Privacy Policy

Data controller: Muhammed Alperen Taşyürek (operating as Pixel Office; Beyoğlu Vergi Dairesi, VKN 8300327190; Şehit Muhtar Mah. Mis Sk. No: 24 İç Kapı No: 28 Beyoğlu/İstanbul, Türkiye). Categories collected:

• Account information (name, email) — via Clerk • Service usage (office name, vertical, which Pixmates you use, brief content, output) • Technical data (IP, browser, OS, anonymous session metrics) • Cookies and similar (session management, preferences)

Strictly necessary: sign-in + locale (always used) Analytics: PostHog (anonymous product usage) Third-party: Clerk (auth) + Paddle (payments)

You can disable cookies in your browser, but parts of the service may stop working.

We use these providers to deliver the service:

• Clerk (auth) — see clerk.com privacy policy • Anthropic (AI) — see anthropic.com privacy policy • OpenAI (fallback AI) — see openai.com privacy policy • Paddle (payments, Merchant of Record) — see paddle.com privacy policy • Vercel + Railway + Neon (infrastructure) • Sentry + PostHog (observability)

None of these providers use your data for their own marketing; we have signed Data Processing Agreements (DPAs).

Your briefs, files, or output are NOT used to train Anthropic or OpenAI models. We call the Anthropic API in 'no training' mode and opt out of OpenAI's training pipeline.

Pixel Office itself doesn't train models on user data either. Aggregated, anonymised usage metrics (e.g. "which Pixmate is hired most often") are used for platform improvements only.

Through the Google account you connect, we access only the data you EXPLICITLY consent to in /profile's consent screen. No data is used for marketing, profiling, or third-party advertising.

• Calendar (calendar.events + calendar.readonly): read events, create events, find free slots. Used by Personal Assistant + Kai + meeting-facilitator. Data isn't stored in Pixel Office's DB; every call hits Google's API at request time.

• Gmail (gmail.modify): list/read threads, send mail, modify labels. Powers Personal Assistant inbox-zero and b2b-sales reply tracking. Email content is NOT persisted on Pixel Office servers; it is processed transiently in memory only to produce the current Pixmate's response.

• Sheets (spreadsheets): read ranges, append rows, update cells. For CRM/tracker Pixmate flows. Sheet content isn't persisted.

• Drive (drive.readonly): list files, read content (Docs / Sheets / Slides export + text/* files). For document-parser and editorial-producer intake flows. File content isn't persisted; binary files (PDF / media) aren't even fetched.

• Analytics (analytics.readonly): GA4 traffic / source / conversion reports. For marketing/analyst Pixmate reports. Read-only; we don't write to GA4.

• Search Console (webmasters.readonly): no site management rights — only query/click/impression/position data. For Ava SEO Pixmate reports.

Retention: Google data flows through the request-response chain only; it isn't cached long-term. OAuth tokens (access_token + refresh_token) are stored Fernet-encrypted in the tenant_integrations table — decrypted only inside tool invocations, never logged in plaintext.

Pixel Office's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In practice this means: • We use Google data only to complete the work the user's Pixmate is performing. • We do NOT use Google data for advertising, profiling, or transfer to third-party marketers. • We do NOT use Google data for AI model training — neither Anthropic / OpenAI's training, nor any Pixel Office model. • We do NOT read Google data with human eyes (outside the user's explicit consent for debug/support). • We do NOT share Google-sourced data with any other SaaS, partner, or affiliate.

You can disconnect your linked Google account at any time via the 'Disconnect' button on /profile. On disconnect: • Your OAuth tokens are deleted from the tenant_integrations table immediately. • Subsequent Pixmate calls can no longer access Google data. • To fully revoke the authorization on Google's side as well, visit https://myaccount.google.com/permissions and remove Pixel Office.

To delete your entire account, do it yourself from your Profile page under "Danger Zone → Delete account": re-type your email to confirm, then delete. Deletion happens IMMEDIATELY: • Every OAuth / integration token is best-effort revoked at the provider and deleted from our database. • The offices you SOLELY own and everything in them (brief content, Pixmate output, uploaded documents, credit/token history, subscription + payment records) are deleted. • For offices with other owners, only your membership is removed; rows in those offices that referenced you (e.g. payment orders you created) are anonymised (your user link is nulled). • Your user row (name, email, identity) is deleted entirely. • Full deletion from backups can take an additional 90 days (rolling backup retention).

If your JWT carries no usable email (legacy accounts), the self-serve delete may not work; in that case email an 'account deletion' request to alperen@pixel-office.com.

• HTTPS everywhere (HSTS active) • Sensitive DB fields (API keys) encrypted with Fernet • Optional 2FA via Clerk • Anomalous-session detection (Sentry + Clerk Client Trust)

No system is 100% secure — please report suspected breaches to our privacy team.

Pixel Office doesn't serve users under 18. If we learn an account belongs to a minor, it will be deleted.

Data may be processed on servers outside Turkey (notably the EU and US). Such transfers happen under Standard Contractual Clauses (SCCs) and Article 9 of the Turkish KVKK.

Privacy questions: alperen@pixel-office.com

We respond within 30 days.