Privacy and security

This privacy and security policy (“Privacy and Security Policy”) explains how PixieBrix, Inc. (“PixieBrix” or “we”) collects and processes information from users of the website and software applications (collectively “PixieBrix’s products”). PixieBrix’s products include the:
‍
- Web browser extension (the “Extension”)
- Web application located at app.pixiebrix.com (the “Web Application”)
- Documentation located at docs.pixiebrix.com (the “Documentation”)
- Website located at www.pixiebrix.com (the “Website”)

This section enumerates what data we transmit and store. The Third-party service and providers section details which third-party service providers we use to deliver our products.

Name and email address
When you register with the Web Application, we collect your name and email address from the service you used to authenticate. We use this information to 1) send you account-related communication, such as team invitations, onboarding, and billing, and 2) provide customer support.

Additionally, you may opt-in to newsletters and marketing information with your email address. We do not share or sell this information with third parties; you may opt-out at any time.

Account settings
Extension settings are stored locally in the Extension. Web Application settings are stored in the Web Application.

Brick and integration configurations
The Web Application stores mods you create so that you can access them on any browser. Additionally, it stores any brick and integration configurations you choose to make public or share with your team.

Error telemetry
The Web Application and Extension report error telemetry with your account email, IP address, operating system, browser version, and sanitized error details. You can disable error telemetry by visiting the Settings screen in the Extension.

Product telemetry
The Web Application and Extension report product usage telemetry/events with your account email,  IP address, operating system, browser version, and event details. The event details do not include information about your browsing history. See this GitHub search for an up-to-date list of the events and information collected. You can disable product telemetry by visiting the Settings screen in the Extension Console.

Team API calls
If you choose to use the shared team integration configuration feature for authentication, those API calls will be transmitted through the API Gateway. The API Gateway does not capture or log any data sent or received from those API calls. The API Gateway does, however, log request metadata such as call frequency for billing and in order to prevent abuse

We are dedicated to protecting your information and have put in place electronic and procedural safeguards.

Procedures
We use Two Factor Authentication (2FA), password managers, and limit administrative access to PixieBrix Products.

Open source
The Extension is available open-source on GitHub. The Chrome Web Store description includes a link to the build.

Runtime controls
The PixieBrix framework provides fine-grained control over which website features can run on, and which calls integration configuration can authenticate.

Encryption
Web Application data is encrypted at rest with AES-256, block-level encryption. All internal traffic, as well as between the Extension and Web Application is encrypted during transit with TLS/SSL.

Web application protection
The Web Application is protected by a Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP).

Vulnerability scanning
We automatically monitor PixieBrix’s software dependencies for security disclosures. Additionally, we run static analysis tools as part of our development and continuous integration processes.

Third-party review
Each version of the Extension published in the Chrome Web Store is reviewed by Google prior to distribution. See Chrome Developers: Frequently Asked Questions for more information on their review process.

When you install the Extension, you will be prompted to accept the required permissions. We try to minimize the set of permissions the Extension requests up front, subject to browser technical limitations. If you create/activate features that require additional permissions, the Extension will prompt you to accept those permissions before you can use those features.

The use of browser permissions are reviewed by the Google Chrome Web Store team prior to distribution.

Required permissions

The following tables enumerate the third-party service providers we use to provide our services.
‍

Optional Service Providers
The following tables enumerate the third-party service providers we use to provide our services.
‍

The use of Third-Party Integrations with PixieBrix is optional. PixieBrix only transmits to Third-Party Integration Providers if you configure that provider for use with a mod you activate. The data transmitted, stored, and shared is limited to the data required for mod operation.

Sign in with Google

When you use Sign in with Google to authenticate with PixieBrix, Google provides your name, email address, and profile picture. PixieBrix uses this information to authenticate you. We do not share or sell this information to other third-party tools (such as AI models).

The use of Sign in with Google is optional. To opt out of using Sign in with Google, use Sign in Microsoft or enter your email to receive a registration/login link.

Google Cloud APIs

When you use a Google Cloud API integration, e.g., the Google Translation API, PixieBrix transmits the request to Google. We do not share or sell the information you provide to other third-party tools (such as AI models).

PixieBrix’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

The use of Google Cloud APIs is optional. To opt out of transmitting data to Google Cloud, do not create or use a mod that utilizes a Google Cloud API.

Google Drive

When you use the Google Drive integration, PixieBrix transmits data to/from Google Drive to display available files and/or perform file operations for the mods you activate. We do not share or sell the information transmitted you provide to third-party tools (such as AI models).

PixieBrix’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

The use of Google Drive is optional. To opt out of transmitting data to/from Google Drive, do not configure the Google Drive integration.

Microsoft: Sign in with Microsoft, Microsoft APIs

PixieBrix only shares information with Microsoft if you use Sign in with Microsoft, or configure Microsoft for use with a mod you activate. Data shared with Microsoft is limited to data required for authentication and/or mod operation.

PixieBrix’s use and transfer of information received from Microsoft APIs to any other app will adhere to Microsoft APIs Terms of Use.

OpenAI/ChatGPT

PixieBrix’s use of the OpenAI APIs is subject to their API Data Privacy Policy. Data and metadata transmitted to the OpenAI APIs are not used for training.

By default, PixieBrix does not transmit or share your browsing data or API calls with AI models. You may opt in to using AI by activating or creating a mod that calls an AI model provider.

The PixieBrix Web Application and Website use cookies for authentication and essential website functionality:

‍- Session Cookies (Required): the Web Application uses cookies to maintain your session with the web server. These are required to use the Web Application.

- Authentication Cookies (Required): the Website uses cookies from Google to show an account selector and trigger authentication.

- Cookies Notice Acceptance Cookies (Required): the Website uses cookies to remember whether you’ve accepted our Cookies Policy.

- Product Telemetry Cookies (Optional): we use cookies to measure feature usage and user experience to inform product decisions.

If you want to disable cookies entirely, your browser or mobile device might have an option to do that. For more information, including instructions on disabling cookies, please visit: https://www.allaboutcookies.org.

If you believe you have discovered a vulnerability in one of our products, please email us at [email protected]. We will respond within 3 business days to create a remediation plan.

The following systems and services are in scope:

- Website and APIs: https://*.pixiebrix.com
- Web Browser Extensions
- Source code at https://github.com/pixiebrix/

‍Any other systems and services, e.g., our third-party service providers, are excluded from scope and not authorized for testing. Please refer to their policies, and report any vulnerabilities directly to them.

Additionally, the following activities and test methods and not authorized:

- Revealing the vulnerability to others before it has been resolved
- Taking advantage of the vulnerability, e.g., by downloading or deleting other user's data beyond what is necessary to demonstrate the vulnerability
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access), social engineering (e.g. phishing), or any other non-technical vulnerability testing

We do not currently offer monetary compensation for reporting vulnerabilities, but will recognize you in the public vulnerability disclosure (unless you desire otherwise).

We created PixieBrix for the exclusive use of adults (18 and older). We don’t knowingly collect or solicit personal information from children. If you are a child under 18, please do not attempt to register for PixieBrix’s products or send any personal information to us.

We will continue to update our policies and practices as needed. We will notify you of any changes to our Privacy and Security Policy by posting any changes here. If we do, you’ll see that the date at the top of this Privacy and Security Policy has changed.

If you have any questions about our privacy policies and practice, please contact us at [email protected].