Our Commitment to UK GDPR
FixBlox takes data protection seriously. As a UK-based company handling personal data on behalf of our customers, we fully comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This page explains how we process personal data, the legal grounds we rely on, and how you can exercise your data rights. For a broader overview, see our Privacy Policy.
What Personal Data We Process
FixBlox processes the following categories of personal data:
- Caller data: phone numbers, names, and any personal information callers volunteer during conversations (e.g. address, service requirements, availability).
- Call recordings and transcripts: full audio recordings and AI-generated text transcripts of every call handled by the Service.
- Customer account data: your name, email address, phone number, billing address, and payment information.
- Booking data: appointment dates, times, and service details collected during calls.
- Usage data: analytics about how you interact with the FixBlox dashboard and website.
Lawful Basis for Processing
Under UK GDPR, we rely on the following lawful bases depending on the type of data and the context:
- Consent (Article 6(1)(a)) — Callers are informed that calls may be recorded and handled by an AI system, and by continuing the call they consent to this processing. Customers consent to account data processing when signing up.
- Contract (Article 6(1)(b)) — We process customer account and billing data to perform our contract with you (i.e. to provide the Service and take payment).
- Legal obligation (Article 6(1)(c)) — We retain certain billing records for up to 6 years to comply with UK tax and accounting laws.
- Legitimate interests (Article 6(1)(f)) — We use analytics to improve the Service and detect abuse. We do not use legitimate interests as a basis for processing call recordings or caller personal data.
Data Storage Location
All personal data processed by FixBlox is stored on servers located within the United Kingdom and the European Economic Area (EEA). Specifically:
- Call recordings and transcripts are stored in UK-based data centres.
- Customer account data is stored in UK-based data centres.
- Analytics and usage data may be processed in the EEA under equivalent data protection safeguards.
Third-Party Processors
We share personal data with the following third-party processors, each of whom is contractually bound to process data only in accordance with our instructions and UK GDPR:
- Twilio — Voice infrastructure provider. Call audio and metadata are processed through Twilio's UK/EU infrastructure. Twilio Privacy Policy
- OpenAI — AI speech recognition and language processing. Short-duration audio clips and transcripts may be processed by OpenAI for real-time call handling. No data is used for model training. OpenAI Enterprise Privacy
- Stripe — Payment processing. Stripe handles billing data and payment card information. They never have access to call recordings or caller personal data. Stripe Privacy Policy
- Vercel — Website hosting. Vercel serves the FixBlox website and dashboard. No call recordings or customer data are stored by Vercel. Vercel Privacy Policy
- PostHog — Product analytics. PostHog processes anonymised usage data to help us improve the dashboard. No personal data or call content is shared with PostHog. PostHog Privacy Policy
Data Subject Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15) — Request a copy of all personal data we hold about you. We will respond within 30 days.
- Right to rectification (Article 16) — Ask us to correct any inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Article 17) — Request deletion of your personal data. We will delete it unless we are legally required to retain it (e.g. billing records for tax purposes).
- Right to restrict processing (Article 18) — Ask us to temporarily stop processing your data while a request or dispute is being resolved.
- Right to data portability (Article 20) — Request your data in a structured, machine-readable format (e.g. JSON or CSV).
- Right to object (Article 21) — Object to us processing your data for direct marketing or legitimate interests. We will stop unless we have compelling legitimate grounds.
- Rights related to automated decision-making (Article 22) — You have the right not to be subject to a decision based solely on automated processing where it produces legal effects. FixBlox's AI call handling is always subject to human review via the dashboard.
How to Exercise Your Rights
You can exercise any of your data subject rights by:
- Emailing privacy@fixblox.com with your request.
- Deleting call recordings directly from your dashboard, if you are a FixBlox customer.
We will acknowledge your request within 5 working days and complete it within 30 days (unless the request is complex, in which case we may extend the deadline by a further 60 days and will notify you).
We may need to verify your identity before processing your request. If we cannot identify you, we will let you know and may ask for additional information.
Data Processing Agreement (DPA)
If you are a FixBlox customer and need a Data Processing Agreement (DPA) for your compliance records, we provide one that covers:
- The scope and purpose of data processing.
- Data security measures and breach notification procedures.
- Sub-processor lists and notification of changes.
- Data retention and deletion commitments.
- International transfer safeguards (where applicable).
To request a DPA, email privacy@fixblox.com with your account details. We will send you a signed copy within 5 working days.
Data Security Measures
We implement the following technical and organisational measures to protect personal data:
- Encryption at rest (AES-256) and in transit (TLS 1.3) for all data.
- Access controls — only authorised FixBlox personnel can access customer data, and access is logged and audited.
- Regular security reviews and vulnerability assessments.
- Breach notification — we will notify affected customers within 72 hours of becoming aware of a personal data breach, as required by UK GDPR.
- Staff training — all FixBlox employees receive data protection training annually.