Overview
Bixah ("we," "our," or "us") is a cybersecurity product built by Jordanian youth and operated from Jordan. This Privacy Policy explains how we handle information when you use the Bixah app, visit our website at bixah.com, or interact with any of our services.
This policy complies with the Jordanian Personal Data Protection Law (Law No. 24 of 2023), and aligns with internationally recognized privacy standards including GDPR principles.
By using Bixah, you agree to the practices described in this policy. If you do not agree, please discontinue use of our services.
What we collect
We collect only the minimum data necessary to deliver automatic link protection.
| Data type | Purpose | Retention |
|---|---|---|
| URL submitted | Analyzed in real time to determine phishing risk. Message context is never accessed. | Not stored. In-transit only. |
| Account email | Account creation, subscription management, and security alerts. | Subscription duration + 30 days. |
| Billing & transaction records | Payment processing via third-party provider. We do not store card numbers. | Retained for the period required by applicable Jordanian tax, accounting, and financial laws. Consult your Jordanian accountant to confirm the exact period. |
| Device identifiers | Linking subscription to authorized devices. Enforces Solo (1 device) and Family (5 devices) limits. | Duration of subscription. |
| Threat detection logs | Anonymized, non-reversible feature vectors derived from URL analysis — used only for your daily summary notification and to retrain the detection model. Raw URLs are not stored. No vector is linked to your identity. | Rolling 30 days, then permanently deleted. |
| Crash reports | Opt-in only. Contains OS version and error stack trace — no personal content. | 14 days. |
What we never collect
We want to be explicit about what Bixah does not do:
- We do not read, access, or store the content of your messages, emails, or chats — only URLs are analyzed.
- We do not store the URLs or domains you submit after analysis is complete.
- We do not track your location, GPS coordinates, or physical whereabouts.
- We do not collect your contacts, call logs, photos, camera, or microphone input.
- We do not build behavioral profiles or advertising audiences from your usage.
- We do not sell, rent, or broker your personal data to any third party — ever.
- We do not share data with government entities unless legally compelled by a valid Jordanian court order, in which case we notify you unless prohibited by law.
How we use your data
The data we collect is used for exactly the following purposes — nothing else:
- Delivering link protection — analyzing URLs in real time to detect phishing, malware, and redirect attacks.
- Account management — creating your account, processing your subscription, and linking authorized devices.
- Daily summary notifications — sending you an anonymized count of threats detected on your device that day.
- Improving detection accuracy — aggregated, anonymized threat patterns help retrain the AI model. No individual user data is used.
- Security communications — notifying you of critical security matters related to your account.
- Legal compliance — meeting obligations under Jordanian law, including tax records and lawful data requests.
Data storage & security
We apply multiple layers of technical and organizational controls to protect your data:
- Encryption in transit — Bixah enforces encrypted connections to its own services. Our hosting and CDN providers also apply transport-layer security to traffic they handle on our behalf.
- Encryption at rest — account data stored in our systems is encrypted. Specific algorithms may vary by service component and are reviewed periodically.
- Access control — data access is restricted to Bixah engineers on a need-to-know basis, enforced by role-based permissions and audit logs.
- No raw URL logging — URLs submitted for analysis are processed in-memory and are not written to disk or stored in a database. Only non-reversible feature vectors are retained for model retraining.
- IP addresses — Bixah does not intentionally retain IP addresses in its application-level threat logs. Hosting and security providers (e.g., Cloudflare) may process network information temporarily to deliver and secure the service, in accordance with their own privacy policies.
- Infrastructure — we apply security best practices to our infrastructure and conduct periodic security reviews. We do not assert third-party certifications on your behalf — please review the policies of our hosting providers for their compliance posture.
- Breach notification — in the event of a serious personal-data breach that may cause significant harm, we will notify affected individuals within 24 hours of discovery and notify the competent Personal Data Protection Unit within 72 hours, as required by applicable Jordanian law.
Third-party services
We work with a small number of trusted third-party providers, contractually bound to use your data only on our behalf:
| Provider | Purpose | Data transmitted |
|---|---|---|
| Payment processor | Processing subscription payments for Solo and Family plans. | Email address and billing amount. Card data is handled entirely by the processor — Bixah never receives or stores card numbers. |
| Cloud infrastructure & CDN | Hosting Bixah's backend API, detection model, and static website. | Anonymized request metadata. These providers may process IP addresses and network identifiers as part of delivering and securing the service. Bixah does not intentionally log IP addresses at the application level. |
| Google Safe Browsing | Cross-referencing submitted URLs against Google's database of known phishing and malware sites to augment Bixah's own detection model. | The full URL (or a hash prefix thereof, per the Safe Browsing API v4 specification). No account identifier, device identifier, or personal information is transmitted alongside the URL. See Google's Privacy Policy. |
| VirusTotal | Optional secondary scan of URLs against VirusTotal's aggregated threat intelligence feed. | The full URL. No account identifier or personal information is attached. Submitted URLs may be shared by VirusTotal with its security-community partners in accordance with VirusTotal's terms. See VirusTotal's Privacy Notice. |
| Transactional email provider | Sending account confirmations, receipts, and security notifications. | Email address and notification content only. |
We do not use advertising networks, analytics trackers, or social media pixels on any Bixah service.
Cookies & local storage
Our website uses minimal, functional-only storage:
- Session cookies — used to keep you signed in during a browser session. Expire when you close the browser.
- Local storage (scanner) — a single flag (
bixah_scan_used_v2) is stored in your browser to enforce the one-free-scan-per-device limit on the homepage tool. This contains no personal data. - No tracking cookies — we do not set any third-party, advertising, or analytics cookies. We do not use Google Analytics, Facebook Pixel, or similar tools.
Children's privacy
Bixah's individual-account service is intended for users aged 13 and above. We do not knowingly collect personal data from children under 13 through a direct account relationship.
Family Plan and under-13 users: The Bixah Family Plan is designed to be managed by a parent or adult guardian. A child under 13 may benefit from Bixah's link-protection feature only when they are added as a protected device under a parent-managed Family Plan account. In this case, the parent or guardian is the account holder and data controller for that child's device. Bixah does not create a direct account relationship with the child, does not collect the child's personal information independently, and applies the same data-minimization principles to all protected devices.
If you are a parent or guardian and believe your child's data has been collected outside this framework, contact privacy@bixah.com and we will delete it promptly.
Your rights
Under the Jordanian Personal Data Protection Law and applicable international standards, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — request that inaccurate or incomplete data be corrected.
- Deletion — request deletion of your data within 30 days, subject to legal retention requirements.
- Data portability — request your data in a structured, machine-readable format.
- Objection — object to any processing you believe is not justified.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
- Complaint — lodge a complaint with the Personal Data Protection Unit or relevant Jordanian data protection authority.
To exercise any of these rights, email privacy@bixah.com. We will respond within 15 business days.
You may initiate account deletion from within the app: Settings → Account → Delete Account. Alternatively, email privacy@bixah.com with subject line "Account Deletion Request" and we will process it within 30 days. Certain billing and transaction records may be retained where required by applicable law.
Data retention
- Active account data is retained for the duration of your subscription plus 30 days after cancellation.
- Billing records are retained for 7 years as required by Jordanian tax law.
- Anonymized, aggregated threat statistics may be retained indefinitely as they contain no personal data.
- On account deletion, all personal data is permanently purged within 30 days, except where legal obligations require otherwise.
Changes to this policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or product features. When we make material changes, we will notify you via email (if you have an account) and update the effective date at the top of this page.
Your continued use of Bixah after changes are posted constitutes acceptance of the updated policy.
Contact us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, our privacy team is here to help.
Bixah Privacy Team
Amman, Jordan · 🇯🇴 Built by Jordanian Youth