Privacy Policy

Last updated: 2026-05-15

1. Data controller

The controller of your personal data is the operator of the JustZix service, available at www.justzix.com and as a Chrome extension.

Contact: support@justzix.com.

2. What JustZix is

JustZix is a Chrome extension for injecting your own CSS and JavaScript code into any web page, with optional rule synchronization across devices and time-limited link sharing of rule sets.

Without creating a sync account, the extension works entirely locally in your browser — it does not send anything to our server and we collect no personal data from you.

3. What data we collect and why

Only if you choose to use account synchronization, we collect the following data:

3.1 Sync key

What: a 25-character key in the format SYNC-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX, generated locally in your browser.
How we store it: only as a SHA-256 cryptographic hash. We never see your key in plain form — and cannot recover it if you lose it (only replace it with a new one through the recovery procedure, if you previously added an email).
Why: to identify your account when logging in from different devices.

3.2 CSS / JavaScript rules (sync entities)

What: the CSS and JavaScript code you wrote, along with metadata (rule name, URL pattern, folder/group structure).
Why: to synchronize your rules between your devices.
Note: the code you enter is the content of your rules — we do not analyze or execute it server-side. We store it as received.

3.3 Device sessions

What: a device identifier (UUID generated locally), an optional device label, IP address, browser User-Agent, creation and last-used timestamps.
Why: security (ability to remotely log out from another device), abuse detection, rate limiting.

3.4 Email (optional)

What: an email address if you voluntarily provide it in account settings.
Why: exclusively for the sync key recovery procedure if you lose it, and notifications about planned deletion of an inactive account (see point 5).
What we don't do: we do not send newsletters, marketing offers or promotional content. Email is used solely for operations related to your account.

3.5 Shared rule sets (Shares)

What: if you generate a public link to a rule set, its content (gzip-compressed JSON payload) is stored on the server until expiration (1 to 48 hours) or revocation by you.
Why: so the link recipient can download it.
After expiration/revocation: the data is deleted at the next scheduled task run (daily).

3.6 Google Analytics 4 (only with your consent)

What: on your first visit the site shows a consent banner. If you click "Accept", Google Analytics 4 is loaded (it measures visit count, time on site, country/region down to city level, device type, traffic source). We enable the anonymize_ip option — your IP address is truncated before storage.
What if you reject: the Google tag is not loaded at all. No analytics cookies are set. The site works normally.
Withdrawing consent: clear justzix.com site data in your browser (the jz_consent key in localStorage). The banner will reappear on your next visit.
Where the data goes: Google LLC (USA) as a processor. Google operates under Standard Contractual Clauses (SCC) approved by the European Commission (decision 2021/914).
Legal basis: Article 6(1)(a) GDPR (consent) — granted by clicking "Accept" in the banner. You can withdraw it at any time (see above).

3.7 What we do NOT collect

We do not use Facebook Pixel, Hotjar, or any other third-party trackers beyond the Google Analytics 4 described above (and only with your consent).
We do not collect browsing history or data about the sites you visit after leaving justzix.com.
The extension itself collects no telemetry — it does not read the contents of pages where it operates, does not report which rules you activate or how often.
We do not share any data with third parties for advertising purposes.

4. Legal basis for processing (GDPR Article 6)

Article 6(1)(b) GDPR (contract performance) — collecting and storing account data is necessary to provide the sync service which you yourself activated.
Article 6(1)(f) GDPR (legitimate interest) — storing IP address and User-Agent in sessions serves to prevent abuse and ensure account security.
Article 6(1)(a) GDPR (consent) — voluntary provision of an email address; you can remove it at any time in account settings.

5. How long we keep data (retention)

Data type	Retention period
Sync rules	As long as the account exists.
Automatic backups	24 hourly + 30 daily + 8 weekly. Older ones are automatically deleted.
Device sessions	Active — up to 7 days from last use. Expired / revoked — deleted after 30 days.
Recovery / email verification links	After use or expiration — deleted within 7 days.
Shared rule sets (Shares)	Until expiration (1–48 h) or revocation.
Account without email and inactivity	After 90 days of inactivity, the account and all data are deleted without warning.
Account with verified email but inactive	After 12 months we send a warning email. If the account remains unused for another 30 days — deleted along with all data.
Technical logs (nginx access log, PHP error log)	Up to 30 days — for diagnostics and security.

6. With whom we share data

No one. Your data is not sold, rented, or shared with third parties for commercial purposes. Exceptions:

Hosting operator — the physical location where the servers run (as a processor within the meaning of GDPR Article 28).
Email service provider — when we send you an email (key recovery, account deletion warning), an SMTP server intermediates the delivery.
State authorities — only on the basis of a binding court order or administrative decision.

7. Your rights (GDPR Articles 15–22)

Right of access — you can download all your data via the export function in the extension or by contacting us.
Right to rectification — you can change any account data (display name, email) in extension settings.
Right to erasure ("right to be forgotten") — in extension settings click "Delete account". All data is deleted immediately, irrevocably, in cascade (sessions, rules, backups, shares). Alternatively, write to us at support@justzix.com.
Right to restriction of processing — you can disable sync in the extension; rules will remain only locally.
Right to data portability — you export everything as JSON with one click.
Right to lodge a complaint — you can lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

8. Where we store data

All data is stored on servers located in Poland, within the European Economic Area (EEA). We do not transfer data to third countries.

9. Security

All communication with the server is encrypted using HTTPS (TLS 1.2+).
The sync key is SHA-256 hashed — never stored in plain form.
Sessions are tokenized (opaque random hex), with a 7-day TTL and the ability to log out remotely.
We apply rate limiting to protect against brute-force attacks and DoS.

10. Cookies and localStorage

The www.justzix.com site uses browser storage technologies in the following scope:

Name	Type	Purpose	TTL	Consent?
`jz_consent`	localStorage	Remembering your choice in the cookie banner (values: `accept` or `reject`).	Persistent, until manually cleared.	Strictly necessary (the consent itself) — no consent required.
`_ga`, `_ga_*`	Cookie	Google Analytics 4 — anonymous visit statistics.	Up to 2 years (Google).	Only after clicking "Accept" in the cookie banner (see section 3.6).

The Chrome extension stores data exclusively locally in your browser's chrome.storage.local — this is not a cookie or data sent to us without your action.

11. Children

The service is not directed at persons under 16 years of age. We do not knowingly collect children's data. If we learn that an account was created by a person under 16, it will be deleted.

12. Changes to the policy

We may update this policy. Material changes will be announced on this page in advance. The date of the last update is at the top of the document. Continued use of the service after changes take effect constitutes acceptance.

13. Contact

Direct all privacy questions to: support@justzix.com.