Last updated: 14 May 2026

Privacy notice

Draft. This notice was prepared with the help of an AI assistant against ICO templates and is awaiting review by a qualified solicitor. Do not rely on it for legal advice.
Jump to section

1. Who we are

odel-labs is operated by FIXI Group Limited(“we”, “us”, “our”), a private limited company registered in England and Wales under company number 16725973, with its registered office at 86–90 Paul Street, London EC2A 4NE.

We are the controller of personal data we collect through hellofixi.com and any subdomain operated under the same brand. For data we process on behalf of a customer of the platform, that customer is the controller and we are the processor — our data processing agreement with that customer governs our role.

Contact for privacy matters: privacy@hellofixi.com.

2. Personal data we collect

We collect the following categories of personal data:

  • Account data. Name, email address, password hash, workplace, role, time zone, locale.
  • Authentication data. Sign-in timestamps, IP address of the request, browser fingerprint hash, magic-link tokens, WebAuthn credential identifiers.
  • Billing data. Billing name, billing address, VAT number, the last four digits of any payment card, transaction identifiers held by Stripe.
  • Usage data. Pages visited, features used, error traces, latency measurements. We strip names, emails, IP addresses, and free-text content before structured logging — see section 6.
  • Communication data. Email and chat messages you send to us; tickets you raise.
  • Workspace content. Documents, messages, files, tasks, AI conversations, and other content you put into the platform. Subject to the customer DPA, never the FIXI processor agreement.

3. Why we process it (lawful bases under Article 6 UK GDPR)

PurposeLawful basis
Provide the service you have signed up forPerformance of a contract (Art. 6(1)(b))
Send transactional email (sign-in, billing, security)Performance of a contract (Art. 6(1)(b))
Detect fraud, abuse, and security incidentsLegitimate interests (Art. 6(1)(f))
Comply with HMRC, accounting, and AML obligationsLegal obligation (Art. 6(1)(c))
Send marketing email about features and offersConsent (Art. 6(1)(a)) — withdrawable at any time
Improve our service through aggregated analyticsLegitimate interests (Art. 6(1)(f)) — see section 9

4. How long we keep it

  • Account data: for the life of the account plus 30 days after closure (cooling-off / restoration window).
  • Authentication data: 90 days for security investigation, then deleted.
  • Billing data: six years from the end of the relevant tax year (HMRC requirement).
  • Usage data: 13 months in detailed form, then aggregated and anonymised indefinitely.
  • Communication data: 24 months after the last response, then deleted unless retained for a live legal matter.
  • Workspace content: until the customer deletes it or the customer DPA expires; on customer account closure, soft-deleted for 30 days then purged.

5. Who we share data with

We share personal data only with the sub-processors listed at /sub-processors. We do not sell personal data to third parties under any circumstances. We may disclose data:

  • To respond to a valid law-enforcement request under UK law.
  • To a successor entity in the event of a merger, acquisition, or insolvency, with your continued protection guaranteed under this notice.
  • To a professional adviser (legal, accounting, audit) under contract that requires confidentiality.

6. How we protect personal data

  • All data in transit encrypted with TLS 1.3.
  • All data at rest encrypted by the storage provider (AES-256).
  • PII columns additionally encrypted at the column level using customer-managed keys where the customer DPA requires it.
  • Row-Level Security in the database isolates every customer's workspace.
  • Production access is restricted to a small named set of individuals, gated by hardware security keys, and logged.
  • Structured logs strip names, emails, IP addresses, and free-text content before being written.
  • We publish a security contact at /.well-known/security.txt and triage reports within one working day.

7. International transfers

Personal data is stored in the United Kingdom (London, eu-west-2). Where a sub-processor is established outside the UK or EEA, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses. The current location and legal basis for each sub-processor is published on /sub-processors.

8. Your rights under UK GDPR

You have the right to:

  • Be informed about how your data is used (this notice).
  • Access your personal data (Article 15).
  • Correct inaccurate data (Article 16).
  • Have your data erased in defined circumstances (Article 17).
  • Restrict processing (Article 18).
  • Receive your data in a portable format (Article 20).
  • Object to processing based on legitimate interests (Article 21).
  • Withdraw consent for marketing or other consent-based processing.
  • Lodge a complaint with the Information Commissioner's Office at ico.org.uk/make-a-complaint.

To exercise any of these rights, email privacy@hellofixi.com. We respond within one calendar month and never charge for the first request.

9. Cookies and analytics

See our cookie notice for the full list of cookies and analytics tools, including the strictly-necessary cookies that do not require consent and the optional analytics cookies that do.

10. AI processing and automated decisions

Some platform features use AI to draft text, classify content, or recommend actions. We do not make any decision that has a legal or similarly significant effect on you using AI alone — every such recommendation is reviewed by a person before action is taken.

Where you submit content for AI processing, we do not use that content to train any third-party model. Our model providers are listed on /sub-processors and are contractually bound to the same restriction.

11. Changes to this notice

Material changes are notified by email at least 30 days before they take effect. The version history is available on request and will be published in this section once an audit trail is in place.

12. Contact

FIXI Group Limited, 86–90 Paul Street, London EC2A 4NE.
Email: privacy@hellofixi.com.
ICO registration number: TBD — applied for on signup.