Privacy Policy

Effective date: April 28, 2026 · Last updated: April 28, 2026

1. Introduction

This Privacy Policy describes how INFO DM PRIVATE LIMITED ("Fixmo," "we," "us," or "our"), a company incorporated in Sri Lanka, collects, uses, discloses, and protects personal data in connection with the Fixmo repair shop management platform available at fixmo.app and related applications, APIs, and services (together, the "Service").

Please read this policy carefully. By creating an account or otherwise using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with it, please do not use the Service.

2. Who this policy applies to

Fixmo is a business-to-business platform. It is used by repair shops (our "Subscribers") to manage their operations, and those Subscribers record information about their own end customers ("End Customers") inside the Service. That means we act in two different roles:

  • Controller — for personal data relating to Subscriber account holders and team members (owners, managers, technicians, cashiers), visitors to fixmo.app, and people who contact us directly. We decide how and why that data is processed.
  • Processor — for End Customer data and other business records that a Subscriber enters or uploads into their workspace (for example, an End Customer's name, phone number, device details, or repair history). We process that data on behalf of, and on the instructions of, the Subscriber.

If you are an End Customer and have questions about data a repair shop has recorded about you, please contact that shop directly — they are the controller of that information. We will assist shops in responding to your requests.

3. Information we collect

3.1 Information you provide

  • Account information: full name, email address, password (stored as a bcrypt hash only, never in plain text), phone number, shop name and code, branch name and code, country, and currency preference.
  • Team member information: name, email, phone, role (Admin, Manager, Technician, Cashier), branch assignment, and profile photo where provided.
  • Billing information: the plan you select, billing cycle, invoice history, order reference IDs, and the payment provider's payment ID. Full card details are never sent to or stored by Fixmo — they are collected and held by our payment processor (see Section 6).
  • Business data entered by the Subscriber: End Customer records (name, phone, email, WhatsApp status, billing address, tax ID, company details, notes), repair jobs (device, problem description, status, photos, service history), inventory items, serial numbers, sales and payment records, invoices, quotations, credit notes, refunds, supplier and purchase order data, commission agent records, expense records, and uploaded documents and images.
  • Integration credentials: where a Subscriber enables an optional integration (such as the WhatsApp Business API or a custom SMTP email server), we store the relevant tokens, IDs, and, where necessary, SMTP credentials so the integration can function.
  • Support communications: messages you send us by email, through contact forms, or through any other support channel, and our replies.

3.2 Information collected automatically

  • IP address, user-agent string, device type, and operating system.
  • Basic usage information such as pages viewed, features used, and request timestamps, used for security monitoring, rate limiting, and debugging.
  • Essential cookies: we set a first-party session cookie ("fixmo-token") to keep you signed in and to enforce authentication. No third-party advertising or cross-site tracking cookies are used.
  • Security logs: records of sign-in attempts, password changes, email changes, and, for super administrators, an audit log of administrative actions.

3.3 Information we do not collect

  • We do not collect the content of personal WhatsApp conversations. When a Subscriber enables WhatsApp notifications, we only send transactional messages (such as repair status updates) through the official WhatsApp Business API and store delivery status for those messages.
  • We do not use third-party advertising networks or sell your personal data to data brokers.

4. How we use personal data

We use personal data for the following purposes:

  • Providing the Service — creating and maintaining accounts, storing business records, sending transactional notifications, generating documents, processing refunds, and enabling integrations.
  • Authentication and security — verifying identity, maintaining sessions, enforcing rate limits, detecting abuse, and protecting the Service and its users.
  • Billing and administration — processing subscription payments, issuing receipts, managing plan changes, and handling suspension or termination for non-payment or breach.
  • Customer support — responding to your questions and troubleshooting issues.
  • Service improvement — diagnosing errors, analysing aggregate usage, and improving features. We do not profile individuals for advertising.
  • Legal compliance — complying with applicable laws, tax requirements, and lawful requests from authorities.

5. Legal bases for processing (EEA / UK users)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

  • Performance of a contract — to provide the Service you have signed up for, including account creation, billing, and core features.
  • Legitimate interests — to keep the Service secure, prevent fraud and abuse, improve our product, and communicate service-related information. We balance these interests against your rights.
  • Legal obligation — to comply with tax, accounting, and other statutory obligations and to respond to lawful requests.
  • Consent — where required, for example when you opt in to marketing communications or enable an optional integration. You may withdraw consent at any time.

When we act as a processor on behalf of a Subscriber, the Subscriber is responsible for identifying the legal basis for processing End Customer data and for obtaining any consents required under applicable law.

6. Third-party service providers (sub-processors)

We use a small number of carefully selected vendors to operate the Service. These vendors are bound by contractual confidentiality and data protection obligations, and process data only to provide services to us.

  • Railway (Railway Corp.) — application hosting and managed PostgreSQL database.
  • Cloudflare R2 (Cloudflare, Inc.) — object storage for uploaded files, images, logos, documents, and other attachments.
  • Resend (Resend, Inc.) — transactional email delivery (verification emails, password resets, invoices, and Subscriber-configured customer notifications).
  • PayHere (PayHere Pvt Ltd) — subscription payment processing. PayHere collects and processes card and payment details directly; we receive only a payment reference and status.
  • Meta WhatsApp Business API (Meta Platforms, Inc.), and optionally Twilio (Twilio, Inc.) — delivery of outbound WhatsApp transactional messages, where a Subscriber has enabled the integration.

Each of these providers has its own privacy practices. A more detailed, up-to-date list of sub-processors is available on request at [email protected].

7. Other disclosures

We may also share personal data in the following limited circumstances:

  • Within the Subscriber's workspace. Data entered by one team member is visible to other authorised users of the same shop, based on their role and branch.
  • Legal and regulatory requirements. We may disclose information if required by law, court order, or legitimate request by a public authority, or to protect the rights, property, or safety of Fixmo, our users, or others.
  • Business transfers. If Fixmo is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction. We will notify Subscribers before personal data becomes subject to a different privacy policy.
  • With your direction. For example, when a Subscriber chooses to send a document or notification to an End Customer, or connects a third-party integration.

We do not sell personal data and do not share it for cross-context behavioural advertising.

8. International data transfers

Fixmo is operated from Sri Lanka, and we use hosting and infrastructure partners (including Railway and Cloudflare) that operate internationally. As a result, personal data may be stored and processed in countries outside your country of residence, including the United States and other jurisdictions. Where required by applicable law (including the GDPR), we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms offered by our vendors to protect cross-border transfers.

9. Data retention

  • Active accounts: we retain data for as long as your account is active and as needed to provide the Service. Free-plan workspaces may be subject to additional operational limits communicated in-product.
  • After cancellation or termination: following cancellation, suspension, or termination of an account, we keep a 30-day window during which an administrator can reactivate the account or export data. After that window, we delete or anonymise the data, except where we are required to retain it for legal, tax, accounting, fraud-prevention, or dispute-resolution purposes.
  • Backups: data removed from our active systems may persist in encrypted backups for a limited period (typically up to 30 days) before being overwritten in the normal course of operations.
  • Billing and tax records: invoice and payment records are retained for the periods required by applicable tax and accounting law.

10. Security

We take the security of personal data seriously. Our safeguards include:

  • TLS/HTTPS encryption of all data in transit.
  • Encryption at rest as provided by our hosting and storage partners (Railway and Cloudflare R2).
  • Passwords stored only as bcrypt hashes; plaintext passwords are never logged or stored.
  • Role-based access control (Admin, Manager, Technician, Cashier) and branch-scoped permissions inside each workspace.
  • Session management with signed JWT cookies set as HttpOnly, Secure, and SameSite where applicable.
  • Optional two-factor authentication (TOTP) and passkey / WebAuthn support for privileged accounts.
  • Rate limiting on authentication, registration, and password-reset endpoints.
  • Internal audit logging for administrative actions.

No system is perfectly secure. While we work hard to protect your data, we cannot guarantee absolute security against every possible threat. Please use a strong, unique password and keep your credentials confidential.

11. Your rights

Depending on where you live, you may have the following rights in respect of your personal data (for example, under the GDPR, UK GDPR, or the California Consumer Privacy Act / CPRA):

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your personal data (subject to lawful exceptions).
  • Restriction — ask us to limit how we process your data in certain circumstances.
  • Objection — object to processing we carry out on the basis of legitimate interests.
  • Portability — receive your data in a structured, commonly used, machine-readable format.
  • Withdraw consent — at any time, where processing is based on consent, without affecting the lawfulness of earlier processing.
  • Non-discrimination (California residents) — you will not receive discriminatory treatment for exercising your rights.
  • Complain — lodge a complaint with your local data protection authority.

Many of these rights can be exercised directly inside the Service: you can update your profile, change your email and password, export business data, and delete or wipe shop data from the Settings area. For other requests, please email [email protected] from the email address associated with your account. We will respond within 30 days, or sooner where required by law. We may need to verify your identity before fulfilling a request.

If your request relates to End Customer data held by a repair shop on our Service, we will forward it to the relevant Subscriber, who is the controller of that data.

11.1 How to request data deletion

You can request deletion of your personal data in any of the following ways:

  • In-app — account holders can delete a shop, wipe specific business data, or close their account from the Settings area inside Fixmo.
  • Web form — anyone can submit a request at https://fixmo.app/data-deletion. We will reply within 30 days.
  • Email — write to [email protected] from the email address associated with your account.
  • Meta / Facebook — if you connected your WhatsApp Business account to Fixmo using Facebook Login, you can remove Fixmo from your Facebook account settings. Meta will notify us automatically via a signed data-deletion callback, and we will delete the corresponding access tokens and account-link records. This automated path only deletes the link between your Facebook account and Fixmo; business data stored inside the Subscriber's Fixmo shop is governed by the in-app and email options above.

12. Children's privacy

The Service is intended for use by businesses and is not directed at children. We do not knowingly collect personal data from anyone under 16 years of age. If you believe we have inadvertently collected data from a child, please contact us and we will take steps to delete it promptly.

13. Cookies and similar technologies

Fixmo uses only essential first-party cookies and local storage needed to operate the Service, primarily for authentication, session continuity, theme preference (dark/light mode), and security. We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that share browsing history with other sites.

14. Automated decision-making

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing. Some routine operations (such as rate limiting or anti-abuse checks) are automated but do not substitute for human judgement in account-level decisions.

15. Responsibilities of Subscribers

If you are a Subscriber using Fixmo to manage your repair shop, you are responsible for:

  • Providing an appropriate privacy notice to your End Customers describing how their data is collected and used by your business.
  • Obtaining any consents required under applicable law (for example, for marketing messages or for sending notifications via WhatsApp or email).
  • Ensuring that the data you enter into Fixmo is accurate and that you have the right to process it.
  • Responding to data-subject requests from your End Customers, where you are the controller of that data.
  • Keeping your account credentials secure and managing your team's access appropriately.

16. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or business operations. When we make material changes, we will update the "Effective date" above and, where appropriate, notify you by email or through the Service before the changes take effect. Your continued use of the Service after the new policy takes effect constitutes acceptance of the updated policy.

17. How to contact us

If you have questions, requests, or complaints about this Privacy Policy or our handling of personal data:

Please also review our Terms of Service and Refund Policy.