We designed Phixo to handle email content with maximum restraint. This policy explains exactly what we do and do not do with your data.
Last updated: May 25, 2026 · Effective: March 31, 2026
The short version: Phixo scans your email over an encrypted connection, delivers a threat verdict, then discards the content immediately. We do not store, log, sell, or use your email content for any purpose beyond that single scan. We collect only the minimum data required to operate the service.
Phixo ("we", "our", "us") operates the Phixo Chrome extension and associated backend services. Our registered contact for privacy matters is privacy@phixo.io.
When you open an email in a supported webmail client, Phixo sends the email's text content, subject line, sender address, and any URLs to our analysis API over HTTPS. This data exists in our system for the duration of the scan only (typically under 2 seconds) and is discarded immediately upon completion. It is never written to disk, stored in a database, or retained in any form after the response is sent to your browser.
We collect aggregated, non-identifying metrics such as total scan counts, average scan times, and error rates. These metrics cannot be linked to individual users or email content.
If you purchase a paid plan, we collect your email address, billing information (processed by our payment provider — we do not store card numbers), and subscription status.
Your extension preferences (e.g., scan enabled/disabled, trusted domains list, sidebar position) are stored locally in Chrome’s extension storage on your device. We do not have access to this data.
Email content is used solely to produce a phishing verdict for the specific email you are viewing. Account data is used to manage your subscription and communicate service-related information. Aggregate metrics are used to improve performance and reliability of the service.
We use the following sub-processors who may transiently process data as part of service operation:
For users in the European Economic Area or United Kingdom, our lawful basis for processing email content is legitimate interests (providing the security scanning service you have actively requested). Because we retain no email content after scanning, the privacy impact is minimal. You have the right to object to this processing at any time by uninstalling the extension. For account data, our lawful basis is contract performance. To exercise any GDPR rights, contact privacy@phixo.io.
We do not share your data with any other third parties. We may disclose data if required by law or to protect the safety of users, but we will notify affected users where legally permitted.
Email content: zero retention — discarded immediately upon scan completion. Account data: retained for the duration of your account plus 30 days after deletion. Aggregate metrics: retained indefinitely in anonymized form.
Depending on your jurisdiction, you may have the right to access, correct, or delete personal data we hold about you. To exercise these rights, contact privacy@phixo.io. We will respond within 30 days. Because we do not store email content, there is no email-level data to access or delete.
All data in transit is encrypted via TLS 1.2 or higher. Our infrastructure is hosted on Railway with access restricted to authorized personnel. We maintain a responsible disclosure program for security vulnerabilities — see our Security Disclosure page.
Phixo is not directed at children under 13. We do not knowingly collect personal information from children under 13.
We will post any material changes to this policy on this page and update the "Last updated" date. For significant changes, we will notify users by email where we have an address on file.
Privacy questions: privacy@phixo.io
General contact: Contact page