processing and receive a copy of your data
Right to Rectification | Art. 16 | Request correction of inaccurate or incomplete data
Right to Erasure | Art. 17 | Request deletion where data is no longer necessary or consent is withdrawn
Right to Restriction | Art. 18 | Request suspension of processing in certain circumstances
Right to Data Portability | Art. 20 | Receive your data in a structured, machine-readable format
Right to Object | Art. 21 | Object to processing based on legitimate interests or for direct marketing
Right to Withdraw Consent | Art. 7(3) | Withdraw consent at any time without affecting prior lawful processing
Right to Lodge a Complaint | Art. 77 | Lodge a complaint with your national supervisory authority
To lodge a complaint with an EU supervisory authority, visit: https://edpb.europa.eu/about-edpb/about-edpb/members_en
To exercise any right: privacy@repixa.io
Response time: Within 30 days. In complex cases, up to 3 months with prior notification.
Important: Where Repixa processes your data as a Data Processor on behalf of a customer, rights requests relating to that data must be directed to the relevant customer (Data Controller). Repixa will assist customers in fulfilling such requests in accordance with the DPA.
13.2 Rights Under UK GDPR
UK residents have equivalent rights under the UK GDPR and Data Protection Act 2018. Complaints may be directed to the Information Commissioner's Office (ICO) at ico.org.uk.
13.3 Rights Under Swiss Law
Swiss residents have equivalent rights under the revised Federal Act on Data Protection (revFADP). Complaints may be directed to the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.
14. California Privacy Rights (CCPA/CPRA)
The CCPA/CPRA applies to businesses meeting specific thresholds: annual gross revenues exceeding $26.625 million, processing personal information of 100,000 or more California residents or households annually, or deriving 50% or more of annual revenues from selling or sharing personal information.
To the extent Repixa meets these thresholds, California residents have the following rights:
Right | Description
Right to Know | Request disclosure of categories and specific pieces of personal information collected, used, or disclosed
Right to Delete | Request deletion of personal information, subject to legal exceptions
Right to Correct | Request correction of inaccurate personal information
Right to Opt Out | Repixa does not sell or share personal information as defined under CCPA/CPRA
Right to Limit | Limit use of sensitive personal information where applicable
Right to Non-Discrimination | Repixa will not deny or degrade service for exercising CCPA/CPRA rights
Even where statutory thresholds do not currently apply, Repixa voluntarily extends these rights to California residents as part of its commitment to privacy.
To exercise California rights: privacy@repixa.io
15. Do Not Track
Repixa does not currently respond to browser-based "Do Not Track" (DNT) signals, as no uniform industry standard for DNT compliance exists. This Policy will be updated if our practices change.
16. Children's Privacy
Repixa's services are directed exclusively at business users and are not intended for individuals under the age of 16. Repixa does not knowingly collect personal information from children under 16. If we become aware that personal information of a minor has been collected, we will take prompt steps to delete it.
To report a concern: privacy@repixa.io
17. Automated Decision-Making & Profiling
Repixa does not subject individuals to decisions based solely on automated processing — including profiling — that produce legal effects or similarly significant effects, unless:
(a) it is necessary for entering into or performing a contract;
(b) it is authorized by applicable law; or
(c) the individual has given explicit consent.
Where automated processing occurs within demo sessions (e.g., AI agent responses), such processing is conversational and assistive in nature and does not produce decisions with legal or similarly significant effects on data subjects.
18. Changes to This Policy
Repixa may update this Privacy Policy from time to time. The latest version will always be posted at repixa.io/privacy with an updated "Last Updated" date and version number.
For material changes — including changes to processing purposes, legal bases, subprocessors, or data subject rights — Repixa will provide customers with at least 30 days' advance written notice where practicable.
Continued use of the services after the effective date of any update constitutes acknowledgment of the revised Policy.
19. Contact Information
For all privacy-related inquiries, rights requests, complaints, or DPA requests:
Email: privacy@repixa.io
Website: https://repixa.io
Privacy Policy: repixa.io/privacy
DPA: repixa.io/dpa
Subprocessors: repixa.io/subprocessors
Repixa does not currently maintain a designated Data Protection Officer (DPO) or EU Article 27 Representative. All privacy inquiries — including those from EEA, UK, and Swiss residents — should be directed to privacy@repixa.io and will be handled promptly.