Last updated February 27, 2022

Privacy and security

Your privacy is important to PixieBrix. We respect your privacy regarding information we may collect from you across our website.

PixieBrix privacy and security policy

This privacy and security policy (“Privacy and Security Policy”) explains how PixieBrix, Inc. (“PixieBrix” or “we”) collects and processes information from users of the website and software applications (collectively “PixieBrix’s products”). PixieBrix’s products include the:

- Web browser extension (the “Extension”)
- Web application located at app.pixiebrix.com (the “Web Application”)
- Documentation located at docs.pixiebrix.com (the “Documentation”)
- Community forum located at community.pixiebrix.com (the “Community Forum”)
- Website located at www.pixiebrix.com (the “Website”)

What data we transmit and store

This section enumerates what data we transmit and store. The Third-party service providers section details which third-party service providers we use to deliver our products.

Name and email address
When you register with the Web Application, we collect your name and email address from the service you used to authenticate. We use this information to 1) send you account-related communication, such as team invitations, onboarding, and billing, and 2) provide customer support.

Additionally, you may opt in to newsletters and marketing information with your email address. We do not share this information with or sell it to third parties; you may opt out at any time.

Account settings
Extension settings are stored locally in the Extension. Web Application settings are stored in the Web Application.

Brick and service configurations
The Web Application stores extensions you create so that you can access them on any browser. Additionally, it stores any brick and integration configurations you choose to make public or share with your team.

Error telemetry
The Web Application and Extension report error telemetry with your account email, anonymized IP address, operating system, browser version, and sanitized error details. You can disable error telemetry by visiting the Settings screen in the Extension.

Product telemetry
The Web Application and Extension report product usage telemetry/events with your account email, anonymized IP address, operating system, browser version, and event details. The event details do not include information about your browsing history. See this GitHub search for an up-to-date list of the events and information collected. You can disable product telemetry by visiting the Settings screen in the Extension.

Team API calls
If you choose to use the shared team service feature for authentication, those API calls will be transmitted through the Web Application. The Web Application does not capture or log any data sent or received from those API calls. The Web Application does, however, log request metadata such as call frequency in order to prevent abuse.

How we protect your data

We are dedicated to protecting your information and have put in place electronic and procedural safeguards.

Procedures
We use two-factor authentication (2FA) and password managers, and we limit administrative access to PixieBrix Products.

Open source
The Extension is available as open source on GitHub. The Chrome Web Store description includes a link to the build.

Runtime controls
The PixieBrix framework provides fine-grained control over which websites features can run on and which calls service credentials can authenticate.

Encryption
Web Application data is encrypted at rest with AES-256, block-level encryption. All internal traffic, as well as traffic between the Extension and the Web Application, is encrypted in transit with TLS/SSL.

Web application protection
The Web Application is protected by a Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP).

Vulnerability scanning
We automatically monitor PixieBrix’s software dependencies for security disclosures. Additionally, we run static analysis tools as part of our development and continuous integration processes.

Third-party review
Each version of the Extension published in the Chrome Web Store is reviewed by Google prior to distribution. See Chrome Developers: Frequently Asked Questions for more information on their review process.

Extension permissions

When you install the Extension, you will be prompted to accept the required permissions. We try to minimize the set of permissions the Extension requests up front, subject to browser technical limitations. If you create/activate features that require additional permissions, the Extension will prompt you to accept those permissions before you can use those features.

The use of browser permissions is reviewed by the Google Chrome Web Store team prior to distribution.

Required permissions

| Permission | Reason |
| --- | --- |
| `storage` | The Extension stores account settings and configuration locally |
| `tabs` | The Extension uses the tabs API in conjunction with the Web Navigation API for three purposes: (1) load the content script into pages (necessary due to dynamic permissions for content scripts); (2) notify the content script on Single Page Applications (SPAs) of navigation events; (3) for multi-tab workflows, track relationship between parent/child tabs. The Extension does not record/modify any information about tabs or their URLs. |
| `activeTab` | The activeTab permission allows you to temporarily grant access to a tab in order to develop a new brick using the developer panel tools. |
| `webNavigation` | The Extension uses the Web Navigation API to detect page navigation events on Single Page Applications (SPAs). The Extension does not store the information it retrieves from this API. |
| `contextMenus` | The Extension does not add any context menus by default. However, it supports creating new context menu items. The Extension requests this permission at install time because Browser Extension Manifest Version 2 does not support marking it as optional. |
| `identity` | PixieBrix does not use the Identity API by default. However, it is optionally used to authenticate with 3rd party services using launchWebAuthFlow. The Extension requests this permission at install time because Browser Extension Manifest Version 2 does not support marking it as optional. |
| `https://*.pixiebrix.com/*` | The Extension communicates with the Web Application to sync the service token and provide seamless blueprint activation from the Marketplace. |


Optional permissions

| Permission | Reason |
| --- | --- |
| `clipboardWrite` | Support integrations that copy information to your clipboard. |
| `https://*/`, `http://*/` | Allows you to opt in to the content script being run on a particular page. |

When you create/activate a brick, the Extension will make a permissions request for the necessary permissions. The browser will prompt you to accept/deny the request.

Third-party service providers

The following tables enumerate the third-party service providers we use to provide our services.

| Service | Purpose | Data Processed / Stored |
| --- | --- | --- |
|  | Web Application Hosting | Web application data, network requests |
|  | Hosting static content and user uploaded media | Public marketplace screenshots, network requests |
|  | Content delivery network (CDN) | Network requests |
|  | Documentation and career page hosting | Network requests |
|  | Authentication (Optional), browser extension distribution, customer support emails, font hosting, video hosting | Email address, communication, web store reviews |
|  | Server log management | IP address, HTTP request metadata (e.g., time, URL, headers), error stack traces |
|  | Error telemetry | Email address, IP address, browser, operating system, error message, stack trace |
|  | Web application firewall (WAF), security monitoring | Generated user identifier, IP address |
|  | System and account management emails | Email address, account communication |


Optional Service Providers
The following tables enumerate the third-party service providers we use to provide our services.

| Service | Purpose | Data Processed / Stored |
| --- | --- | --- |
|  | Authentication | Web application data, network requests |
|  | Payment processing | Account identifier, payment information |
|  | End-to-end encrypted customer support calls | Information you provide to Zoom |
|  | Product telemetry, seat monitoring | Email, event metadata |
|  | Account onboarding emails | Email address, account communication |
|  | Opt-in newsletters and marketing emails | Email address and any information you provide during newsletter registration |
|  | Privacy-respecting share buttons for marketplace listings | URL requested, referring URL, anonymized IP address. Respects Do Not Track (DNT) headers |
|  | Source code hosting, continuous integration | Information you provide via Issues and Pull Requests |

How we protect your data

The PixieBrix Web Application and Website use cookies for authentication and essential website functionality:

- Session Cookies: the Web Application uses cookies to maintain your session with the web server. These are required to use the Web Application.

- Authentication Cookies: the Website uses cookies from Google to show an account selector and trigger authentication.

- Cookies Notice Acceptance Cookies: the Website uses cookies to remember whether you’ve accepted our Cookies Policy.

If you want to disable cookies entirely, your browser or mobile device might have an option to do that. For more information, including instructions on disabling cookies, please visit: https://www.allaboutcookies.org.

Responsible disclosure

If you believe you have discovered a vulnerability in one of our products, please email us at [email protected]. We will respond within 3 business days to create a remediation plan.

The following systems and services are in scope:

- Website and APIs: https://*.pixiebrix.com
- Web Browser Extensions
- Source code at https://github.com/pixiebrix/

Any other systems and services, e.g., our third-party service providers, are excluded from scope and not authorized for testing. Please refer to their policies, and report any vulnerabilities directly to them.

Additionally, the following activities and test methods are not authorized:

- Revealing the vulnerability to others before it has been resolved
- Taking advantage of the vulnerability, e.g., by downloading or deleting other users' data beyond what is necessary to demonstrate the vulnerability
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access), social engineering (e.g. phishing), or any other non-technical vulnerability testing

We do not currently offer monetary compensation for reporting vulnerabilities, but will recognize you in the public vulnerability disclosure (unless you desire otherwise).

Minors

We created PixieBrix for the exclusive use of adults (18 and older). We don’t knowingly collect or solicit personal information from children. If you are a child under 18, please do not attempt to register for PixieBrix’s products or send any personal information to us.

Changes to this policy

We will continue to update our policies and practices as needed. We will notify you of any changes to our Privacy and Security Policy by posting any changes here. If we do, you’ll see that the date at the top of this Privacy and Security Policy has changed.

How to contact us

If you have any questions about our privacy policies and practices, please contact us at [email protected].