Privacy Policy

FixRep SAS

Effective date: March 29, 2026

1. Introduction

This Privacy Policy describes how FixRep SAS ("FixRep", "we", "us", or "our") collects, uses, stores, and shares personal data in connection with the FixRep platform (the "Service"). FixRep is a software-as-a-service platform that collects publicly available online reviews and generates AI-powered response suggestions for plumbing contractors.

We are committed to protecting your privacy and processing personal data in compliance with Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR") and applicable French data protection legislation, including the amended Loi Informatique et Libertés of January 6, 1978.

By using our Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for the processing of your personal data is:

FixRep SAS

Registered in France

Email: privacy@fixrep.nanocorp.app

For any questions or requests regarding the processing of your personal data, you may contact us at the email address above.

3. Categories of Personal Data Collected

3.1 Account Data

When you create an account on FixRep, we collect:

• Full name and surname
• Email address
• Password (stored in hashed form)
• Business name, address, and contact details of your plumbing company
• Phone number (if provided)

3.2 Payment Data

When you subscribe to a paid plan, payment is processed by our payment processor, Stripe, Inc. We do not store your full credit card number. We may receive and store:

• Last four digits of your payment card
• Card type and expiration date
• Billing address
• Stripe customer identifier
• Transaction history and invoice records

3.3 Publicly Available Review Data

In the course of providing the Service, we collect publicly available review data from third-party platforms, including Google Maps and Yelp. This data may include:

• Reviewer display names or pseudonyms
• Review text content
• Star ratings or scores
• Dates and timestamps of reviews
• Reviewer profile identifiers visible on the public platform

This data is publicly accessible on the source platforms and is collected solely to enable the core functionality of the Service.

3.4 AI-Generated Response Content

We store the AI-generated rebuttal drafts and response suggestions created through the Service, including:

• Generated response text
• Associated review references
• User edits and customizations to generated content
• Generation timestamps and parameters

3.5 Usage and Analytics Data

When you use the FixRep dashboard, we automatically collect:

• IP address
• Browser type and version
• Operating system
• Pages viewed and features used within the Service
• Session duration and frequency of use
• Referral source
• Device identifiers

3.6 Cookie Data

We use cookies and similar tracking technologies on our website and dashboard. For details, please refer to Section 12 (Cookie Policy) below.

4. Legal Bases for Processing

We process personal data on the following legal bases under Article 6(1) of the GDPR:

4.1 Performance of a Contract (Article 6(1)(b))

We process your account data and service-related data as necessary for the performance of the contract between you and FixRep, including:

• Creating and managing your account
• Providing the review monitoring and AI response generation service
• Processing your subscription and delivering the features of your chosen plan
• Communicating with you about your account and the Service

4.2 Legitimate Interest (Article 6(1)(f))

We process publicly available review data on the basis of our legitimate interest in providing our Service. Specifically:

• Scraping of publicly available reviews: The collection and analysis of reviews that are publicly posted on Google Maps and Yelp constitutes a legitimate interest for FixRep and its customers. These reviews are already publicly accessible to anyone, and our processing does not adversely affect the reasonable expectations of the reviewers who chose to publish their opinions publicly. We have conducted a balancing test to ensure that this processing does not override the fundamental rights and freedoms of the data subjects concerned.
• Fraud prevention and security: Protecting the Service and our users against fraud, abuse, and security threats.
• Service improvement: Analyzing usage patterns to improve the quality and functionality of the Service.

4.3 Consent (Article 6(1)(a))

We rely on your consent for:

• The use of non-essential cookies and tracking technologies
• Sending marketing communications and newsletters
• Any other processing activity for which consent is specifically requested

You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

4.4 Legal Obligation (Article 6(1)(c))

We process certain data to comply with legal obligations, including:

• Retention of invoices and payment records as required by French commercial and tax law
• Responding to lawful requests from judicial or administrative authorities
• Compliance with applicable anti-money laundering regulations

5. Data Recipients and Third-Party Sharing

We share personal data with the following categories of recipients, strictly to the extent necessary for the purposes described in this Privacy Policy:

5.1 Stripe, Inc.

Payment processing is handled by Stripe, Inc. Stripe receives your payment data to process transactions, manage subscriptions, and issue invoices. Stripe acts as an independent data controller for payment data. For more information, see Stripe's Privacy Policy.

5.2 OpenAI / Anthropic

AI-generated response content is produced using large language model services provided by OpenAI, L.L.C. and/or Anthropic, PBC. Review data and contextual information are transmitted to these providers to generate response suggestions. These providers act as data processors and process data in accordance with their data processing agreements with FixRep. We do not use API configurations that allow these providers to train their models on your data.

5.3 Vercel, Inc.

Our Service is hosted on infrastructure provided by Vercel, Inc. Vercel processes data as a data processor on our behalf in the course of hosting and delivering the Service.

5.4 Google / Yelp

FixRep accesses publicly available review data from Google Maps (operated by Google LLC) and Yelp (operated by Yelp Inc.). These platforms are the public sources from which review data is collected. FixRep does not transmit your personal account data to these platforms.

5.5 Other Recipients

We may also share data with:

• Professional advisors (legal counsel, accountants, auditors) under obligations of confidentiality
• Competent authorities when required by law or valid legal process
• A successor entity in the event of a merger, acquisition, or sale of all or substantially all of our assets, subject to this Privacy Policy continuing to apply

We do not sell personal data to third parties.

6. International Data Transfers

Some of our data processors, including Stripe, OpenAI, Anthropic, and Vercel, are established in the United States. When personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): We rely on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the primary transfer mechanism for personal data transferred to the United States.
• Supplementary measures: Where necessary, we implement additional technical and organizational measures to ensure an adequate level of protection, in line with the recommendations of the European Data Protection Board (EDPB).
• EU-U.S. Data Privacy Framework: Where applicable, we may also rely on the adequacy decision for transfers to certified entities under the EU-U.S. Data Privacy Framework.

You may obtain a copy of the applicable transfer safeguards by contacting us at privacy@fixrep.nanocorp.app.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to applicable legal obligations:

At the end of the applicable retention period, personal data is securely deleted or anonymized.

8. Your Rights Under the GDPR

Under the GDPR (Articles 15 to 22), you have the following rights with respect to your personal data:

8.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to receive a copy of that data along with information about the processing.

8.2 Right to Rectification (Article 16)

You have the right to request the correction of inaccurate personal data concerning you and to have incomplete data completed.

8.3 Right to Erasure (Article 17)

You have the right to request the deletion of your personal data where, among other grounds, the data is no longer necessary for the purposes for which it was collected, you withdraw your consent, or the data has been unlawfully processed. This right is subject to applicable legal retention obligations.

8.4 Right to Restriction of Processing (Article 18)

You have the right to request the restriction of processing of your personal data in certain circumstances, including where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate grounds.

8.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where the processing is based on consent or contract and is carried out by automated means.

8.6 Right to Object (Article 21)

You have the right to object, on grounds relating to your particular situation, to processing based on our legitimate interests (Article 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You have an absolute right to object to processing for direct marketing purposes at any time.

8.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. FixRep does not currently make solely automated decisions of this nature. The AI-generated responses produced by the Service are suggestions that require human review before use.

9. How to Exercise Your Rights

To exercise any of the rights described above, please contact us at:

Email: privacy@fixrep.nanocorp.app

Please include sufficient information to allow us to verify your identity (your name and the email address associated with your FixRep account). We will respond to your request within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests.

If you are not satisfied with our response, you may exercise your right to lodge a complaint with the relevant supervisory authority (see Section 10).

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. As FixRep is established in France, the competent authority is:

Commission Nationale de l'Informatique et des Libertés (CNIL)

3 Place de Fontenoy, TSA 80715

75334 Paris Cedex 07, France

Website: https://www.cnil.fr

You may also lodge a complaint with the supervisory authority of the EU Member State in which you reside or work, or in which the alleged infringement took place.

11. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption of data in transit (TLS) and at rest
• Access controls and authentication mechanisms
• Regular security assessments and monitoring
• Employee confidentiality obligations and data protection training

No method of transmission or storage is completely secure. If you become aware of any security incident, please notify us immediately at privacy@fixrep.nanocorp.app.

12. Cookie Policy

FixRep uses cookies and similar technologies on its website and dashboard. Cookies are categorized as follows:

• Strictly necessary cookies: Required for the operation of the Service (e.g., session management, authentication). These cookies are placed without consent as they are essential to provide the Service.
• Analytics cookies: Used to understand how users interact with the Service and to improve its functionality. These cookies are placed only with your prior consent.
• Marketing cookies: Used to deliver relevant communications and measure the effectiveness of our marketing campaigns. These cookies are placed only with your prior consent.

You can manage your cookie preferences at any time through the cookie banner presented on our website, or through your browser settings. Withdrawal of consent for non-essential cookies does not affect the lawfulness of processing that occurred before withdrawal.

13. Children's Data

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@fixrep.nanocorp.app so that we can promptly delete it.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email or through a prominent notice on the Service prior to the changes taking effect.

We encourage you to review this Privacy Policy periodically. The "Effective date" at the top of this document indicates when the latest version took effect.

15. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact:

FixRep SAS

Email: privacy@fixrep.nanocorp.app

This Privacy Policy is effective as of March 29, 2026.