Legal Documentation
Privacy Policy
How PhiXtra collects, uses, and protects data across our website, SaaS platform, and WordPress plugins.
portal.phixtra.com, chat.phixtra.com, and data.phixtra.com), and the free WordPress plugins published by PhiXtra on WordPress.org — namely PhiXtra AI Support Widget and PhiXtra Export. Please read this document carefully.
Table of Contents
- Who We Are
- Definitions
- Data We Collect — Website
- Data We Collect — Plugins
- Data We Collect — SaaS Platform
- Legal Bases for Processing
- How We Use Your Data
- Data Sharing & Third Parties
- International Data Transfers
- Data Retention
- Your Rights
- Cookies & Tracking
- Children's Privacy
- Security
- Changes to This Policy
- Contact & DPO
Who We Are
PhiXtra ("PhiXtra," "we," "our," or "us") operates the website https://phixtra.com and provides AI-powered SaaS tools and WordPress plugins designed to enhance e-commerce and content-management workflows. Our registered business contact is available at the address in Section 16.
For the purposes of applicable data-protection legislation — including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and the California Consumer Privacy Act (CCPA) — PhiXtra acts as the Data Controller with respect to personal data processed via our website and SaaS platform. Where our plugins process data solely within a merchant's own WordPress installation and that merchant determines the purpose and means of processing, the merchant is the Data Controller and PhiXtra acts as a Data Processor.
Definitions
| Term | Meaning |
|---|---|
| Personal Data | Any information that relates to an identified or identifiable natural person. |
| Processing | Any operation performed on Personal Data, including collection, storage, transmission, or deletion. |
| Data Subject | The individual whose Personal Data is processed. |
| Plugin User / Merchant | A WordPress site administrator who installs a PhiXtra plugin. |
| End User / Visitor | A person who interacts with a merchant's website where a PhiXtra plugin is active. |
| SaaS Platform | PhiXtra's hosted services at chat.phixtra.com, data.phixtra.com, and portal.phixtra.com. |
| AI Widget | The PhiXtra AI Support Widget WordPress plugin. |
| Export Plugin | The PhiXtra Export WordPress plugin. |
Data We Collect — PhiXtra Website
When you visit phixtra.com or interact with our marketing content, we may collect:
3.1 Information You Provide Directly
- Contact enquiries: name, e-mail address, and any message you submit via contact forms.
- Account registration: name, e-mail, and chosen password when creating a PhiXtra portal account.
- Subscription & billing: billing name, payment-card details (processed by our PCI-compliant payment provider; PhiXtra does not store card numbers), and billing address.
- Support communications: any information you share when requesting help.
3.2 Information Collected Automatically
- IP address, browser type and version, operating system, referring URL, pages visited, and timestamps — collected via server logs and analytics software.
- Cookie identifiers and similar tracking technologies (see Section 12).
3.3 Information from Third Parties
We may receive basic profile information (name, e-mail) if you choose to sign in via a third-party OAuth provider (e.g., Google). We use only what is required to create and maintain your account.
Data We Collect — WordPress Plugins
4.1 PhiXtra AI Support Widget
This plugin embeds a live-chat interface on the merchant's public-facing website. The following data flows occur:
| Data Element | Who Is Affected | Where It Goes |
|---|---|---|
| API Key (bearer token) | Merchant (admin) | Stored in WordPress wp_options table on merchant's server. Transmitted to chat.phixtra.com with each chat request. |
| Widget configuration (agent name, colors, fonts, bubble position, endpoint URL) | Merchant (admin) | Stored in WordPress wp_options table. Exposed client-side to render the widget. |
| Chat messages typed by End Users | End Users / Website Visitors | Transmitted in real time to chat.phixtra.com via HTTPS POST. Processed by PhiXtra's AI infrastructure to generate responses. |
| AI responses | End Users / Website Visitors | Returned from chat.phixtra.com and displayed in the widget. |
The plugin does not collect names, e-mail addresses, or session cookies from End Users unless the End User voluntarily types such information into the chat. Merchants who wish to pre-populate the chat with user account data must implement this themselves and must disclose it in their own privacy notices.
4.2 PhiXtra Export Plugin
This plugin is an admin-only tool that runs entirely within the WordPress dashboard. It does not add any functionality to the public-facing website. Only authenticated WordPress users with the manage_woocommerce capability can access it.
Local Export Feature (no external transmission): When a merchant uses the Export tab to download a file (JSON, CSV, XML, or Excel), all processing occurs entirely on the merchant's server. The resulting file is downloaded directly to the admin's device. No data is sent to PhiXtra servers.
Data that can be included in a local export (at the merchant's discretion) includes:
- Products: ID, name, slug, SKU, type, status, descriptions, permalink, image URLs, prices, stock information, categories, tags, attributes, brand terms, custom meta fields, and product variations.
- Customers (PII): User ID, e-mail, username, display name, first and last name, role(s), registration date, billing address (name, company, address lines, city, state, postcode, country), shipping address, phone number, company name, total spent, order count, last order date, and custom user meta fields.
- Orders (PII): Order ID and number, status, creation date, currency, customer ID, customer note, payment method, order totals (subtotal, discount, shipping, tax, total), billing address (including e-mail and phone), shipping address, line items (product IDs, names, SKUs, quantities, totals), coupon codes, shipping methods, and custom order meta fields.
- Posts and Pages: ID, title, slug, status, dates, author ID and name, permalink, excerpt, content (HTML), featured image URL, comment status, parent ID, menu order, page template, categories, tags, and custom meta fields.
PhiXtra Sync Feature (data transmitted to PhiXtra servers): When the merchant enables the Sync tab and provides a bearer token, the plugin transmits store data to https://data.phixtra.com via authenticated HTTPS POST. The following headers are sent with every request:
- Authorization: Bearer <token>
- X-PhiXtra-Tenant: the merchant's site hostname (e.g., myshop.com), used as a tenant identifier.
- X-PhiXtra-Site: the merchant's home URL.
Data transmitted via Sync includes (depending on merchant configuration):
- Products: same fields as the local export, plus AI-search-optimised document objects.
- Posts & Pages: title, content (stripped of HTML), URL, type, and status.
- Orders (optional, disabled by default): order number, status, total, billing name, billing e-mail, billing phone, billing city/postcode/country, shipping city/postcode/country, and line-item summaries.
- Customers (optional, disabled by default): display name, e-mail address, phone number, billing city/postcode/country, and user roles.
Data We Collect — SaaS Platform
Our hosted infrastructure at chat.phixtra.com, data.phixtra.com, and portal.phixtra.com processes data as follows:
- Authentication & account data: e-mail, hashed password, API keys issued to merchants.
- Chat data: messages sent by End Users to AI agents, AI-generated responses, and request metadata (timestamp, API key identifier, tenant hostname). Messages may be retained for quality improvement, abuse prevention, and model evaluation (see Section 10).
- Indexed documents: product, post, page, and optionally order/customer data synced by the Export Plugin, stored in Azure AI Search infrastructure to power on-site search and AI assistant responses.
- Usage and telemetry: API call volumes, error rates, latency metrics, and other operational data used to monitor service health. This data does not contain message content.
Legal Bases for Processing (GDPR / UK GDPR)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
| Activity | Legal Basis |
|---|---|
| Creating and managing your PhiXtra account | Contract (Art. 6(1)(b) GDPR) |
| Processing payments for subscriptions | Contract (Art. 6(1)(b) GDPR) |
| Providing AI chat responses to End Users | Legitimate interests of the merchant (Art. 6(1)(f)); merchant acts as Data Controller |
| Syncing merchant store data to improve AI search quality | Contract / legitimate interests (Art. 6(1)(b)/(f)) |
| Sending service-related communications (e.g., billing, security alerts) | Contract (Art. 6(1)(b)) |
| Sending marketing e-mails | Consent (Art. 6(1)(a)); you may withdraw consent at any time |
| Analytics and service improvement | Legitimate interests (Art. 6(1)(f)); we use anonymised or aggregated data where possible |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
How We Use Your Data
- To create, maintain, and secure your PhiXtra account.
- To process subscription payments and issue invoices.
- To operate and deliver the AI Support Widget service, including routing chat messages to AI models and returning responses.
- To index merchant store data in Azure AI Search so that their AI assistants can answer product and content questions accurately.
- To diagnose faults, investigate errors, and maintain service reliability.
- To send transactional e-mails (account creation, password reset, invoices, service changes).
- To send promotional communications where you have given consent or where we have a legitimate interest and you have not opted out.
- To comply with applicable law, including responding to valid legal process.
- To aggregate and anonymise usage data for product analytics and business reporting (the output contains no personally identifiable information).
- To train or evaluate AI models only where we have a lawful basis and appropriate safeguards, and we will not use End User chat content for AI training without explicit consent or a clear contractual basis with the merchant.
Data Sharing & Third Parties
We do not sell Personal Data. We do not share Personal Data with third parties for their own marketing purposes. We may share data in the following limited circumstances:
8.1 Service Providers (Sub-processors)
We engage trusted third-party service providers who process data on our behalf under strict contractual obligations:
- Microsoft Azure — cloud infrastructure hosting, Azure AI Search (for indexed product/content data), and Azure OpenAI or similar AI services for generating chat responses.
- Payment processors — e.g., Stripe, for handling subscription payments securely.
- E-mail service providers — for transactional and marketing e-mail delivery.
- Analytics providers — for aggregated, anonymised website analytics.
- Customer support tools — ticketing and help-desk software.
A current list of sub-processors is available upon written request to our Data Protection contact (see Section 16).
8.2 Legal Disclosures
We may disclose Personal Data if required by law, court order, or a regulatory authority, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
8.3 Business Transfers
In the event of a merger, acquisition, or sale of all or part of our assets, Personal Data may be transferred to the acquiring entity, subject to the same commitments as set out in this policy.
8.4 Merchant-to-PhiXtra Data Flow
When a merchant enables the PhiXtra Sync feature, they act as a Data Controller and PhiXtra acts as a Data Processor in respect of any personal data (e.g., customer or order records) included in the synced payload. This relationship is governed by a Data Processing Agreement available at phixtra.com/dpa.
International Data Transfers
PhiXtra's infrastructure is hosted on Microsoft Azure. Data may be stored and processed in data centres within the European Economic Area (EEA), the United Kingdom, and/or the United States, depending on the Azure region selected at the time of service provisioning.
Where Personal Data is transferred outside the UK or EEA, we ensure an adequate level of protection by relying on one or more of the following mechanisms:
- The European Commission's Standard Contractual Clauses (SCCs) as adopted or adapted for UK transfers under the International Data Transfer Agreement (IDTA).
- An adequacy decision issued by the relevant authority.
- Other appropriate safeguards under Article 46 GDPR / UK GDPR.
You may request a copy of the relevant transfer mechanism by contacting us (see Section 16).
Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (name, e-mail, password hash) | Duration of account plus 90 days after account closure. |
| Billing & invoice records | 7 years (legal and tax obligation). |
| Chat message content | Up to 90 days for abuse detection and quality monitoring; anonymised/deleted thereafter unless a longer retention is required by law or agreed in a merchant contract. |
| Synced product/post/page data | Until the merchant issues a delete instruction (via the plugin's delete hook or API) or terminates their account, whichever is sooner. |
| Synced order/customer data (if enabled) | As agreed in the merchant's Data Processing Agreement; default 90 days unless otherwise specified. |
| Plugin configuration data (API keys, widget settings in wp_options) | Stored in the merchant's WordPress database; PhiXtra does not hold a copy. Retention is controlled by the merchant. |
| Server logs & access logs | 30 days, then purged or anonymised. |
| Support communications | 3 years after the last interaction. |
| Marketing consent records | Until consent is withdrawn, plus 5 years for legal evidence. |
Where we are required to retain data for legal, regulatory, or contractual reasons, those obligations take precedence over shorter retention periods stated above.
Your Rights
Depending on your location and the applicable law, you may have the following rights regarding your Personal Data:
| Right | Description |
|---|---|
| Access | Obtain a copy of the Personal Data we hold about you and information about how it is used. |
| Rectification | Request correction of inaccurate or incomplete data. |
| Erasure ("right to be forgotten") | Request deletion of your Personal Data where there is no overriding legal reason to retain it. |
| Restriction | Ask us to limit processing of your data in certain circumstances. |
| Data Portability | Receive your data in a structured, machine-readable format and transmit it to another controller. |
| Objection | Object to processing based on legitimate interests or for direct marketing purposes. |
| Withdraw Consent | Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing. |
| Automated Decision-Making | Not be subject to solely automated decisions that produce legal or similarly significant effects (we do not make such decisions about individuals). |
| CCPA (California) | Know, delete, opt-out of sale (we do not sell data), and non-discrimination rights. |
How to Exercise Your Rights
Submit a written request to privacy@phixtra.com. We will respond within 30 days (extendable by a further 60 days in complex cases, with notification). We may request identity verification before acting on your request. There is no charge for reasonable requests.
Complaints
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the relevant supervisory authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- EU: Your national Data Protection Authority (DPA).
- US (California): California Privacy Protection Agency (CPPA).
We would, however, appreciate the opportunity to resolve any concerns directly before you escalate to a supervisory body.
Cookies & Tracking Technologies
Our website and SaaS platform use cookies and similar technologies. You can manage cookie preferences via our cookie banner or your browser settings.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Session management, CSRF protection, authentication tokens. These cannot be disabled without breaking the service. | Session / up to 1 year |
| Functional | Remembering your preferences (e.g., language, dashboard layout). | Up to 1 year |
| Analytics | Aggregated usage statistics to improve the website (e.g., Google Analytics in anonymised mode). | Up to 2 years |
| Marketing | Understanding how users find us, used only with consent. | Up to 2 years |
The PhiXtra AI Support Widget, when embedded on a merchant's website, does not independently set first-party cookies. Any third-party scripts loaded alongside the widget on the merchant's site are the merchant's responsibility.
Children's Privacy
Our services are not directed at children under the age of 13 (or 16 where required by applicable law). We do not knowingly collect Personal Data from children. If you believe a child has provided us with Personal Data without parental consent, please contact us immediately at privacy@phixtra.com and we will take prompt steps to delete that information.
Merchants who deploy the AI Support Widget on websites frequented by children are responsible for complying with applicable children's privacy laws, including COPPA (US) and the UK Children's Code, and should ensure their own privacy notices adequately disclose any data processing.
Security
We implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Transport Layer Security (TLS 1.2 or higher) for all data in transit.
- Encryption at rest for data stored on our servers.
- API key and bearer-token authentication for all plugin-to-server communication.
- Role-based access control (RBAC) restricting data access to authorised personnel.
- Regular vulnerability scanning and penetration testing.
- Intrusion detection and audit logging.
No method of electronic transmission or storage is 100% secure. If you discover a potential security vulnerability, please disclose it responsibly to security@phixtra.com.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours and, where required, will notify affected individuals without undue delay.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Effective" date at the top of this page.
- Display a prominent notice on our website and/or send an e-mail to account holders.
- For material changes affecting WordPress plugin functionality, publish release notes on the WordPress.org plugin pages.
We encourage you to review this policy periodically. Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.
Prior versions of this Privacy Policy are available upon written request.
Contact & Data Protection
If you have questions, concerns, or requests relating to this Privacy Policy or your Personal Data, please contact us:
PhiXtra — Privacy Enquiries
For Data Processing Agreement requests: dpa@phixtra.com
For security vulnerability disclosures: security@phixtra.com
We aim to respond to all privacy-related enquiries within 5 business days and to fulfil data-subject requests within the statutory timeframe.
Copyright © 2026 PhiXtra