Privacy Policy

General notes

The following notes provide a simple overview of what happens to your personal data when you visit this website (FixXpert) or place a repair order with us. Personal data is any data that can be used to identify you personally. For detailed information, please see the privacy policy below.

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. You can find their contact details in the section "Information on the controller" in this privacy policy.

How do we collect your data?

On the one hand, your data is collected when you provide it to us — for example when you book a repair, contact us or create a customer account. Other data is collected automatically or with your consent when you visit the website (e.g. browser, operating system, time of access).

What do we use your data for?

Some data is collected to ensure error-free provision of the website. Other data is used to receive repair orders, communicate with you, fulfil your order and comply with legal obligations.

What rights do you have regarding your data?

You have the right to obtain free information at any time about the origin, recipient and purpose of your stored personal data. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data under certain circumstances and a right of complaint to the competent supervisory authority.

The controller responsible for data processing on this website is:

Name

Rami Naiim

Address

Rautenstraße 26, 30171 Hannover, Germany

Phone

+49 1737186363

Email

fixxpert@gmx.de

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data.

Data protection

The operators of this site take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. We point out that data transmission on the internet (e.g. when communicating by email) can have security gaps. Complete protection of data against access by third parties is not possible.

Storage period

Unless a more specific storage period is mentioned within this privacy policy, your personal data will remain with us until the purpose for the data processing no longer applies. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law of 6 or 10 years pursuant to §§ 147 AO, 257 HGB).

Legal basis for processing

If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR. If your data is required for the performance of a contract or for pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. We also process your data if it is required for the fulfilment of a legal obligation on the basis of Art. 6(1)(c) GDPR. Data processing may also be carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR.

Recipients of personal data

In the course of our business activities we work with several external service providers. We only pass on personal data to external bodies where this is necessary for the performance of a contract, where we are legally obliged to do so, where we have a legitimate interest pursuant to Art. 6(1)(f) GDPR, or where another legal basis allows the data transfer. Where we use processors (e.g. Vercel, Supabase, Cloudflare, Resend), we only pass on personal data on the basis of a valid data processing agreement under Art. 28 GDPR.

Information, correction and deletion

Within the framework of the applicable statutory provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of data processing and, if applicable, a right to correction or deletion of this data.

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data, in particular if:

• you contest the accuracy of the data we store — for the duration of the verification.
• the processing of your data is or was unlawful and you request restriction instead of deletion.
• we no longer need your data, but you need it to assert, exercise or defend legal claims.
• you have objected pursuant to Art. 21(1) GDPR and it has not yet been determined whose interests prevail.

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in performance of a contract handed over to you or to a third party in a common, machine-readable format.

Right of complaint to the supervisory authority

In the event of breaches of the GDPR, data subjects have a right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The competent supervisory authority for FixXpert is the State Commissioner for Data Protection of Lower Saxony (Prinzenstraße 5, 30159 Hannover, Germany).

Withdrawal of consent

Many data processing operations are only possible with your express consent. You can revoke consent at any time. The lawfulness of the data processing carried out until revocation remains unaffected by the revocation. You can adjust cookie and marketing consent at any time via the "Cookie settings" link in the footer of this website.

Right to object (Art. 21 GDPR)

For security reasons and to protect the transmission of confidential content — such as repair orders or enquiries that you send to us as the site operator — this website uses SSL/TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.

We host our website and process data with carefully selected processors. Data processing agreements pursuant to Art. 28 GDPR exist with all of the following providers.

Vercel (frontend hosting)

Provider is Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. Vercel provides edge/frontend hosting for the FixXpert website. When you access the site, technically necessary connection data (e.g. IP address, user agent, requested URL, timestamp) is processed. Legal basis is Art. 6(1)(f) GDPR (legitimate interest in secure and performant delivery). Transfers to the USA are based on the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework (DPF). More: https://vercel.com/legal/privacy-policy.

Cloudflare (DNS, CDN, security)

Provider is Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. Cloudflare is used as a reverse proxy/CDN, for security functions (DDoS protection, TLS termination) and for Cloudflare Turnstile (see below). Connection data (in particular IP address) is processed. Legal basis is Art. 6(1)(f) GDPR. Standard Contractual Clauses: https://www.cloudflare.com/cloudflare-customer-scc/. Privacy policy: https://www.cloudflare.com/privacypolicy/.

Supabase (database, authentication, storage)

Provider is Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992 (hosted in EU region, Frankfurt). Supabase processes the database content (incl. repair orders, customer accounts, promotions) and authentication data (email, password hash, session tokens) on our behalf. Legal basis is Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR. Privacy policy: https://supabase.com/privacy.

Resend (transactional emails)

Provider is Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Resend sends transactional emails on our behalf (booking confirmations, order status, admin notifications). The email address, name, message content and delivery metadata are processed. Legal basis is Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR. Privacy policy: https://resend.com/legal/privacy-policy.

Cookies & consent management

Our website uses first-party cookies and similar technologies (e.g. localStorage). We distinguish between strictly necessary cookies (e.g. language preference, login session, cookie consent), analytics cookies and marketing cookies. Analytics and marketing cookies are only set after your consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG). You can revoke or adjust your consent at any time via the "Cookie settings" link in the footer. Strictly necessary cookies are stored on the basis of Art. 6(1)(f) GDPR or § 25(2) No. 2 TDDDG.

Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser transmits to us automatically:

• Browser type and version
• Operating system used
• Referrer URL
• Hostname of the accessing computer
• Time of the server request
• IP address

This data is not merged with other data sources. The collection is based on Art. 6(1)(f) GDPR (legitimate interest in technically faultless and secure operation of the website). Server log data is generally deleted after 14 days unless it is required for longer to investigate a security incident.

Repair request / online booking

When you request a repair via the booking form, we process the following data to handle your order:

• First and last name
• Email address
• Phone number
• Optional: shipping address (for mail-in repairs)
• Device details (brand, model, requested repair, quality grade)
• Order details, price and status
• Free-text "Notes" field if you fill it in

This data is stored in our Supabase database and used exclusively to handle the order and to fulfil legal retention and warranty obligations. Legal basis: Art. 6(1)(b) GDPR (contract and pre-contractual measures). Data from completed orders is deleted after the repair has been completed; statutory retention periods (in particular §§ 147 AO, 257 HGB, 6–10 years for accounting documents) remain unaffected.

Customer account (optional, via Supabase Auth)

If you create a customer account, we process your email address, a hashed password and the orders stored on your account. You can have your account deleted at any time by contacting us by email. Legal basis: Art. 6(1)(b) GDPR.

Enquiries by email or phone

When you contact us by email or phone, your enquiry including the personal data resulting from it (name, enquiry, phone number/email) will be stored for the purpose of processing. We will not pass on this data without your consent. Legal basis is Art. 6(1)(b) GDPR if your enquiry relates to the performance of a contract; otherwise Art. 6(1)(f) GDPR. The data remains with us until the purpose for storage no longer applies or you ask us to delete it.

Transactional emails (booking confirmations, status updates)

After a booking is received we send a confirmation email to the address you provided and, where relevant, further status messages. Sending is performed via Resend (see Section 6). Legal basis: Art. 6(1)(b) GDPR.

We use Cloudflare Turnstile to protect our forms (in particular the booking and contact forms) from abusive automated use and spam. Provider is Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA.

Turnstile is intended to verify whether data input on this website is performed by a human or by an automated program. To do so, Turnstile analyses the visitor’s behaviour based on various characteristics. The analysis starts automatically as soon as the visitor enters a website with Turnstile activated. To analyse, Turnstile evaluates various information (e.g. IP address, time spent on the website, mouse movements). The data collected during the analysis is forwarded to Cloudflare.

Storage and analysis of the data is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in protecting its web offerings from abusive automated scraping and from spam. If consent has been requested, processing is exclusively based on Art. 6(1)(a) GDPR and § 25(1) TDDDG; consent can be revoked at any time.

Data processing is based on Standard Contractual Clauses: https://www.cloudflare.com/cloudflare-customer-scc/. Further information: https://www.cloudflare.com/cloudflare-customer-dpa/.

• Server log files: usually 14 days.
• Cookie consent: until revocation or until the consent statement version changes.
• Contact enquiries (email, phone, form): until the request is handled; longer if related to a contract until statutory retention periods expire.
• Repair orders / invoices: 6 or 10 years pursuant to §§ 147 AO, 257 HGB.
• Customer accounts: until deletion by you, or up to 24 months after the last activity.
• Marketing consent: until revocation.

The use of contact data published in the framework of the imprint obligation for sending unsolicited advertising and information material is hereby objected to. The operators of the pages expressly reserve the right to take legal action in the event of unsolicited advertising information, e.g. through spam emails.

We reserve the right to amend this privacy policy so that it always complies with current legal requirements or to implement changes to our services. The new privacy policy will then apply to your next visit.