The classifier reads column names and types, so it gets most flags right and some
wrong. This page shows how to fix a mis-classified column — mark a missed one, clear a false
positive — and make the fix stick across every future scan. A correction is a mechanical fact you
are allowed to set; it never touches a legal call.
When to correct a flag
Two things go wrong, and both have the same fix:
A false positive — a column flagged as personal that isn't. A server_ip in
a telemetry table is infrastructure, not a data subject's address.
A missed column — personal data the name didn't reveal. A status column
that actually holds a health status is Special category (Art. 9),
but "status" reads as ordinary.
The classifier shows its reasoning on every flag (the matched rule and its confidence — see
Read the map), so a wrong call is easy to spot. You correct
it one of two ways: from your project — say it to your coding agent, or run the
command yourself — or in the Map. Both write the same correction.
Correct it from your project
Review every flag in one pass
Don't hunt through the map column by column. Hand the whole catalog to your coding agent and let it
do the first pass:
say
“Review the personal-data flags in my Regixo catalog and correct the ones that are wrong.”
↪No single command does this. Regixo has no classify all — your agent reads each column’s name and type and runs regixo classify set once per wrong flag. Each correction stands on its own.
Hand it the playbook first. Regixo's own classifier is built so that it can only read
column names and types — it has no way to reach the values. Your agent does. That limit holds because
the playbook states it, not because your agent will infer it: run regixo classify --skill
and give your agent the output. It carries the two lines it must never cross, the exact commands, and
the column-id format.
A good pass does three things:
Fixes the clear mistakes — a missed nickname, an over-flagged ip.
Hands the ambiguous ones back to you instead of guessing.
Shows you every change it made, column by column.
Nothing it does is hidden or final: regixo classify list shows every correction that
landed, and regixo classify clear reverts any of them.
Fix a single column
Once you know which flag is wrong — spotted on the map, or reported back by your agent — one command
sets or clears a column's personal-data classification:
say
“Correct the personal-data flag on that column in Regixo — the scanner got it wrong.”
Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo classify set <columnId><personal|special|criminal|not>
The four calls map onto the mechanical flag Regixo carries for the column:
personal
Ordinary personal data — the column holds it, no special article applies.
special
Special category under Art. 9 (health, ethnicity, religion, biometric, sexual orientation, trade-union…). Flags it and its own count.
criminal
Criminal-offence data under Art. 10 — a separate class from Art. 9.
not
Not personal data — clears the flag (suppresses a false positive).
Clear a false positive on that infrastructure IP:
say
“Regixo flagged our logs.ip column as personal data, but it holds infrastructure IPs. Correct it.”
Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo classify set app-db/public/logs.ip not
then
The flag flips, and the correction is stored outside the scan snapshot — so
regixo watch re-derives Regixo's own flags from scratch and then layers yours back on
top. A re-scan never wipes it. It flows straight into your RoPA draft.
Check it worked: on the Map the column loses its personal-data tag and its row now reads
corrected by you; the dataset it belongs to gains a ✓ corrected chip in the rail.
Your full override list is one sentence away — it is the next block.
Show what it prints in the terminalHide the terminal outputShow what your agent reportsHide what your agent reports
example output
Corrected app-db/public/logs.ip → not. It flows into your RoPA draft and survives a re-scan. Undo: regixo classify clear app-db/public/logs.ip
Mark a column the name hid — a health status the classifier read as ordinary:
say
“Our patients.status column holds health data. Flag it as special-category in Regixo.”
Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo classify set app-db/public/patients.status special
Undo a correction and hand the call back to the classifier:
say
“Undo the personal-data correction I made on that column in Regixo.”
Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo classify clear app-db/public/logs.ip
List every correction you've made — this shows only the columns a human has overridden, which is
the set worth auditing:
say
“Show me which personal-data flags I have corrected in Regixo.”
Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo classify list
then
Only the columns someone overrode — never Regixo’s own calls. That is deliberate: it is the
set worth auditing, because it is where someone disagreed with the scanner. Each row records who.
Check it worked: a correction you asked for and cannot find here did not land. Ask
again, naming the column id exactly as the Map shows it.
Show what it prints in the terminalHide the terminal outputShow what your agent reportsHide what your agent reports
example output
Your PII corrections (these survive a re-scan):
app-db/public/logs.ip → not (ip)
app-db/public/patients.status → special (status)
Add --json to any of these for machine-readable output. Every command
is non-interactive — a missing or unknown column id is a coded
CLASSIFY_INPUT_INVALID error, never a prompt.
How do I find a column's id?
A column id is source/schema/table.column — the last dot separates the column
from its dataset (e.g. dataset app-db/public/logs, column ip). Two ways
to get one: search for it — regixo search ip lists matching columns with their ids —
or open the Map (regixo open) and read it off the column row.
Correct it in the portal
Start on the Map. The rail on the left is one fold per source; the filters above it carry
live counts — Personal data, Art. 9, Art. 10 — so the columns worth checking are a
click away. Open the source, pick the dataset.
what you’ll see — the Map rail: the five filters with their live counts, and a source fold opened
Every column in the pane carries a Correct control. Open it and you get a
"This column is" select with the same four calls —
Personal data / Special category · Art. 9 / Criminal offence · Art. 10 /
Not personal data — and Save. Picking one writes the identical correction
regixo classify writes, and the fine print says it plainly: a mechanical fix, never a
legal judgement. It overrides Regixo's detection, survives every re-scan, and is logged in
What changed. Once a column is
corrected, its row says corrected by you and a second button appears —
Revert to Regixo's call — which hands the flag back to the classifier. Use whichever surface
fits the moment: the Map when you're reading the estate, your project when you're scripting, working
headless, or handing the job to your agent.
what you’ll see — the Map, with a dataset open: the columns table on stripe / stripe / payment_method, and the Correct control open on two of them
A different surface. An assistant registered against the read-only
regixo mcp server can read a column's flag (get_dataset) but not
change it — that server has no write tool at all. To have an agent correct a flag, ask your
coding agent, which runs regixo classify set in this project, exactly as above. A flag
is a mechanical fact, so an agent may set it; the legal calls stay a human's
(Hard Rule #4). See Use an AI agent.
Why corrections stick across a re-scan
A correction is stored outside the scan snapshot. When regixo watch re-scans a
source, the classifier re-derives its own flags from scratch — but your corrections are layered back
on top afterwards, so a re-scan never wipes them. The correction then re-flows everywhere the flag is
read: the Map, the RoPA draft, the personal-data counts, and the agent surface.
One column, keptregixo classify pins one column by id. It carries who set it (from
REGIXO_SIGNER_EMAIL when set) and holds through every future scan until you
clear it. For a rule that should apply across the whole estate by name, use
regixo.yml instead.
A correction changes the flag, not the law
Setting or clearing the personal-data flag is a mechanical fact a human may correct. It never
touches purpose, lawful basis, retention or transfers — those are legal judgments only a
person on your compliance team confirms and signs (Hard Rule #4). Regixo suggests and sanity-checks;
it never self-confirms a legal field, and classify has no way to.
Tune the classifier in regixo.yml
When a correction isn't about one column but a naming pattern across your estate, encode it
once in regixo.yml under pii. Two knobs, applied at scan time to every
column by name:
regixo.yml
version: 1
pii:
extraPatterns: # extra regex, tested against the column name (case-insensitive)
- "member_ref$" # our internal person key — flag anything ending member_ref
- "^crm_.*_id$"
allowList: # exact column names to suppress entirely (case-insensitive)
- country # a plain country column — not personal on its own
- server_ip
pii.extraPatterns
Regex patterns matched against the column name. A hit adds a personal-data flag (confidence 0.7). A malformed pattern is ignored, never an error. These only add ordinary personal flags — they can't set Art. 9 or Art. 10; use classify … special|criminal for that.
pii.allowList
Exact column names (case-insensitive) to suppress before any rule runs. Use it to silence a recurring false positive across the estate — a column named country everywhere, say.
Rule of thumb: a pattern for many columns, classify for one.regixo.yml holds only names and non-secret config, so commit it freely — and a
teammate's clone gets the same classification on their own scan.
Next
Corrections make the map right. The next step is making it richer — descriptions,
lineage and a glossary a scanner can't infer, all shared with your team:
Enrich & share.