
How we protect your data

Updated: May 7, 2026

This page explains, in plain language, how we keep your personal data safe on FixIt. It's the companion to our Privacy Policy — the policy covers your legal rights, this page covers what we actually do day-to-day.

Developer or security researcher? See the technical detail page for an engineering-faithful walkthrough — concrete primitives, module paths, and falsifiable claims.

I. Verifying who you are

To make sure the professionals on FixIt can legally work, we need to verify their identity. We don't ask for ID scans over email and we don't store sensitive identity documents ourselves. Instead, we hand that work to two trusted partners:

  • Bank iD — the Czech bank-based identity service. You sign in with your bank, the same way you would for online banking. We never see your banking credentials — only the verified result (name, date of birth, address, document number).
  • Stripe Identity — if you don't use a Czech bank, you can scan your passport, ID card or driving licence. The photos go straight from your phone to Stripe; they never pass through our servers. We only receive the verified outcome.

Every step of a verification is logged so we (and you) can audit it later. Verified profile data stays as long as the law requires for an employment relationship; the raw technical traces of the verification itself are deleted after 60 days.

II. Signing in and your devices

We don't store passwords. You sign in with a magic link sent to your email, with Bank iD, or with Google.

Once you're in, your session is held together by short-lived security keys that live only on your device — never on our servers — and they refresh every time the app talks to us. Even if someone managed to copy an old key, it would already be useless.

Sessions expire on their own. After 14 days of inactivity (or 1 year of continuous use), you're signed out automatically.

Stolen-session defence. If we ever spot a sign that a session was copied — the same key being used twice — we sign out every device tied to that login, usually within seconds. You don't need to do anything.
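
The key rotation, reuse check and expiry limits described in this section, sketched as an added example (this is not FixIt's code). The SessionStore class, its in-memory dictionary and the choice to keep only SHA-256 digests of keys on the server side are assumptions made for illustration.

```python
import hashlib
import secrets

IDLE_LIMIT = 14 * 24 * 3600       # page: signed out after 14 days of inactivity
ABSOLUTE_LIMIT = 365 * 24 * 3600  # page: or after 1 year of continuous use


def _digest(key: str) -> str:
    # Assumption: the server keeps only a hash, so a database leak yields no usable key.
    return hashlib.sha256(key.encode()).hexdigest()


class SessionStore:
    """Hypothetical in-memory store: digest -> record for each key issued."""

    def __init__(self):
        self.records = {}

    def _issue(self, login, device, started, now):
        key = secrets.token_urlsafe(32)
        self.records[_digest(key)] = {"login": login, "device": device,
                                      "started": started, "last_seen": now, "used": False}
        return key

    def sign_in(self, login, device, now):
        return self._issue(login, device, started=now, now=now)

    def sign_out_everywhere(self, login):
        self.records = {d: r for d, r in self.records.items() if r["login"] != login}

    def active_devices(self, login):
        return sorted(r["device"] for r in self.records.values()
                      if r["login"] == login and not r["used"])

    def refresh(self, key, now):
        """Return a fresh key, or None if the caller must sign in again."""
        rec = self.records.get(_digest(key))
        if rec is None:
            return None  # unknown key, or one already revoked
        if rec["used"]:
            # Same key presented twice: a copy exists, so every device is signed out.
            self.sign_out_everywhere(rec["login"])
            return None
        if now - rec["last_seen"] > IDLE_LIMIT or now - rec["started"] > ABSOLUTE_LIMIT:
            del self.records[_digest(key)]
            return None
        rec["used"] = True  # single use: the old key is dead from here on
        return self._issue(rec["login"], rec["device"], rec["started"], now)
```

Times are plain seconds passed in by the caller so the expiry rules can be exercised without waiting.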

Your active devices. Open Account → Sign-in to see every device currently signed into your FixIt account, when it was last active and roughly where it was used. You can sign out a single device, or all of them at once.

III. Files and documents

Photos, contracts, invoices, signatures — anything you upload to FixIt is stored on private storage we control, never on a public CDN. Every file address is generated fresh for each request and only valid for a short time, so nobody can guess a permanent link or share one that keeps working forever.

We also enforce who is allowed to see what:

  1. Public images (a company logo on a public profile) — anyone who can see the profile can see the image.
  2. Your own documents (job photos, invoices, contracts) — only you and the people involved in that job can open them.
  3. Company documents (internal files, contracts) — only members of that specific company can open them. An admin from a different company cannot.

IV. Encryption — in transit and at rest

In transit. Every connection between the FixIt app or website and our servers uses modern TLS encryption — the same lock you see in your browser bar. We force HTTPS everywhere and tell your browser to refuse unencrypted fallback. Our edge sits behind a Web Application Firewall that filters common attacks before they reach us.

At rest. The disks our database runs on are fully encrypted. Backups are encrypted again with a separate key and kept off the live machine, so even physical theft of a disk wouldn't expose your data.

What you type. Anything you write — a job description, a chat message, a portfolio link — is cleaned of HTML and other injection tricks before it's saved, so other users can't be attacked through the content you post. Links you paste are checked before our servers fetch them.

V. Privacy rights and contacts

FixIt App s.r.o. is the controller of your personal data under the GDPR. Our Privacy Policy explains your rights — access, correction, deletion, portability — and how to exercise them.

Found a security issue? Please email security@fixit.app — we acknowledge within 48 hours and ship a fix as quickly as we can. We ask that you don't publish the issue before we've had a chance to address it.


If anything on this page doesn't match your experience, that's a bug — write to security@fixit.app and we'll fix it.