Skip to content
This page is also available in: Čeština, Українська, Slovensky

Privacy Policy

Effective from: August 10, 2026

I. Basic Information about the Controller

Controller of personal data: FixIt App s.r.o. Company ID (IČO): 23725681 Registered office: Prague, Czech Republic Email: legal@fixit.app Phone: +420 702 140 894

Legal basis: This Policy complies with:

  • Regulation (EU) 2016/679 (GDPR)
  • Act No. 110/2019 Coll., on Personal Data Processing
  • Act No. 127/2005 Coll., on Electronic Communications

Data Protection Officer: FixIt App s.r.o. is not required to appoint a Data Protection Officer pursuant to Article 37 of the GDPR.

Supervisory authority: Office for Personal Data Protection (Úřad pro ochranu osobních údajů) Address: Pplk. Sochora 27, 170 00 Prague 7 Website: uoou.cz Email: posta@uoou.cz

II. Introduction

FixIt App s.r.o. ("FixIt", "we", or "our") respects your privacy and is committed to protecting your personal data. FixIt operates an online platform that connects service providers with customers and, for jobs in the on-demand mode (REALTIME), also secures fulfilment through its own workers employed on a DPP/DPČ basis.

Dual role: For intermediated jobs (MARKETPLACE PRO / QUICK and scheduled jobs), FixIt is an intermediary. For REALTIME jobs, FixIt is the worker's employer and the provider of the service. The processing of workers' data in the employment relationship is described in detail in the separate document Cooperation Terms and Personal Data Protection for Workers.

A complete list of processors and recipients of data can be found on the Data Processors page.

III. What Personal Data We Process

A. Data of providers and partners

Scope of data:

  • Identification data: name, surname, date of birth
  • Contact data: email, phone number, address
  • Business data: Company ID (IČO), VAT ID (DIČ), business authorization details
  • Data from identity verification via Bank iD (bank identity)
  • Profile photo
  • Information about the services provided, ratings, reviews
  • Payment account identifiers at the payment provider (Stripe) and capability flags
  • Transaction and payment data

Legal basis:

  • Article 6(1)(b) GDPR – contract performance
  • Article 6(1)(c) GDPR – compliance with legal obligations
  • Article 6(1)(f) GDPR – legitimate interest (security, fraud prevention, service improvement)

B. Customer data

Scope of data:

  • Identification data: name, surname
  • Contact data: email, phone number
  • The address of the place of performance, including any supplementary information (e.g., entrance code, access notes) – this data is passed on to the assigned provider/worker
  • The job description and photos of the problem that you upload
  • Data on orders, communication, and ratings
  • Payment data processed by the payment gateway (Stripe)

Legal basis:

  • Article 6(1)(b) GDPR – contract performance
  • Article 6(1)(a) GDPR – consent (marketing)
  • Article 6(1)(f) GDPR – legitimate interest (security, platform functionality)

C. Location data

For the operation of dispatch (job assignment), we process the user's current location. We always store only the single most recent location record (not movement history); the user can turn off, or delete, the location in the app.

Legal basis: Article 6(1)(b) GDPR (contract performance) and (f) (service functionality). For marketplace jobs, the location shown to the counterparty is coarsened (both parties see an approximate locality, not the exact address, until the job is accepted).

D. Communication and attachments

Chat messages between users are retained. Attachments are stored in non-public storage, made accessible via temporary signed links, and undergo antivirus scanning.

Legal basis: Article 6(1)(b) and (f) GDPR.

E. Push notifications and device data

To send notifications to the app, we process push tokens and basic device data. Notification delivery is provided by the Expo service (see Data Processors).

F. Website visitor data

Scope of data:

  • IP address
  • browser and device information
  • traffic data (Umami Analytics – a self-hosted, cookie-free solution)
  • URLs of visited pages, referrer

Legal basis: Article 6(1)(f) GDPR – legitimate interest (security, analytics, service improvement).

G. Public inquiry form (web leads)

If you submit an inquiry via the public form on the website, we process your email, a description of the problem, your city, any photos, and the IP address of the submission. The form is protected against bots by the Cloudflare Turnstile service. Unclaimed inquiries are automatically deleted after a set period.

Legal basis: Article 6(1)(b) and (f) GDPR.

H. Worker data (DPP/DPČ)

For workers in an employment relationship, we process broader categories of data (among others, the birth number, payroll data, and reports to the ČSSZ and the tax office). This data and its legal basis are described in the separate document Cooperation Terms and Personal Data Protection for Workers.

I. Data of competition and promo campaign participants

As part of competitions and promotional campaigns, we process identification and contact data, participation data (points, referral codes), and technical data (IP address, access logs). Details are contained in the separate document Competition Personal Data Processing Policy.

IV. Processing of Content by Artificial Intelligence (AI)

For faster and more accurate processing of jobs, we use artificial intelligence language and multimodal models. The photos of the problem and the text description of the job that you provide to us may, for the purpose of analysis (e.g., recognizing the type of problem, categorization, suggesting a solution), be passed on to AI service providers:

  • OpenAI (GPT-family models, including image analysis),
  • Anthropic (Claude-family models),

and this takes place through the intermediary services OpenRouter and an internal gateway (LiteLLM). These providers may also process data outside the EU/EEA.

Legal basis: Article 6(1)(b) GDPR (processing and handling of the job) and (f) (improvement and automation of services).

V. Purposes of Personal Data Processing

We process your personal data for the following purposes:

  1. Platform operation – connecting providers and customers, dispatching jobs
  2. Contract performance – processing orders, communication, account management
  3. Payment transactions – processing payments via Stripe
  4. Employment and tax obligations – for workers on DPP/DPČ (wages, ČSSZ, tax office)
  5. Legal obligations – tax documents, accounting, archiving
  6. Security and fraud prevention – protecting the platform and users
  7. Marketing – sending commercial communications (only with consent)
  8. Service improvement – traffic analysis, automation, UX optimization

VI. Fraud Prevention and Security

To protect the platform and users against fraud and misuse, we process technical and security data, in particular device characteristics, network identifiers (e.g., IP address), access logs, and signals for risk assessment. Based on this data, we may restrict or block risky conduct.

Legal basis: Article 6(1)(f) GDPR – legitimate interest (security, fraud prevention).

VII. Processors and Data Transfers

A. Processors of personal data

In accordance with Article 28 GDPR, we use a number of processors (hosting, payments, identity verification, AI analysis, notifications, email, analytics, error monitoring, etc.). A complete and up-to-date list of processors and recipients – including the purpose, location, and any transfer outside the EU – can be found on a separate page:

Data Processors (subprocessors)

Key processors include, in particular:

  • Hetzner Online GmbH – hosting (Germany, EU)
  • Stripe – payment processing and KYC verification
  • Bank iD – identity verification (bank identity)
  • OpenAI and Anthropic (via OpenRouter/LiteLLM) – AI analysis of job content

B. Transfer of personal data to other parties

The personal data of providers/workers is made available to customers when a profile is displayed and a job is accepted (name, contact, ratings).

The personal data of customers is passed on to the assigned provider/worker after a job is accepted (name, contact, job address including any access data).

For workers on DPP/DPČ, we pass on the legally required data to the Czech Social Security Administration (ČSSZ) and the Financial Administration (tax authority) – details in the Cooperation Terms for Workers.

We do not pass on your data to third parties for their own marketing purposes without your consent.

VIII. Personal Data Retention Period

Data categoryRetention period
Registration dataFor the duration of the account and a reasonable period after its termination
Business and tax documentsIn accordance with tax and accounting regulations
Employment and payroll documents, ČSSZ/tax office reportsIn accordance with statutory periods (see /worker-terms)
Marketing dataUntil consent is withdrawn
Logs, security dataFor the period necessary for the security purpose
Analytics data (Umami)For the period necessary for analysis

IX. Your Rights as a Data Subject

Under the GDPR, you have the following rights. We also state how we actually exercise these rights today:

A. Right of access (Article 15 GDPR)

You have the right to confirmation of whether we process your data and to access it. You can download part of your data (profile, addresses, location, membership) directly in the app via the export function; we will provide the remaining data upon request within 30 days.

B. Right to rectification (Article 16 GDPR)

You have the right to request the correction of inaccurate data or the completion of incomplete data.

C. Right to erasure – the "right to be forgotten" (Article 17 GDPR)

You have the right to request the erasure of your data. We carry out erasure on the basis of a request (not automatically), and each request is assessed individually. Erasure cannot be carried out to the extent that we are required to retain the data by law (in particular tax documents) or to the extent that another legal ground for processing persists – for example, for the duration of an active employment relationship and for the period of statutory archiving of employment and payroll documents for workers.

D. Right to restriction of processing (Article 18 GDPR)

You have the right to request that we restrict the processing of your data.

E. Right to data portability (Article 20 GDPR)

You have the right to receive the data you provided to us in a structured, commonly used, and machine-readable format (to the extent supported by the export function; the remainder upon request).

F. Right to object (Article 21 GDPR)

You have the right to object at any time to the processing, in particular for direct marketing purposes.

G. Right to withdraw consent (Article 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw it at any time. Consent granted during verification via Bank iD can be withdrawn; after withdrawal, the relevant identity snapshot is invalidated (see Art. XI).

H. Right to lodge a complaint

You have the right to lodge a complaint with the Office for Personal Data Protection.

How to exercise your rights: Contact us at legal@fixit.app. We will respond within 30 days at the latest.

X. Analytics and Visitor Tracking

To understand website usage, we use our own analytics solution Umami:

  • no cookies on your device,
  • data is aggregated and stored on servers in the EU,
  • no data sharing with third parties for their own purposes,
  • geographic location only at country level.

Consent is not required: Thanks to Umami's privacy-first approach, it does not store cookies and does not collect personal data in a manner requiring consent.

Legal basis: Legitimate interest (Article 6(1)(f) GDPR).

For error monitoring, we use our own (self-hosted) Sentry tool with the sending of personally identifying data turned off (sendDefaultPii: false).

XI. Identity Verification via Bank iD

To verify identity, we use the Bank iD service (bank identity). From Bank iD, we obtain the identification data needed for verification and, in the case of workers, also further data necessary for the employment relationship (in detail in the Cooperation Terms for Workers).

Withdrawal of consent / revocation: You can withdraw the consent granted in Bank iD. Upon revocation, the relevant identity verification snapshot held by us is invalidated, and this fact is recorded in the audit trail.

XII. Personal Data Security

We have implemented technical and organizational measures:

  • Encryption: SSL/TLS in transit; sensitive data (e.g., birth numbers, IBANs) is also encrypted at rest (AES-256-GCM),
  • Access rights: limited access only for authorized persons,
  • Backups: regular automatic backups,
  • Monitoring: monitoring of security threats,
  • Minimization: sensitive identifiers are masked in overviews.

XIII. Changes to This Policy

We may update this Policy. We will inform you of significant changes via email or a notification on the platform.

XIV. Contact

For personal data protection inquiries:

Office for Personal Data Protection:


Last updated: July 10, 2026