Privacy Policy
What we collect about visitors, what we don't collect, how we use and share it, how long we keep it, and the rights you have over it.
Introduction and Scope
This Privacy Policy explains how Bixel, Inc. (“Bixel,” “we,” “our,” or “us”) collects, uses, shares, and protects personal information when you visit bixel.com, create an account, subscribe to emails, or otherwise interact with our services (together, the “Service”). It applies to information we collect through the Service, through direct correspondence with you, and through limited third-party sources used to operate the Service.
It does not apply to our crawling of publicly accessible web pages. Our crawler, BixelBot, reads public HTML and does not collect information about individuals visiting those pages. See Section 10 for detail, and see /bot for the crawler’s full posture.
By using the Service you acknowledge that your personal information will be processed as described in this Policy. If you do not agree, please do not use the Service.
Information We Collect
We collect three categories of information:
Information you provide
- Account data. Email address, display name, password hash (via Supabase Auth), and optional profile fields. Required to create and maintain an account.
- Subscription email. Email address provided to newsletter, waitlist, and saved-item features. Used only for the purpose you submitted it.
- Billing data. Billing name, address, and the last four digits and expiration of your payment method. Full card numbers are handled by our payment processor and never reach our servers.
- Support correspondence. Messages you send to any of our mailboxes, including attachments and metadata, for as long as the conversation remains operationally relevant.
- Opt-out submissions. Domains submitted to the crawler opt-out form, plus the contact email and reason you optionally provide, logged with a timestamp and the submitting IP.
Information collected automatically
- Server logs. IP address, User-Agent, request path, referer, timestamp, and response status. Retained per Vercel defaults. Used for abuse prevention, security, and debugging.
- Analytics. Aggregate page views, load times, and device class via Vercel Analytics and Speed Insights. No cookies, no fingerprinting, no cross-site tracking.
- Session cookies. A Supabase Auth session token set only after you sign in. Stored in a secure, HTTP-only cookie. Expires at sign-out or at session TTL, whichever is earlier.
- Approximate location. Country and rough region inferred from IP address for latency routing and abuse defense. No precise geolocation is requested or stored.
Information from third parties
- Payment processor. Our payment processor (currently Stripe) confirms successful or failed charges and returns tokenized references to your payment method.
- Email provider. Our email provider (currently Resend) reports delivery events, bounces, and unsubscribe confirmations for email we send.
- Abuse-signal providers. We may consult IP-reputation and abuse-feedback services to identify credential-stuffing or mass-signup attempts.
Cookies and Tracking Technologies
We use a deliberately small number of cookies and similar technologies. They fall into two categories:
- Strictly necessary. Session cookies that keep you signed in after authentication, CSRF tokens, and security cookies. These are required for the Service to function and cannot be turned off from within the Service. You can still block them at the browser level; the Service may stop working if you do.
- Analytics. Vercel Analytics collects aggregate, cookieless performance data. No third-party advertising cookies or cross-site trackers are used.
We do not embed third-party advertising pixels, social-media trackers, or data-broker tags on bixel.com.
How We Use Information
We use the information described above to:
- Operate, maintain, and improve the Service.
- Authenticate you, provide customer support, and respond to requests you send us.
- Deliver transactional email, including account confirmations, password resets, receipts, and important product notices.
- Deliver marketing email to subscribers who have opted in, and honor unsubscribes promptly.
- Detect, investigate, and prevent abuse, fraud, unauthorized activity, and violations of our Terms of Service.
- Conduct product research and analytics to understand how the Service is used, in aggregate, and to inform feature decisions.
- Comply with legal obligations, enforce our agreements, and protect our legal rights and the rights and safety of others.
We do not use personal information to train general-purpose machine-learning models. We do not sell or rent personal information.
Legal Bases (EEA, UK, and Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, our processing of your personal data relies on one of the following legal bases under the General Data Protection Regulation and the UK GDPR:
- Contract. Processing necessary to provide the Service you requested, such as operating your account or fulfilling a paid subscription. Art. 6(1)(b) GDPR.
- Legitimate interest. Processing necessary to secure the Service, prevent abuse, measure performance in aggregate, and develop our product. We weigh these interests against your rights and freedoms. Art. 6(1)(f) GDPR.
- Consent. Processing based on your consent, such as sending you marketing email after opt-in. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Art. 6(1)(a) GDPR.
- Legal obligation. Processing necessary to comply with applicable law, court orders, and lawful requests from public authorities. Art. 6(1)(c) GDPR.
How We Share Information
We share personal information only in the following circumstances:
- Service providers. With vendors who process data on our behalf under contractual confidentiality and data-protection obligations, including hosting, authentication, payments, email delivery, analytics, and error monitoring. A current list is maintained in Section 15.
- Legal compliance. When we believe in good faith that disclosure is necessary to comply with applicable law, legal process, or a government request; to enforce our Terms of Service; or to protect the rights, property, or safety of Bixel, our users, or others.
- Business transfers. In connection with a merger, acquisition, financing, due diligence, or sale of all or part of our assets, subject to the continued application of this Policy or equivalent protections.
- With your direction. When you explicitly request or authorize a specific disclosure, such as connecting a third-party integration.
- Aggregate data. We may publish or share information that has been aggregated or de-identified such that it cannot reasonably be used to identify you.
We do not sell personal information and do not share it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.
International Data Transfers
Bixel is operated from the United States. When you use the Service from outside the United States, your personal information is transferred to and processed in the United States and in other countries where our service providers operate. Data-protection laws in those countries may differ from those in your country of residence.
Where required, transfers out of the EEA, UK, or Switzerland are made under approved transfer mechanisms, including the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, and we apply supplementary technical and organizational measures as appropriate.
Data Retention
We retain personal information only as long as necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.
- Server logs. Vercel default retention. Short.
- Account data. For the life of your account. Deleted within thirty (30) days of account closure, except where retention is required for fraud prevention, legal claims, or tax records.
- Email addresses. Until you unsubscribe or request deletion. Unsubscribe suppression lists are retained to honor your choice.
- Auth sessions. Until expiry or sign-out.
- Billing records. Seven (7) years, as required for tax and accounting compliance.
- Support correspondence. Up to twenty-four (24) months after the conversation is closed.
- Opt-out records. Indefinitely, so we can continue to honor the opt-out.
- Crawl data. Indefinitely, as part of the cross-company reference dataset. The dataset describes companies and their publicly-visible characteristics, not individuals. Companies can claim their profile to review and control what appears, and operators may opt out at any time via /bot.
Security
We take reasonable and appropriate administrative, technical, and organizational measures designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These include encryption in transit, encryption at rest for sensitive stores, access controls, audit logging, principle-of-least-privilege policies, vendor review, and employee training.
No system is perfectly secure. If you believe your account has been compromised, or if you identify a vulnerability, contact security@bixel.com. We operate a coordinated-disclosure policy and will respond in good faith.
Data About Crawled Domains
Bixel’s Dataset describes companies and their public-facing web pages. When BixelBot reads a page, it captures the HTML response and the structured observations we organize from it. We do not collect data about people visiting those pages and we do not correlate such visitors with our users.
If you operate a site included in our Dataset and want it removed, the opt-out form at /bot is the fastest path. You can also address robots.txt to BixelBot directly, and we will honor the directive on the next fetch. The crawler’s posture is documented in full at /bot.
Your Rights
Subject to applicable law, you have the rights described below. Some are available to residents of specific jurisdictions, as noted. To exercise any right, email privacy@bixel.com. We may need to verify your identity before acting on a request, typically by confirming access to the email associated with your account.
Everyone
- Access. Request a copy of the personal information we hold about you.
- Correction. Ask us to correct inaccurate or incomplete information.
- Deletion. Ask us to delete your personal information, subject to exceptions for legal, security, and accounting retention.
- Unsubscribe. Opt out of marketing email at any time via the unsubscribe link in each email.
EEA, UK, and Switzerland (GDPR)
- Restrict or object to processing based on legitimate interest.
- Receive personal data you provided in a portable format and transmit it to another controller where technically feasible.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local data-protection authority. We would appreciate the chance to address your concern first via privacy@bixel.com.
California (CCPA / CPRA)
- Right to know the categories and specific pieces of personal information we have collected, the sources, purposes, and categories of third parties with whom we share it.
- Right to delete personal information, subject to statutory exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of “sale” or “sharing” of personal information. We do not sell or share personal information as defined by the CCPA.
- Right to limit the use of sensitive personal information. We do not use or disclose sensitive personal information for purposes that would trigger the right to limit under the CPRA.
- Right not to be discriminated against for exercising these rights.
If an authorized agent submits a request on your behalf, we will require written proof of authorization and may verify your identity directly.
Other U.S. states
Residents of other U.S. states with comprehensive privacy statutes, including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and others as those laws come into force, have rights similar to those listed above. We honor those rights on the same terms, to the extent applicable law requires.
Children's Privacy
The Service is not directed to children under thirteen (13), and we do not knowingly collect personal information from children under thirteen. If you believe a child under thirteen has provided personal information to us, contact privacy@bixel.com and we will promptly investigate and delete the information where appropriate.
Do Not Track and Global Privacy Control
Different browsers offer different privacy controls. Because there is no industry-wide standard for how to interpret “Do Not Track” signals, we do not respond to them. We do honor the Global Privacy Control (GPC) signal for the limited purpose of opting you out of any activity that would constitute a “sale” or “sharing” under the CCPA. Because we do not sell or share personal information as defined by the CCPA, the GPC signal has no additional effect on our processing.
Third-Party Links
The Service contains links to third-party websites, documents, and screenshots of third-party pages captured for evidentiary purposes. Those third parties operate under their own privacy policies and security practices. We do not control and are not responsible for those third parties.
Sub-Processors and Service Providers
We use a small number of service providers to operate the Service. Each operates under a data-processing agreement and uses personal information only for the purposes described below.
- AWS. Crawler infrastructure (compute and static egress IP for BixelBot). United States.
- Vercel. Application hosting, edge delivery, logging, and analytics. United States.
- Supabase. Database and authentication. United States.
- Resend. Transactional and marketing email delivery.
- Stripe. Payment processing for paid tiers, if and when offered.
This list is maintained in good faith and updated as vendors change. For a current list with data-processing-addendum references, contact privacy@bixel.com.
Data Breach Notification
If we determine that a personal-information breach has occurred and is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and, where required, notify the appropriate supervisory authority within the timelines set by applicable law.
Changes to This Policy
We may revise this Policy from time to time. Material changes are announced on this page with an updated “Last revised” date and, where reasonable, by email to active subscribers or by in-product notice. Minor editorial changes that do not affect your rights are made without separate notice. Your continued use of the Service after a revision becomes effective indicates your acceptance of the revised Policy.
Contact
- Privacy: privacy@bixel.com
- Security: security@bixel.com
- Bot questions: bot-abuse@bixel.com
- Response time: Two weeks for formal rights requests. Two business days for most operational questions.