Privacy Policy

Fixt is a privacy-focused keyboard for iOS and Android that helps people communicate more intentionally, particularly in emotionally charged conversations. As you type, an on-device natural language model evaluates the emotional tone of your message and provides a subtle visual signal. When you choose, Fixt can also generate an AI-assisted rewrite of a message, so you can revise the tone without losing your meaning. Fixt is designed so that the analysis of what you type happens on your device, and so that the text of your messages is never logged, stored on our servers, or used to train artificial intelligence models.

This Privacy Policy applies to all users of the Service, regardless of location, and is supplemented by jurisdiction-specific disclosures (California, EEA/UK/Switzerland, and other U.S. states) below. By installing, accessing, or using the Service, you acknowledge that you have read and understood this Privacy Policy.

We recommend reading this policy alongside our in-app privacy disclosures and any consent prompts shown to you during onboarding. Where there is any conflict between this policy and a more specific notice given to you at the time of data collection, the more specific notice controls for that particular use of your data.

Fixt is the operator of the Service and acts as the “data controller” under the EU General Data Protection Regulation (“GDPR”) and the UK GDPR, and as the “business” under the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”), with respect to the personal information described in this policy. This means Fixt determines the purposes and means of processing your personal information.

For any privacy-related inquiry, including to exercise the rights described in this policy, please contact us at timeli2026@gmail.com. Fixt is a small organization and has not formally appointed a Data Protection Officer because our core activities do not require one under Article 37 of the GDPR. The contact above is the appropriate channel for all data-protection matters and will be answered by a person with authority to act on your request.

To make this policy easier to read, the following capitalized terms have the meanings given below.

Fixt runs as a custom keyboard extension on your iPhone or Android device. When you type in a text field where Fixt is the active keyboard, an on-device natural language model evaluates the emotional tone of your draft message in real time. This analysis is performed entirely on your device using a model that is bundled with the app. Your message text is not sent to our servers, to any third-party server, or to any AI provider for tone scoring.

If the on-device model detects elevated emotional tone, Fixt displays a subtle visual signal so you can choose whether to revise. You may also choose to request an AI-generated rewrite suggestion. Only in that specific case, and only with your explicit prior consent, does the current draft text leave your device. The narrow flow for AI rewrites is described in the “Third-party services” section below.

The Fixt keyboard cannot read messages in other apps, your conversation history, your contacts, your photos, your location, or any data outside the active text field you are currently typing in. Fixt does not log keystrokes.

We collect only the information we need to provide and improve the Service. The categories below describe what we collect, why we collect it, and how we collect it. We do not collect any personal information that is not described in this section.

For purposes of the California Consumer Privacy Act, the table below identifies which of the statutory categories of personal information we collect about consumers, the sources from which we collect each category, the business and commercial purposes for which we collect it, and the categories of third parties to which we disclose it for business purposes. We do not sell or share personal information for cross-context behavioral advertising.

Fixt does not knowingly collect, use, or disclose “sensitive personal information” as that term is defined under the CCPA or “special categories of personal data” under the GDPR (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation).

Because we do not collect sensitive personal information, we do not use or disclose it for any purpose that would trigger a right to limit its use or disclosure under California law.

We use the personal information described above for the following purposes:

• To provide the Service. Authenticating you, syncing your subscription, displaying your personal history, and generating AI rewrites that you request.
• To improve the Service. Diagnosing crashes and performance issues, understanding which features are used (in aggregate), and making informed product decisions. We do not use the text of your messages for any improvement purpose.
• To communicate with you. Sending account, security, billing, and other transactional emails; responding to your support requests; notifying you of material changes to this policy.
• To protect the Service and our users. Detecting and preventing fraud, abuse, security incidents, and violations of our terms.
• To comply with legal obligations. Including tax, accounting, and law enforcement obligations in jurisdictions where we operate.

We do not use your information for advertising, profiling for marketing purposes, or any purpose materially different from what is described above without first notifying you and, where required, obtaining your consent.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following lawful bases under Article 6 of the GDPR (and equivalent provisions of the UK GDPR) to process your personal information:

• Performance of a contract (Art. 6(1)(b)): to create and maintain your account, to provide the Service you have subscribed to, and to deliver requested rewrite suggestions.
• Consent (Art. 6(1)(a)): for optional features such as transmitting message text to our AI provider for rewrite suggestions, and for any optional analytics that require consent under local law. You may withdraw your consent at any time without affecting the lawfulness of prior processing.
• Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent abuse, debug failures, conduct aggregate analytics that do not include message text, and improve the Service. Where we rely on legitimate interests, we have balanced our interests against your rights and freedoms and have concluded that our processing does not override them. You may object to such processing as described under “Your privacy rights” below.
• Compliance with legal obligations (Art. 6(1)(c)): to meet our obligations under applicable law, including tax, accounting, and consumer protection law.

Fixt uses automated language models in two distinct ways. Because we want you to understand how each works and the controls available to you, we describe them separately.

We rely on a small number of carefully selected service providers to operate the Service. Each one is bound by a written data processing agreement that requires them to process your information only on our instructions, to apply appropriate security safeguards, and to assist us in honoring your rights. The list below is current as of the effective date of this policy.

We may engage additional service providers in the future. When we do, we will update this list and, where required by law, notify you in advance of any material change.

The Fixt mobile applications do not use browser cookies. They use a minimal amount of on-device storage (such as the iOS Keychain and Android Keystore) to remember your authentication state and your in-app preferences. This storage is local to your device.

Our marketing website uses only strictly necessary cookies and similar technologies required to deliver the site and to remember your preferences. We do not use advertising cookies, third-party tracking pixels, or cross-site tracking technologies. If we add any analytics cookies in the future, we will request your consent in advance where required by law.

We retain personal information only for as long as is necessary for the purposes for which it was collected, including to provide the Service to you, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. The general criteria we apply to determine retention periods are:

• the nature and sensitivity of the data;
• the purpose for which we hold it and whether we can achieve that purpose with less data or for a shorter period;
• any minimum retention period required by law (for example, tax and accounting records); and
• whether you have requested deletion.

Fixt is built around the principles of privacy by design and data minimization: we collect only the information we need to deliver the Service, we keep sensitive content (like the text of your messages) on your device by default, and we apply the least permissive access controls compatible with operating the Service. We apply industry-standard administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, accidental loss, alteration, or disclosure. These include:

• Encryption in transit. All data exchanged between your device and our servers is protected with TLS 1.2 or higher.
• Encryption at rest. Data stored in our database is encrypted using AES-256 through our managed infrastructure provider.
• Access control. Production systems are accessible only to a small number of authorized personnel, and all access is logged.
• On-device design. Because message text never leaves your device for tone analysis, the most sensitive data simply cannot be compromised through our servers.
• Vendor due diligence. Each of our service providers is bound by a written data processing agreement with appropriate security obligations.

No security measure is perfect, and we cannot guarantee that our safeguards will be effective against every threat. If a data breach affects your personal information, we will notify you and the appropriate supervisory authorities without undue delay and in accordance with the timeframes required by applicable law — including within 72 hours of becoming aware of the breach under Article 33 of the GDPR (and the UK GDPR), within 30 calendar days of discovery for affected California residents under California Civil Code § 1798.82 (as amended by SB 446 effective January 1, 2026), as soon as feasible under Canada’s PIPEDA where there is a real risk of significant harm, within the timeframes set by Australia’s Notifiable Data Breaches scheme, and as required by equivalent laws in Brazil (LGPD), Japan (APPI), South Korea (PIPA), India (DPDP), and other jurisdictions where you reside.

Fixt is operated from the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States by us, and in other countries by our service providers (including Anthropic, Supabase, RevenueCat, Apple, Google, and Vercel). Data protection laws in those countries may differ from the laws of your country.

Where personal information is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the relevant authority, we rely on appropriate safeguards as required by Article 46 of the GDPR. In practice, this means we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum or UK International Data Transfer Agreement where applicable), supplemented by additional technical and contractual measures where appropriate. You may request a copy of the safeguards we use by contacting us at the email below.

Subject to applicable law and to verification of your identity, you have the rights set out below with respect to the personal information we hold about you. The rights available to you depend on where you live; the jurisdiction-specific sections that follow this one describe additional rights for residents of California, the EEA, the UK, and Switzerland, and residents of other U.S. states with comprehensive privacy laws.

To exercise any of these rights, please email timeli2026@gmail.com. We will respond within the time frame required by applicable law (generally 30 days under the GDPR and 45 days under the CCPA), and we will not charge you a fee unless your request is manifestly unfounded or excessive. To protect your information, we may need to verify your identity before fulfilling certain requests.

You will never be discriminated against for exercising any of your privacy rights. We will not deny you the Service, charge you a different price, or provide you a different level or quality of service because you exercised a right under this policy.

In addition to the rights described above, California residents have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

• Right to know. To request that we disclose the categories of personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting it, the categories of third parties to whom we have disclosed it, and the specific pieces of personal information we have collected about you.
• Right to delete. To request that we delete the personal information we have collected from you, subject to certain exceptions (for example, to complete a transaction or comply with law).
• Right to correct. To request that we correct inaccurate personal information that we hold about you.
• Right to opt out of sale and sharing. California gives you the right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising. We do not sell or share personal information, and so there is nothing to opt out of. We have not sold or shared personal information about California residents in the preceding 12 months.
• Right to limit use of sensitive personal information. We do not use or disclose sensitive personal information for purposes that would trigger this right.
• Right to non-discrimination. We will not discriminate against you for exercising any of these rights.

You may exercise any of these rights, or designate an authorized agent to do so on your behalf, by emailing timeli2026@gmail.com. We will acknowledge your request within 10 business days and respond substantively within 45 days as required by law, with an additional 45 days available when reasonably necessary and after notifying you. To protect your information, we will need to verify your identity, which we typically do by asking you to confirm information already associated with your account.

If we deny your request, you may submit a complaint to the California Privacy Protection Agency at cppa.ca.gov or the California Attorney General at oag.ca.gov/privacy/ccpa.

Shine the Light. California Civil Code § 1798.83 permits California residents to request information about disclosures of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their own direct marketing purposes.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the rights described in “Your privacy rights” above apply to you under the GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection (FADP), respectively. In addition, you have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or the place of the alleged infringement, if you believe that our processing of your personal data does not comply with applicable law.

A list of EU data protection authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner’s Office (ICO) at ico.org.uk. The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch. We would, however, appreciate the opportunity to address your concerns before you approach a regulator, so please consider contacting us first.

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, New Jersey, Tennessee, and other U.S. states with comprehensive privacy laws have rights similar to those described in “Your privacy rights” above, including the right to access, correct, and delete personal information, the right to opt out of certain processing activities, and the right to data portability. To exercise these rights, please email timeli2026@gmail.com.

We do not engage in “targeted advertising,” “sale of personal data,” or “profiling in furtherance of decisions that produce legal or similarly significant effects” as those terms are defined under applicable state law, so there is nothing to opt out of with respect to those activities.

The Service is available globally through the Apple App Store and Google Play. The rights described in “Your privacy rights” above apply universally where local law recognizes them. The disclosures below summarize additional rights and obligations under several specific national or regional privacy laws that may apply to you.

Fixt is not directed to children and is not intended for use by anyone under the age of 13 (or 16 in the European Economic Area and the United Kingdom). In accordance with the Children’s Online Privacy Protection Act (COPPA) and equivalent laws, we do not knowingly collect personal information from children below those ages. The App Store and Google Play age ratings for Fixt require users to be at least 13 years old.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at timeli2026@gmail.com and we will promptly delete the information and close the account.

Fixt does not track you across other apps or websites. We do not use the iOS Identifier for Advertisers (IDFA), the Android Advertising ID, or any other cross-app tracking technology. Because Fixt does not engage in tracking as defined by Apple’s App Tracking Transparency framework, you will not see an ATT permission prompt when using Fixt.

We honor the Global Privacy Control (“GPC”) signal and other recognized opt-out preference signals (universal opt-out mechanisms) when they are sent by your browser. We treat a GPC signal as a valid request to opt out of any sale or sharing of personal information, as required by the California Consumer Privacy Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and other comparable state laws. Because we do not sell or share personal information in the first place, this signal does not change our practices, but we recognize and respect it.

We do not sell your personal information for monetary or other valuable consideration, and we do not share it for cross-context behavioral advertising. Because we do not engage in either practice, no opt-out is required under the CCPA, the Colorado Privacy Act, the Connecticut Data Privacy Act, or any other applicable law. If our practices ever change, we will update this policy and provide a clear opt-out mechanism before the change takes effect.

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, applicable law, or for other operational or legal reasons. When we make material changes, we will revise the “Last updated” date above and, depending on the nature of the change and where required by law, we will notify you through the app or by email before the change takes effect. We encourage you to review this policy periodically. Your continued use of the Service after a change becomes effective constitutes acceptance of the updated policy, except where the change requires fresh consent under applicable law, in which case we will obtain that consent before relying on the change.

If you have any questions about this Privacy Policy, our privacy practices, or how to exercise any of your rights, please contact us at: