Last updated January 26th, 2024

Privacy and security

Your privacy is important to PixieBrix. We respect your privacy regarding information we may collect from you across our website.

PixieBrix privacy and security policy

This privacy and security policy (“Privacy and Security Policy”) explains how PixieBrix, Inc. (“PixieBrix” or “we”) collects and processes information from users of the website and software applications (collectively “PixieBrix’s products”). PixieBrix’s products include the:

- Web browser extension (the “Extension”)
- Web application located at app.pixiebrix.com (the “Web Application”)
- Documentation located at docs.pixiebrix.com (the “Documentation”)
- Website located at www.pixiebrix.com (the “Website”)

What data we transmit and store

This section enumerates what data we transmit and store. The Third-party service providers section details which third-party service providers we use to deliver our products.

Name and email address
When you register with the Web Application, we collect your name and email address from the service you used to authenticate. We use this information to 1) send you account-related communication, such as team invitations, onboarding, and billing, and 2) provide customer support.

Additionally, you may opt in to newsletters and marketing information with your email address. We do not share this information with or sell it to third parties; you may opt out at any time.

Account settings
Extension settings are stored locally in the Extension. Web Application settings are stored in the Web Application.

Brick and integration configurations
The Web Application stores mods you create so that you can access them on any browser. Additionally, it stores any brick and integration configurations you choose to make public or share with your team.

Error telemetry
The Web Application and Extension report error telemetry with your account email, IP address, operating system, browser version, and sanitized error details. You can disable error telemetry by visiting the Settings screen in the Extension.

Product telemetry
The Web Application and Extension report product usage telemetry/events with your account email, IP address, operating system, browser version, and event details. The event details do not include information about your browsing history. See this GitHub search for an up-to-date list of the events and information collected. You can disable product telemetry by visiting the Settings screen in the Extension Console.

Team API calls
If you choose to use the shared team integration configuration feature for authentication, those API calls will be transmitted through the API Gateway. The API Gateway does not capture or log any data sent or received from those API calls. The API Gateway does, however, log request metadata such as call frequency for billing and in order to prevent abuse.

How we protect your data

We are dedicated to protecting your information and have put in place electronic and procedural safeguards.

Procedures
We use Two Factor Authentication (2FA) and password managers, and limit administrative access to PixieBrix Products.

Open source
The Extension is available open-source on GitHub. The Chrome Web Store description includes a link to the build.

Runtime controls
The PixieBrix framework provides fine-grained control over which websites features can run on, and which calls an integration configuration can authenticate.

Encryption
Web Application data is encrypted at rest with AES-256, block-level encryption. All internal traffic, as well as traffic between the Extension and Web Application, is encrypted during transit with TLS/SSL.

Web application protection
The Web Application is protected by a Web Application Firewall (WAF) and Runtime Application Self-Protection (RASP).

Vulnerability scanning
We automatically monitor PixieBrix’s software dependencies for security disclosures. Additionally, we run static analysis tools as part of our development and continuous integration processes.

Third-party review
Each version of the Extension published in the Chrome Web Store is reviewed by Google prior to distribution. See Chrome Developers: Frequently Asked Questions for more information on their review process.

Extension permissions

When you install the Extension, you will be prompted to accept the required permissions. We try to minimize the set of permissions the Extension requests up front, subject to browser technical limitations. If you create/activate features that require additional permissions, the Extension will prompt you to accept those permissions before you can use those features.

The use of browser permissions is reviewed by the Google Chrome Web Store team prior to distribution.

Required permissions

Permission: Reason

- storage: The Extension stores account settings and configuration locally
- tabs: The Extension uses the tabs API in conjunction with the Web Navigation API for three purposes:
  1. Load the content script into pages
  2. Notify the content script on Single Page Applications (SPAs) of navigation events
  3. For multi-tab workflows, track relationship between parent/child tabs

  The Extension does not record/modify any information about tabs or their URLs.
- activeTab: The activeTab permission allows you to temporarily grant access to a tab in order to develop a new brick using the developer panel tools.
- webNavigation: The Extension uses the Web Navigation API to detect page navigation events on Single Page Applications (SPAs). The Extension does not store the information it retrieves from this API.
- contextMenus: The Extension does not add any context menus by default. However, it supports creating new context menu items. The Extension requests this permission at install time because Browser Extension Manifest Version 2 does not support marking it as optional.
- https://*.pixiebrix.com/*: The Extension communicates with the Web Application to sync the service token and provide seamless blueprint activation from the Marketplace.
- <all_urls>: Allows PixieBrix to display the floating action button and to activate mods on any page.
- identity: Enables OAuth2 authentication flows with integrations. The Extension requests this permission at install time because Browser Extension Manifest Version 2 does not support marking it as optional.


Optional permissions

Permission: Reason

- clipboardWrite: Support integrations that copy information to your clipboard.

Third-party service providers

The following tables enumerate the third-party service providers we use to provide our services.

Purpose: Data Processed / Stored

- Web Application Hosting: Web application data, network requests
- Hosting static content and user uploaded media: Public marketplace screenshots, network requests
- Content delivery network (CDN): Network requests
- Documentation and career page hosting: Network requests
- Performance, Error, and Security Monitoring: Email address, IP address, request metadata
- Authentication (Optional), browser extension distribution, customer support emails, font hosting, video hosting: Email address, communication, web store reviews
- System and account management emails: System and account management emails


Optional Service Providers
The following tables enumerate the third-party service providers we use to provide our services.

Purpose: Data Processed / Stored

- Authentication: Web application data, network requests
- Payment processing: Account identifier, payment information
- End-to-end encrypted customer support calls: Information you provide to Zoom
- Product telemetry, seat monitoring: Email, event metadata
- Account onboarding emails: Email address, account communication
- Product telemetry and user feedback
- Privacy-respecting share buttons for marketplace listings: URL requested, referring URL, anonymized IP address. Respects Do Not Track (DNT) headers
- Source code hosting, continuous integration: Information you provide via Issues and Pull Requests
- Customer support: Email, support communication
- Customer support: Email, support communication

Third-party integration privacy

The use of Third-Party Integrations with PixieBrix is optional. PixieBrix only transmits to Third-Party Integration Providers if you configure that provider for use with a mod you activate. The data transmitted, stored, and shared is limited to the data required for mod operation.

Sign in with Google

When you use Sign in with Google to authenticate with PixieBrix, Google provides your name, email address, and profile picture. PixieBrix uses this information to authenticate you. We do not share or sell this information to other third-party tools (such as AI models).

The use of Sign in with Google is optional. To opt out of using Sign in with Google, use Sign in with Microsoft or enter your email to receive a registration/login link.

Google Cloud APIs

When you use a Google Cloud API integration, e.g., the Google Translation API, PixieBrix transmits the request to Google. We do not share or sell the information you provide to other third-party tools (such as AI models).

PixieBrix’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

The use of Google Cloud APIs is optional. To opt out of transmitting data to Google Cloud, do not create or use a mod that utilizes a Google Cloud API.

Google Drive

When you use the Google Drive integration, PixieBrix transmits data to/from Google Drive to display available files and/or perform file operations for the mods you activate. We do not share or sell the information you provide to third-party tools (such as AI models).

PixieBrix’s use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

The use of Google Drive is optional. To opt out of transmitting data to/from Google Drive, do not configure the Google Drive integration.

Microsoft: Sign in with Microsoft, Microsoft APIs

PixieBrix only shares information with Microsoft if you use Sign in with Microsoft, or configure Microsoft for use with a mod you activate. Data shared with Microsoft is limited to data required for authentication and/or mod operation.

PixieBrix’s use and transfer of information received from Microsoft APIs to any other app will adhere to Microsoft APIs Terms of Use.

OpenAI/ChatGPT

PixieBrix’s use of the OpenAI APIs is subject to their API Data Privacy Policy. Data and metadata transmitted to the OpenAI APIs are not used for training.

Artificial Intelligence (AI) policy

By default, PixieBrix does not transmit or share your browsing data or API calls with AI models. You may opt in to using AI by activating or creating a mod that calls an AI model provider.

Cookies policy

The PixieBrix Web Application and Website use cookies for authentication and essential website functionality:

- Session Cookies (Required): the Web Application uses cookies to maintain your session with the web server. These are required to use the Web Application.

- Authentication Cookies (Required): the Website uses cookies from Google to show an account selector and trigger authentication.

- Cookies Notice Acceptance Cookies (Required): the Website uses cookies to remember whether you’ve accepted our Cookies Policy.

- Product Telemetry Cookies (Optional): we use cookies to measure feature usage and user experience to inform product decisions.

If you want to disable cookies entirely, your browser or mobile device might have an option to do that. For more information, including instructions on disabling cookies, please visit: https://www.allaboutcookies.org.

Responsible disclosure

If you believe you have discovered a vulnerability in one of our products, please email us at [email protected]. We will respond within 3 business days to create a remediation plan.

The following systems and services are in scope:

- Website and APIs: https://*.pixiebrix.com
- Web Browser Extensions
- Source code at https://github.com/pixiebrix/

Any other systems and services, e.g., our third-party service providers, are excluded from scope and not authorized for testing. Please refer to their policies, and report any vulnerabilities directly to them.

Additionally, the following activities and test methods are not authorized:

- Revealing the vulnerability to others before it has been resolved
- Taking advantage of the vulnerability, e.g., by downloading or deleting other users' data beyond what is necessary to demonstrate the vulnerability
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access), social engineering (e.g. phishing), or any other non-technical vulnerability testing

We do not currently offer monetary compensation for reporting vulnerabilities, but will recognize you in the public vulnerability disclosure (unless you desire otherwise).

Minors

We created PixieBrix for the exclusive use of adults (18 and older). We don’t knowingly collect or solicit personal information from children. If you are a child under 18, please do not attempt to register for PixieBrix’s products or send any personal information to us.

Changes to this policy

We will continue to update our policies and practices as needed. We will notify you of any changes to our Privacy and Security Policy by posting any changes here. If we do, you’ll see that the date at the top of this Privacy and Security Policy has changed.

How to contact us

If you have any questions about our privacy policies and practices, please contact us at [email protected].