Privacy Policy

Repixa Inc.
Last Updated: March 3, 2026

Introduction & Identity of the Controller
Scope & Data Subject Categories
Our Role Under Data Protection Law
Information We Collect
Purpose & Legal Basis for Processing
AI Model Training & Improvement
Cookies & Tracking Technologies
Data Retention
Payment Processing
Subprocessors & Third-Party Services
International Data Transfers
Security Measures
Your Rights
California Privacy Rights (CCPA/CPRA)
Do Not Track
Children's Privacy
Automated Decision-Making & Profiling
Changes to This Policy
Contact Information

1. Introduction & Identity of the Controller

Repixa Inc. ("Repixa", "we", "our", "us") provides AI-powered automated demo execution and browser automation services for B2B businesses. This Privacy Policy explains how we collect, use, process, store, transfer, and protect personal data in connection with our website and platform.

Company	Repixa Inc.
Address	28 Geary St Suite 650-1680, San Francisco, CA 94108, United States
Email	privacy@repixa.io
Website	https://repixa.io

By using our services, you acknowledge the practices described in this Privacy Policy. Where required by applicable law, we will obtain your explicit consent before processing your personal data.

2. Scope & Data Subject Categories

This Privacy Policy applies to the following categories of individuals:

CustomersBusinesses and individuals who have contracted to use Repixa's platform directly.
Website Visitors Individuals who visit repixa.io or related Repixa web properties.
End Users / ProspectsThird-party individuals such as sales prospects who interact with Repixa AI agents during demo sessions initiated by our customers. These individuals have not directly contracted with Repixa. Their data is processed on behalf of our customers under the applicable Data Processing Agreement (DPA). Customers, acting as Data Controllers, are responsible for establishing a lawful basis for such processing and for directing Repixa's activities within the scope of the demo session.
Authorized Representatives Employees or agents acting on behalf of customer organizations.

3. Our Role Under Data Protection Law

Repixa operates in different legal capacities depending on the processing activity. The role is determined by the facts of each activity, not solely by contractual designation.

3.1 Where Repixa Acts as a Data Processor

When executing automated demo sessions on behalf of customers, Repixa acts as a Data Processor, processing personal data solely according to the documented instructions of the customer (Data Controller). Where required by applicable law or contractual arrangements, such processing may be governed by a Data Processing Agreement (DPA), which customers may request by contacting privacy@repixa.io.

3.2 Where Repixa Acts as a Data Controller

Repixa acts as an independent Data Controller, determining its own purposes and means for the following activities:

Account registration and management
Website usage analytics and cookie data
Security monitoring, abuse detection, and fraud prevention
Internal operational and infrastructure logs
De-identified or aggregated data used for product improvement and AI model development
Direct communications with customers about Repixa products and services
Legal, compliance, and regulatory obligations

For these activities, Repixa bears direct, independent data protection obligations regardless of any customer relationship.

3.3 Customer Responsibilities

Customers acting as Data Controllers are responsible for:

(a) directing Repixa's processing activities within the scope of the services provided;
(b) establishing and maintaining a lawful basis for processing prospect and end-user data before initiating demo sessions;
(c) complying with applicable data protection laws in their own jurisdiction.

These responsibilities are independent of and do not limit Repixa's own obligations as a Controller under Section 3.2.

4. Information We Collect

4.1 Account Information

Full name
Business email address
Company name and size
Login credentials (stored in hashed form)

4.2 Technical & Usage Information (collected as Controller)

IP address
Device type, browser type, and operating system
Session metadata and timestamps
Performance metrics and error logs
Referrer URLs and navigation paths

4.3 Demo & Interaction Data (collected as Processor, on behalf of customers)

During automated demo sessions, Repixa processes the following on behalf of the customer:

Browser automation logs and action execution records
Interaction history and session-level activity data
System-generated transcripts of conversations
Technical interaction metadata

This data may contain personal information relating to prospects. Processing is governed by the applicable DPA and conducted solely under customer instructions.

Separately, Repixa processes certain technical data derived from demo sessions in its capacity as Controller (e.g., for security monitoring and platform reliability), as described in Section 3.2.

4.4 Audio & Voice Data

If voice-enabled features are activated:

Voice input during demo sessions
Speech-to-text transcripts
Audio interaction metadata

Prior to any voice-enabled session, prospects are shown the following notice:

"By starting, you agree to our Privacy Policy & Terms. This session may be recorded."

This notice serves as an informational disclosure but is not relied upon as the sole or complete consent mechanism for all jurisdictions. Customers are independently responsible for satisfying voice and recording consent requirements in their jurisdiction and their prospects' jurisdiction, including, where applicable, California's Invasion of Privacy Act (Penal Code § 632) and equivalent state or national recording laws.

Repixa may process and store audio recordings for purposes such as live demo interaction, speech-to-text transcription, quality assurance, debugging, analytics, and customer-requested session replay functionality.

Repixa does not generate, store, or use voiceprints or other biometric identifiers derived from voice for the purpose of identifying individuals.

4.5 Data from Third-Party Sources (GDPR Article 14)

In certain cases, customers may provide Repixa with prospect information sourced from third parties or publicly available sources prior to a demo session (e.g., for session personalization). Repixa processes such data as a Data Processor on behalf of the customer. The customer, as Data Controller, is responsible for compliance with GDPR Article 14, which requires informing data subjects of processing not collected directly from them — including the data categories, purposes, legal basis, recipients, retention periods, and data source — within one month of collection or at the time of first contact with the data subject.

4.6 Website Usage Data (collected as Controller, with consent where required)

Page views and referrer information
Device and browser information
Geographic location at country/city level
Cookie and analytics data (see Section 7)

5. Purpose & Legal Basis for Processing

5.1 Where Repixa Acts as Controller

Personal Data	Purpose	Legal Basis
Account & contact data	Account creation and platform access	Contractual necessity (Art. 6(1)(b))
Account & contact data	Customer communications and support	Contractual necessity (Art. 6(1)(b))
Technical & usage data	Platform operation and reliability	Legitimate interests (Art. 6(1)(f))
Technical & usage data	Security monitoring and abuse prevention	Legitimate interests (Art. 6(1)(f))
IP address, device data	Website provision and response to requests	Legitimate interests (Art. 6(1)(f))
Analytics & cookie data	Website performance analysis	Consent (Art. 6(1)(a))
De-identified session data	AI model improvement and product development	Legitimate interests (Art. 6(1)(f))
All data types	Legal and regulatory compliance	Legal obligation (Art. 6(1)(c))
Contact information	Marketing communications (where opted in)	Consent (Art. 6(1)(a))

Note on Legitimate Interests: Where we rely on legitimate interests, we have assessed that our interests are not overridden by the rights and interests of the data subjects concerned. Data subjects may object to such processing at any time (see Section 13).

5.2 Where Repixa Acts as Processor (on behalf of customers)

When processing prospect and end-user data during demo sessions, the legal basis is determined and maintained by the customer as Data Controller. Repixa processes such data solely on customer instructions and applicable contractual arrangements.

6. AI Model Training & Improvement

When Repixa uses data to improve its AI systems, it acts as a Data Controller for that purpose. The following rules apply:

Identifiable customer and prospect data processed as a Data Processor is not used for AI model training unless: (a) it has been effectively anonymized or aggregated such that no individual can reasonably be re-identified, or (b) the customer has provided explicit written authorization.
Raw session transcripts, recordings, and personally identifiable interaction data are not used for model training without satisfying condition (a) or (b) above.
Data used for model improvement is subject to internal access controls, role-based permissions, and data minimization practices.
Repixa does not use customer or prospect data for third-party advertising purposes under any circumstances.
Enterprise customers may contact privacy@repixa.io to discuss data processing preferences or to opt out of the use of anonymized data derived from their sessions for model improvement.

7. Cookies & Tracking Technologies

Cookie Type	Purpose	Consent Required
Essential	Authentication, session management	No
Functional	User preferences (theme, language)	No
Analytics	Website usage analysis	Yes
Marketing	Not currently used	N/A

Non-essential cookies are activated only upon explicit user consent. Users may manage cookie preferences at any time via our cookie consent banner, "Cookie Settings" in the website footer, or browser-level settings.

Consent for analytics cookies may be withdrawn at any time without affecting prior lawful processing.

8. Data Retention

Data Category	Retention Period
Account data	Duration of active account + 90 days post-termination
Authentication and access logs	30 days
Session execution logs (technical)	30 days from session completion
Session transcripts (raw)	90 days from session completion, or until customer deletion
Session recordings (audio/video)	90 days from session completion, or until customer deletion
De-identified telemetry & analytics	12 months from collection
Cookie consent records	12 months
Legal and compliance records	As required by applicable law (typically 5–7 years)
Payment and billing records	As required by applicable tax and financial law

Data may be deleted upon verified request, subject to legal retention obligations. Customers may submit deletion requests for processor-mode data in accordance with applicable contractual arrangements and legal requirements.

9. Payment Processing

Repixa does not store, transmit, or process full payment card information on its own systems. Payment transactions are handled by industry-standard third-party payment processors that maintain PCI-DSS compliant environments. Repixa retains only limited non-sensitive billing and transaction metadata (such as transaction reference IDs, billing status, and invoice amounts) necessary for accounting, fraud prevention, customer support, and operational purposes.

10. Subprocessors & Third-Party Services

Repixa may engage carefully selected third-party service providers and subprocessors to support the delivery, operation, security, hosting, analytics, communications, AI functionality, storage, customer relationship management, and payment processing of its services.

All subprocessors are contractually required to:

process data only for authorized service-related purposes;
implement appropriate technical, organizational, and administrative security safeguards;
maintain confidentiality obligations regarding customer data; and
provide appropriate contractual protections consistent with applicable data protection laws.

Repixa’s subprocessors and service providers may include:

Railway (cloud infrastructure and hosting)
Vercel (application delivery and frontend hosting)
OpenAI (AI processing services)
Anthropic (AI processing services)
Deepgram (speech recognition and transcription services)
ElevenLabs (voice synthesis services)
Supabase (database and storage services)
Google Workspace (communications and productivity services)
HubSpot (customer relationship management and engagement services)
Stripe (payment processing and billing services)

Customer data processed by subprocessors may be transferred to or processed in the United States or other jurisdictions where Repixa or its service providers operate, subject to applicable contractual and legal safeguards.

Repixa may update its subprocessors from time to time as operational requirements evolve. Where required by applicable law or contractual obligations, Repixa will provide reasonable advance notice of material subprocessor changes.

11. International Data Transfers

Repixa is headquartered in the United States. Personal data may be transferred to and processed in countries that may not provide the same level of data protection as the data subject's country of residence.

Safeguards for EEA, UK, and Swiss Residents:

Where required, Repixa implements the following transfer mechanisms:

Standard Contractual Clauses (SCCs) as adopted by the European Commission
UK International Data Transfer Addendum (IDTA) where applicable
Transfer Impact Assessments (TIAs) conducted on a case-by-case basis for high-risk transfers

EU Representative (Article 27 GDPR):

Repixa does not currently maintain a designated EU representative. Repixa has assessed that its current processing of EEA personal data does not meet the threshold for mandatory Article 27 designation — specifically, it is not carried out on a large scale, does not involve special category data systematically, and does not involve regular monitoring of individuals in the EEA. Repixa will reassess this position as its EEA operations grow and will appoint a representative if and when required. EEA residents may direct inquiries to privacy@repixa.io.

12. Security Measures

Repixa implements appropriate technical and organizational measures to protect personal data, including:

Encryption in transit (TLS 1.2+) and at rest for stored data
Role-based access controls and principle of least privilege
Multi-factor authentication for internal systems
Security monitoring, alerting, and incident logging
Data minimization and pseudonymization practices
Vendor security assessments for all subprocessors
Staff confidentiality obligations and need-to-know access controls

No method of transmission or storage is 100% secure. In the event of a personal data breach likely to result in risk to the rights and freedoms of individuals, Repixa will:

Notify the relevant supervisory authority within 72 hours of becoming aware, where required by law
Notify affected data subjects by email without undue delay, where required by law
Document all breaches internally, regardless of notification obligation

13. Your Rights

13.1 Rights Under GDPR (EEA Residents)

Right	Article	Description
Right of Access	Art. 15	Obtain confirmation of processing and receive a copy of your data
Right to Rectification	Art. 16	Request correction of inaccurate or incomplete data
Right to Erasure	Art. 17	Request deletion where data is no longer necessary or consent is withdrawn
Right to Restriction	Art. 18	Request suspension of processing in certain circumstances
Right to Data Portability	Art. 20	Receive your data in a structured, machine-readable format
Right to Object	Art. 21	Object to processing based on legitimate interests or for direct marketing
Right to Withdraw Consent	Art. 7(3)	Withdraw consent at any time without affecting prior lawful processing
Right to Lodge a Complaint	Art. 77	Lodge a complaint with your national supervisory authority

To lodge a complaint with an EU supervisory authority, visit: https://edpb.europa.eu/about-edpb/about-edpb/members_en

To exercise any right: privacy@repixa.io
Response time: Within 30 days. In complex cases, up to 3 months with prior notification.

Important: Where Repixa processes your data as a Data Processor on behalf of a customer, rights requests relating to that data must be directed to the relevant customer (Data Controller). Repixa will assist customers in fulfilling such requests in accordance with the DPA.

13.2 Rights Under UK GDPR

UK residents have equivalent rights under the UK GDPR and Data Protection Act 2018. Complaints may be directed to the Information Commissioner's Office (ICO) at ico.org.uk.

13.3 Rights Under Swiss Law

Swiss residents have equivalent rights under the revised Federal Act on Data Protection (revFADP). Complaints may be directed to the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

14. California Privacy Rights (CCPA/CPRA)

The CCPA/CPRA applies to businesses meeting specific thresholds: annual gross revenues exceeding $26.625 million, processing personal information of 100,000 or more California residents or households annually, or deriving 50% or more of annual revenues from selling or sharing personal information.

To the extent Repixa meets these thresholds, California residents have the following rights:

Right	Description
Right to Know	Request disclosure of categories and specific pieces of personal information collected, used, or disclosed
Right to Delete	Request deletion of personal information, subject to legal exceptions
Right to Correct	Request correction of inaccurate personal information
Right to Opt Out	Repixa does not sell or share personal information as defined under CCPA/CPRA
Right to Limit	Limit use of sensitive personal information where applicable
Right to Non-Discrimination	Repixa will not deny or degrade service for exercising CCPA/CPRA rights

Even where statutory thresholds do not currently apply, Repixa voluntarily extends these rights to California residents as part of its commitment to privacy.

To exercise California rights: privacy@repixa.io

15. Do Not Track

Repixa does not currently respond to browser-based "Do Not Track" (DNT) signals, as no uniform industry standard for DNT compliance exists. This Policy will be updated if our practices change.

16. Children's Privacy

Repixa's services are directed exclusively at business users and are not intended for individuals under the age of 16. Repixa does not knowingly collect personal information from children under 16. If we become aware that personal information of a minor has been collected, we will take prompt steps to delete it.

To report a concern: privacy@repixa.io

17. Automated Decision-Making & Profiling

Repixa does not subject individuals to decisions based solely on automated processing — including profiling — that produce legal effects or similarly significant effects, unless:

(a) it is necessary for entering into or performing a contract;
(b) it is authorized by applicable law; or
(c) the individual has given explicit consent.

Where automated processing occurs within demo sessions (e.g., AI agent responses), such processing is conversational and assistive in nature and does not produce decisions with legal or similarly significant effects on data subjects.

18. Changes to This Policy

Repixa may update this Privacy Policy from time to time. The latest version will always be posted at repixa.io/privacy with an updated "Last Updated" date and version number.

For material changes, including changes to processing purposes, legal bases, subprocessors, or data subject rights, Repixa will provide customers with at least 30 days' advance written notice where practicable.
Continued use of the services after the effective date of any update constitutes acknowledgment of the revised Policy.

19. Contact Information

For all privacy-related inquiries, rights requests, complaints, or DPA requests:
Email: privacy@repixa.io
Website: https://repixa.io
Repixa Inc.
28 Geary St, Suite 650-1680
San Francisco, CA 94108
United States

Table of Contents