Privacy Policy for Fixat

This policy describes how Fixat processes your personal data. Fixat is BuddyPro's standalone marketplace with a separate database and authentication. Data you provide in Fixat is processed separately from other BuddyPro services.

1. Data controller

BuddyPro AB Org. number: 559516-1844 VAT number: SE559516184401 Karlavägen 41, 114 31 Stockholm, Sweden [email protected]

2. What this policy covers

This policy only covers the Fixat marketplace. For BuddyPro Admin, Workforce, Customer Portal, and the buddypro.io website, our general Privacy Policy applies.

3. Data we collect

3.1 Data you provide

Account:

First and last name
Email and phone
Gender (optional)
Profile picture
Short self-description
Personal ID number — collected when you book a service that may qualify for RUT or ROT deduction, or where the provider requires it for invoicing. Shared with the provider for those purposes.

Address and location:

Home address
Any billing or delivery addresses
Address types, preferences, and access instructions

Service and booking:

Preferences and requirements for the service
Answers in the booking form
Booking history
Specific requests or notes

Payment:

Billing address
Payment is made today directly between customer and provider
When payment through the platform is introduced, we'll update the list

3.2 Data collected automatically

Location:

Exact GPS position (latitude, longitude)
Location derived from IP address
Distance between customer and provider
Service area

Device and usage:

Device type, operating system, browser
Usage patterns in the app
Session length and frequency
Error logs and diagnostics

Platform interaction:

Searches and filters
Services you viewed and booked
Communication with providers
Reviews and ratings

3.3 Data from third parties

From providers:

Reviews and ratings of your bookings
Confirmations of completed work
Communication about bookings

From payment providers (when the feature is introduced):

Transaction confirmations and payment status
Fraud checks

4. How we use the data

Platform operations:

Create and manage your account
Process bookings
Forward your full booking form to the provider you select
Match you with providers based on location
Calculate distance-based pricing
Mediate payment between customer and provider
Provide customer support

Communication:

Send confirmations and updates
Enable dialogue between customer and provider
Reminders and follow-up

Platform improvement:

Analyze usage patterns to improve Fixat
Develop new features
Optimize matching
Improve the user experience

Security:

Verify identity and prevent fraud
Monitor suspicious activity
Meet legal requirements

Marketing (after consent):

Send newsletters and product news
Personal recommendations
User surveys

5. Legal basis

Contract — account management, booking, matching, customer service
Legitimate interest — location-based matching, platform improvement, security
Legal obligation — accounting, tax, government requests
Consent — marketing and optional analytics

6.1 With providers

When you book a job, we share the following with the provider:

Your full booking form
Name, email, and phone
Address and location information
Requests and notes
Communication preferences
Personal ID number, where provided for RUT/ROT or invoicing purposes

The provider receives the data to understand and perform the job and can contact you directly for booking, execution, and follow-up.

6.2 Processors

We use the following providers to operate Fixat. The list can change — the updated version is always on this page.

Provider	Use
Customer.io	Transactional and marketing communication
Expo.dev	Mobile app publishing (no customer data processed)
PostHog	Product analytics and usage tracking
Sentry	Error logging and diagnostics
Supabase	Database and authentication for Fixat

We have data processing agreements with all processors under Article 28 GDPR.

6.3 Other recipients

Future payment providers when the payment feature is introduced (contract)
Public display — your first name is shown alongside reviews you leave
Authorities when required by law, court order, or similar (legal obligation)
Acquirers in case of merger, acquisition, or sale

We don't sell your data and we don't share it with unknown parties for their marketing.

7. Where your data is stored

We operate Fixat within the EU. Storage and processing happen on servers in the EU per GDPR.

If we need to transfer data outside the EU, we ensure appropriate safeguards are in place (e.g. EU Standard Contractual Clauses) and inform you in advance.

8. Retention periods

Account data — for the lifetime of the account plus 12 months after closure
Booking history — 7 years for accounting and tax purposes
Communication — 2 years from the most recent message
Usage data in identifiable form — 13 months
Analytics data — up to 26 months
Inactive accounts — may be marked for deletion after 2 years of inactivity, with prior notice
Payment data (when introduced) — 7 years per financial regulation

You can request erasure at any time, subject to statutory archiving requirements. Send your request to [email protected].

9. Your rights

You have the right to:

request a data export
request rectification of incorrect data
request erasure ("right to be forgotten")
request restriction of processing
request data portability
object to processing based on legitimate interest, including direct marketing
withdraw consent at any time
complain to the Swedish Authority for Privacy Protection (IMY) — imy.se

Send your request to [email protected]. We respond within 30 days.

10. Security

We follow Article 32 GDPR and have, among other things:

Encryption of personal data in transit and at rest
Secure authentication and access controls
Regular security testing
Backups and recovery procedures
Internal training in data protection
Data processing agreements with our providers

In the event of a personal data breach that risks your rights, we notify IMY within 72 hours and inform you without undue delay.