PixediReelio
Drafted internally. Drafted by Pixedi engineering. This pack has not been reviewed by external counsel. We will publish counsel-reviewed versions when any trigger in docs/37 §7 fires.

Privacy Policy

Version v1.1.0 · Effective 2026-05-12 · Last updated 2026-05-12

1. Who we are

This Privacy Policy describes how Pixedi Digital Agency Limited, a private limited company incorporated in England and Wales (company number 16968210) with its registered office at Flat 5-7 Leamington Road, Stockport, England, SK5 6BD ("Pixedi," "we," "us"), collects, uses, shares, and retains personal data in connection with the Aristo AI receptionist service (the "Service").

Throughout this Policy: "Customer" means the business that subscribes to the Service. "Visitor" means an individual who interacts with the Pixedi widget on a Customer's website. Questions about this Policy may be sent to support@pixedi.com.

2. Roles (controller and processor)

For personal data Pixedi collects directly from the Customer (account details, billing details, login activity, security events, support correspondence, and the Customer's direct relationship with Pixedi), Pixedi is the data controller.

For personal data submitted by Visitors through a Customer's website widget (chat messages, voice transcripts, contact details Visitors choose to share, and similar conversation data), the Customer is normally the controller and Pixedi acts as processor on the Customer's behalf. The terms of that processing are set out in the Data Processing Addendum at /legal/dpa.

3. What we collect

Through Visitor interactions with the widget, Pixedi processes: chat messages exchanged with Aristo; voice transcripts where voice is enabled; the name, email address, and phone number a Visitor chooses to share; the page URL the widget was loaded on; IP address; user-agent; and timestamps. Voice conversations may be streamed to OpenAI for real-time processing. Raw voice audio is not stored by Aristo. If raw audio storage is ever introduced in a future version, launch is blocked until this Policy, the Data Processing Addendum, retention rules, and consent language are updated to reflect it.

Through Customer use of the Service, Pixedi processes: the Customer's organisation profile and business details; the Aristo widget configuration; account credentials (passwords are stored as one-way hashes); billing metadata returned by Stripe (Pixedi does not see or store full card numbers); IP address and user-agent at signup and login; and security and audit events.

Operational telemetry: aggregated metrics about widget load times, conversation length, and tool-use latency, used to monitor service health and reliability.

4. Why we use this data

We process this data to: provide and operate the Service; handle Visitor conversations and capture leads on behalf of the Customer; route enquiries and surface leads in the Customer's dashboard; send notification emails to the Customer; authenticate Customer logins; manage billing and renewals; prevent abuse, fraud, and security incidents; secure the Service; respond to Customer support requests; and improve Service configuration and reliability.

5. Sub-processors

Pixedi relies on the following third-party sub-processors to operate the Service. Each is engaged under written terms and where applicable under each provider's Data Processing Addendum or equivalent.

OpenAI (United States) — AI text and real-time voice processing.

Stripe Payments UK, Ltd. (United Kingdom) — billing, payment processing, fraud and risk scoring.

Neon (Germany, Frankfurt region) — primary Postgres database hosting.

Better Auth — authentication library; runs on the same Neon database, in the same Neon region.

Cloudflare, Inc. (global edge) — DNS, web application firewall, content delivery, and Turnstile bot mitigation.

Resend (Ireland, eu-west-1 region) — transactional email delivery.

Google LLC (United States) — Google Calendar booking redirect and booking integration; only invoked when a Customer enables booking.

CapRover on Contabo VPS (Germany) — application hosting and orchestration for the Service.

A structured, machine-readable Sub-processors page is maintained at /legal/subprocessors and lists each sub-processor's purpose, region, categories of data, and transfer mechanism.

6. International data transfers

Pixedi's primary database and email delivery are hosted in the European Union (Germany and Ireland). Some sub-processors operate outside the United Kingdom and the European Economic Area, including in the United States. Where personal data is transferred outside the United Kingdom or the EEA, the transfer is supported by an appropriate safeguard, such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, or another lawful mechanism made available by the relevant sub-processor.

If you operate the Service for Visitors located in jurisdictions with stricter rules, it is the Customer's responsibility to provide an appropriate notice on its own website and obtain Visitor consent where required by local law.

7. Retention

Chat transcripts and lead records: retained while the Customer's account is active, unless deleted earlier by the Customer or required to be kept longer for legitimate business, billing, security, or legal reasons.

Deleted Customer account data: deleted or anonymised within 90 days of account closure, except records that we are required or permitted to retain for billing, tax, legal, security, or audit purposes.

Technical logs (application, network, infrastructure): retained for 30 to 90 days unless needed for ongoing security or incident investigation.

Billing and accounting records: retained for the period required by United Kingdom business and tax record-keeping duties.

Backups: deleted on the normal backup rotation cycle.

8. Your rights

Where Pixedi is the controller of your personal data, you have rights under United Kingdom data protection law to: access your personal data; correct inaccurate data; have data deleted; object to or restrict certain processing; obtain your data in a portable format where applicable; and withdraw consent for processing that relies on consent. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been breached.

Where Pixedi is the processor — typically for Visitor data submitted through a Customer's widget — Visitors should send rights requests to the Customer that operates the widget on the site they visited; the Customer is the controller of that conversation. Pixedi will assist the Customer in fulfilling such requests in a reasonable manner. Requests sent directly to Pixedi about Visitor data may be redirected to the relevant Customer where we cannot identify the requester ourselves.

9. Cookies and tracking

The Pixedi dashboard uses session cookies for authentication. The widget itself does not write cross-site tracking cookies; it uses ephemeral browser storage (sessionStorage) to keep a Visitor's conversation session alive between page loads on the Customer's site.

10. Security

We use standard practices to protect personal data: TLS in transit, encryption at rest for managed databases, role-based access for our internal team, audit logging of administrator actions, and incident response. No service is perfectly secure; vulnerability reports may be sent to support@pixedi.com.

11. Changes to this Policy

We may update this Policy from time to time. The version, effective date, and last-updated date at the top of this page reflect the current text. Material changes — including the addition of a new sub-processor or a meaningful change in the categories of personal data processed — will be communicated to active Customers by email or through the dashboard with at least thirty days' notice where reasonably practicable.

12. Contact

Questions and data-protection rights requests may be sent to support@pixedi.com. Our registered office for written correspondence is Flat 5-7 Leamington Road, Stockport, England, SK5 6BD, United Kingdom.