Does your website use third-party services? Get GDPR compliant in minutes.

Refix

What does Refix do?

Refix is an EU based developer tooling and AI assistant platform that helps engineering teams keep dependencies, configurations and infrastructure in good shape. The product runs server side, processes repository data submitted by the customer through GitHub, GitLab or self hosted Git, and exposes a small in product widget that may be embedded on dashboards. Hosting is on EU infrastructure (AWS eu-west, Hetzner Germany), which keeps Refix in the lower risk band under the GDPR.

What Refix is

Refix is a developer tooling and AI assistant platform built for engineering teams that need to keep dependencies, infrastructure as code and CI configurations under control. It connects to GitHub, GitLab or a self hosted Git server, scans repositories, opens pull requests with safe upgrades and surfaces a dashboard with health scores. The product is operated by an EU company and hosted on EU infrastructure.

What data Refix processes

Refix typically processes repository metadata (package files, manifests, infrastructure as code, Dockerfiles, CI configurations), CI logs and the identity of the engineer who triggered an action. The optional in product widget sets a first party functional cookie (refix_session) for the session and stores the UI preferences. Refix does not collect end user behavioural data on the customer site.

GDPR and ePrivacy implications

The Refix widget cookies are strictly necessary and exempt from consent under Article 5(3) of the ePrivacy Directive. Repository content is processed under contract performance Article 6(1)(b) GDPR. Where engineers can be identified through GitHub or GitLab usernames, Refix is processing personal data and acts as a processor on behalf of the customer.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

Consent and configuration

In product use does not need a cookie banner because only strictly necessary cookies are involved. The Refix marketing website may use analytics or pixels, in which case those analytics flows require an opt in cookie banner like any other public site. Customers should ensure that engineers receive the standard internal information about employee data processing.

Data transfers and hosting

Production processing happens in EU AWS regions (eu-west) and Hetzner Falkenstein. Observability data is sent to Datadog EU. Refix does not export customer repository data to the United States by default. Customer enabled integrations (Slack, GitHub.com, paging tools) may create downstream transfers and must be assessed by the customer.

Practical compliance steps

Sign the Refix DPA, document Refix in the record of processing as a sub processor with EU hosting, configure access by least privilege on the GitHub or GitLab side, exclude repositories that contain personal data or production secrets if not needed, and review the integrations list (Slack, paging) for downstream transfers.

GDPR consent category

Analytics

Websites using Refix must obtain user consent under GDPR regulations.

Legal basisLegitimate interest (Art. 6(1)(f) GDPR) for the strictly necessary functional cookies set by the in product widget, plus contract performance (Art. 6(1)(b) GDPR) for processing repository and configuration data submitted by the customer. Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy Directive) is required for any analytics or marketing pixel layered on the public marketing site.

Risk levellow

Applicable regulationsGDPR, ePrivacy Directive, French CNIL guidelines, German TTDSG, Spanish LSSI, Italian Garante guidelines

DPIA considerations

A DPIA is generally not required for Refix when only repository metadata, dependency graphs and CI logs are processed. It can become relevant if the deployment ingests source code containing personal data, secrets or production telemetry that includes end user identifiers.

Sample consent text

This product uses Refix to manage dependencies and configuration health. The Refix widget sets a small functional cookie to keep your session active. Refix processes repository metadata and configuration files on EU infrastructure on our behalf and does not share data with third party advertisers.

Technical details

Tracking methodJavaScript widget loaded from refix.ai for in product onboarding hints and assistant interactions, REST API for the dependency analysis service. The platform itself runs server side and analyses repository data submitted by the customer. The optional widget on customer websites uses first party functional cookies for the session and device class.

Server locationRefix is operated from the European Union with hosting on AWS eu-west and Hetzner Falkenstein. Service to service traffic is contained in EU regions; observability data may be processed in Datadog EU.

Cookieless tracking availableYes

Third-party domains contacted

refix.aiapp.refix.aiapi.refix.ai

Cookies placed

Name	Type	Duration	Purpose
refix_session	session	Session	Strictly necessary functional cookie that maintains the Refix product session for authenticated engineers.
refix_prefs	persistent	1 year	Stores UI preferences for the Refix dashboard such as the selected workspace and theme.

Refix collects user analytics data — you legally need a consent banner. Try FlowConsent free.

Get started free Scan your site

Frequently asked questions

What cookies does Refix set?

Refix sets a small first party functional cookie (refix_session) when the in product widget is loaded, and a UI preference cookie. No advertising or third party tracking cookies are set on customer products.

Do I need consent to use Refix?

No for the in product widget, because only strictly necessary cookies are involved. The Refix marketing site, like any public site, requires consent for analytics or marketing pixels it may include.

What is the legal basis for Refix?

Contract performance (Art. 6(1)(b) GDPR) for the repository data processed on behalf of the customer. Legitimate interest (Art. 6(1)(f) GDPR) for the strictly necessary widget cookies. Where engineer identity is processed, Refix acts as a processor under a Data Processing Agreement.

Does Refix transfer data to the US?

No by default. Production processing happens in EU AWS regions and Hetzner Germany; observability is handled by Datadog EU. Customer enabled integrations (Slack, GitHub.com, paging tools) may create downstream transfers that the customer must assess.

Do I need a DPIA for Refix?

Generally no when only repository metadata, dependency graphs and CI logs are processed. A DPIA may become relevant if the customer ingests source code containing personal data, secrets or production telemetry that includes end user identifiers.

How do I implement Refix compliantly?

Sign the Refix DPA, document Refix in the record of processing as an EU based sub processor, configure least privilege access on GitHub or GitLab, exclude repositories that contain personal data or production secrets and review the integrations list (Slack, paging) for downstream transfers.

What are the alternatives to Refix?

Other dependency management and developer assistant tools include Renovate, Dependabot, Mend (formerly WhiteSource), Snyk, Sourcegraph Cody and Tabnine. EU based or self hosted options (Renovate self hosted, Mend Renovate, Sourcegraph Cody Cloud EU) are preferred when GDPR alignment is the priority.

How do I update the cookie policy for Refix?

List Refix as an EU based sub processor with the purpose (developer tooling and dependency management), the cookies it sets (refix_session, UI preferences), the legal basis (legitimate interest for functional cookies, contract performance for repository data), the storage location (EU) and the sub processors (AWS eu-west, Hetzner Germany, Datadog EU).

Get compliant — Try FlowConsent free

Free plan · 10-min setup