PixediOtto
Draft.This document is a working version intended to communicate Pixedi's practices and obligations clearly. It has not yet been finalized by counsel. Pixedi will publish a counsel-reviewed version before live billing opens to non-internal customers.

Privacy Policy

Version v1.0.0-draft · Effective 2026-04-29

1. Who we are

Pixedi is operated by Pixedi Digital Agency, a Turkish entity. This Privacy Policy describes what Pixedi collects, how it flows, why it is collected, who it is shared with, and how long it is kept. Words like “we,” “us,” and “Pixedi” mean the operator; “Customer” means the business that subscribes to Pixedi; “end-visitor” means a person who interacts with the Pixedi widget on the Customer’s site.

2. What we collect

From Customers (account data): business name, owner full name, email, password (stored as a one-way hash), billing address and tax identifiers when provided to Stripe, and an IP address and user-agent captured at signup for fraud-prevention and clickwrap evidence.

From end-visitors (widget data): the content of conversations the end-visitor has with the Pixedi widget; any contact details the end-visitor chooses to share (typically name, email, phone); the IP address and user-agent of the request; the page URL the widget was embedded on; and timestamps. Voice conversations are streamed to OpenAI for real-time inference and a transcript is retained.

Operational telemetry: aggregate metrics about widget load times, conversation length, and tool-use latency, used to monitor service health.

3. Why we collect it

Account data is used to provision the Customer’s tenant, authenticate logins, deliver the service, send service emails (renewal reminders, security alerts), and bill the subscription.

Widget data is processed on the Customer’s behalf to power conversations with end-visitors and to surface captured leads back to the Customer in their dashboard. We do not sell widget data and we do not use widget data to train Pixedi’s own models.

4. Sub-processors

We rely on a small set of third-party services to run Pixedi. Each is bound by its own privacy and security commitments; we engage them under their published Data Processing Addenda where applicable.

Supabase (United States and EU regions) — managed Postgres database and authentication. Stores account data, widget conversations, and lead records.

OpenAI (United States) — large language model inference for text and voice conversations. End-visitor messages and our system prompts are sent over HTTPS for real-time response.

Stripe (United States and EU regions) — payment processing, subscription management, and tax computation. Card data is collected and stored by Stripe; Pixedi receives a token, not the card number.

Vercel (United States) — application hosting and CDN. Serves the dashboard, the widget script, and the API routes.

Cloudflare (global) — bot mitigation (Turnstile) and DDoS protection in front of public endpoints.

Resend (planned, United States) — transactional email delivery for confirmation and renewal emails. Currently not yet active.

5. International data transfers

Because our sub-processors operate in the United States and EU, end-visitor and Customer data crosses jurisdictions. We rely on each sub-processor’s standard contractual clauses or equivalent transfer mechanism. If you operate Pixedi for end-visitors located in jurisdictions with stricter rules (for example the EEA, UK, California), it is the Customer’s responsibility to surface a notice on its own site and obtain end-visitor consent where required by local law.

6. Retention

Account data is retained for the life of the account and for a reasonable period after closure for tax, billing, and dispute purposes — typically up to ten years where required by Turkish accounting law.

Widget data (conversations, leads) is retained as long as the Customer’s account is active. On account closure, widget data is deleted within 30 days unless the Customer has requested an export.

Audit logs (security and billing events) are retained for at least one year and may be retained longer to meet our chargeback-evidence and compliance obligations.

7. Your rights

Customers can update their account details from the dashboard, change their password, and cancel the subscription per the Terms of Service. End-visitors should direct data-subject requests (access, deletion, correction) to the Customer that operates the widget on the site they visited; the Customer is the controller of the conversation. Pixedi will assist Customers in fulfilling those requests in a reasonable manner.

Where a request is sent directly to Pixedi about widget data and we cannot identify the relevant Customer, we may decline the request and direct the requester to the site they visited.

8. Cookies and tracking

The dashboard uses session cookies for authentication. The widget itself does not write cross-site tracking cookies; it uses ephemeral browser storage (sessionStorage) to keep a conversation session alive between page loads.

9. Children

Pixedi is sold for commercial and professional use. The widget is not designed for, and should not be deployed on, services directed at children under 13. Customers are responsible for not embedding Pixedi on services that target children.

10. Security

We follow standard practices: TLS in transit, encryption at rest for managed databases, role-based access for our internal team, audit logging of admin actions, and incident response. No service is perfectly secure; if you discover a vulnerability please email security@pixedi.com.

11. Changes

We may update this Privacy Policy from time to time. The version and effective date at the top of this page reflect the current text. Material changes will be communicated with at least 30 days’ notice to active Customers by email.

12. Contact

Questions about this policy can be sent to privacy@pixedi.com. Pixedi’s Turkish address is published with the e-Arşiv invoices it issues.