The map is a searchable catalog of your data’s structure — datasets, columns, owners,
lineage, and which columns look like personal data. Reading it well means knowing what Regixo actually
measured, how much to trust each flag, and where the honest gaps are.
say
“Open the Regixo dashboard in my browser.”
Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo open
Opens the map in your browser at localhost:4319. From the terminal you can search it
too:
say
“Search my Regixo catalog for columns that look like email addresses.”
Show the commandHide the commandShow the sentenceHide the sentence
run
$ regixo search email
Three ways to reach the same map — pick whichever fits the moment:
▤ In the dashboard
regixo open lands on the Map. Search from the box
("Search datasets & columns…") or narrow the rail with the filters — Source,
Personal data, Art. 9, Art. 10, Undescribed, each carrying a live
count. Open a dataset and the pane holds every action: Correct a column's flag,
Save or Draft a description, and Assert a flow into or out of it. A tour:
the free portal tour.
⌨ Say it, or run it
Both actions are at the top of this page: regixo open and
regixo search. Say the sentence to the coding agent already open in your project, or
run the command yourself — it is the same command in the same shell, either way.
✦ A connected assistant
A different surface. Register the read-only regixo mcp server once, and an
assistant answers "where is X · what's personal · what feeds this table" by chaining
search_datasets → get_dataset → get_lineage. It reads; it
never changes the map. See Use an AI agent.
What the map looks like
The Map is a workbench, and it fits on one screen. One toolbar across the top carries the
title, the counts and the coverage meter ("10 of 10 sources reached"). The rail on the left
holds the search box, the filters, and one collapsible fold per source — each fold counting its
datasets and its personal-data columns, and grouping the tables it flagged as holding personal data
above the ones it didn't. The rail and the pane scroll independently. Below is the real thing — the
toolbar, and the rail with the stripe fold opened. (The five filters sit above the folds;
they are shown, with their live counts, on Classify &
correct.)
what you’ll see — the Map workbench: the toolbar, the rail with one of your ten source folds open, and the line the pane opens with
This is every place your business stores data — Regixo read the labels, never the values. Pick a dataset to see what it holds. Anything marked ● personal feeds your compliance record →
Before you pick anything, the pane opens with that one line of plain English — and, under it, the
trust panel (Reached · Fresh · Confirmed · Sealed — the same verdict an AI assistant gets
from get_provenance) and a card per source (datasets · personal · sensitive · when
it was last scanned).
Open a dataset and the pane answers four questions in order: what it is (source, driver,
when it was scanned, row estimate, who owns it in the database, and a plain-words summary), what it
holds (every column, its type, its personal-data flag — and the small grey note saying how
Regixo recognised it), what it's for (the description), and where the data flows. Every
flag carries a Correct control, and a labels legend explains the colour codes without a
hover. Below is the top of that pane — what it is, and what it holds. The description box and
the lineage river sit under it, and are shown on
Enrich & share.
what you’ll see — the Map, with a dataset open: the top of the pane on app-db / app / customers — what it is, and its columns
In plain words: this dataset holds 5 kinds of personal data — date of birth, email, name, national id, and phone. That’s why it feeds your compliance record →
Columns
What do the labels mean?tap to learn the colour codes
● personalLooks like personal data — a name, email, and so on.
⚠ Art. 10Criminal-offence data. Processed only under official authority or where the law allows.
? unknownA container column (json, blob) Regixo can’t see into — confirm it yourself.
The small grey note (e.g. “by field name”) says how Regixo recognised it. Regixo reads column names and types only — never the values — so double-check anything that looks wrong.
Column
Type
Personal data
created_at
timestamp with time zone optional
not personalCorrect
date_of_birth
date optional
● Date of birthby field nameCorrect
email
text required
● Emailby field nameCorrect
Regixo read the column names and types — never the values. The small grey note beside a flag says how it was spotted; row count is an estimate from the database’s own statistics.
What the scanner reads — and refuses
Regixo reads metadata only. It never runs SELECT *, never counts rows, and
never reads a value out of a table. Concretely, per dataset it collects:
Collected
From
Notes
Tables, columns, data types, nullability
information_schema
All SQL databases. VIEWs are catalogued as datasets too.
Row-count estimates + owning DB role
pg_class.reltuples
Postgres/Redshift only. The planner’s estimate — shown as ~N rows (estimate), never a COUNT(*). Never ANALYZEd → shown as unknown, never a fake 0.
Automatic lineage (view → table)
pg_depend / pg_rewrite
Postgres/Redshift only. Relation names, never SQL-text parsing.
Personal-data flags
column names + types
The classifier runs on names and declared types — never values.
The hard line
Raw data never leaves your machine (Hard Rule #2). If Regixo ever sampled a value to check a
classification, it would do so in memory and discard it — no sampling connector is even built today.
MySQL and SQL Server give tables, columns and types, but no auto row-estimates
or auto lineage (those come from Postgres catalog tables). That’s a limit, stated honestly on the map.
How a column gets flagged
Every personal-data flag comes with the rule that matched and a confidence, so you
can judge it. Regixo evaluates rules in order and takes the highest-confidence hit; a column is
“personal data” when the best confidence is ≥ 0.6.
Tier
Confidence
What it catches
Deny-list
1.0 (hard-stop)
Special category (Art. 9) and criminal-offence (Art. 10) terms — e.g. health_status, diagnosis, =race, conviction_date.
Name rule
0.9
The common kinds by column name — email, phone, name, address, national_id, financial, ip, …
Regex
0.7
Backstop patterns for email / phone / ssn·nino·tax_id.
Your patterns
0.7
Anything you add in regixo.ymlpii.extraPatterns.
Type rule
0
Opaque json/jsonb/blob/bytea → “contents unknown (needs you)”. Never personal by itself.
Why trace_id isn’t flagged as “race”
Matching is whole-token, never substring. Regixo splits a name on camelCase and any
non-letter (trace_id → trace, id), so the deny-list term
=race (which means “the entire name is exactly race”) can’t match
trace. That precision is why the classifier has zero false Art. 9 flags on the
infrastructure benchmark set.
Languages
The classifier ships term packs for many languages. Recall is benchmarked and passing for
English, German, French and Dutch (≥ 0.85 recall on ordinary personal data, zero false Art. 9 on
infrastructure). Spanish, Italian, Portuguese, Polish, Swedish, Danish and Romanian have terms, but
their recall is not yet measured — treat those as best-effort and check them.
The kinds you’ll see
Each flagged column carries a human label:
⚠ Art. 9
Special category — health, beliefs, ethnicity, biometrics, sexual orientation, trade-union… Stricter rules apply; it has its own count and its own filter.
⚠ Art. 10
Criminal-offence data — processed only under official authority or where the law allows. A separate class from Art. 9.
? unknown
A container column (json, blob) Regixo can’t see into — you confirm what’s inside.
not personal
No rule matched, and nobody has corrected it. Regixo says so rather than leaving the cell blank.
…plus Email · Phone · Name · Address · Date of birth · National ID · Financial (card/IBAN) · IP address · Location · Identifier · Gender · Credential/secret · Employment · Personal detail.
Lineage
Lineage arrows show where data flows. They come from three places, and the map tells you which:
Warehouse (auto) — view → table edges read from the Postgres/Redshift catalog.
dbt — the model ref-graph from your manifest.json.
Asserted by you — cross-system flows a scanner can’t infer (e.g. Stripe → your users table), added with regixo lineage (see Enrich & share).
Open a dataset and its flows draw as a vertical river: Comes from above, the dataset
itself on the trunk, Feeds into below. Every chip reads name · source — so
customers · app-db is never confused with customers · mysql-db — and each
caption says who claims the flow (via dbt, via the warehouse, asserted by you).
The head of each pane counts the reach: 2 direct, or 7 direct · 13 total when
the chain runs deeper (a cycle-guarded closure). A join, a loop, or an endpoint Regixo hasn’t scanned
is stated in words, never left to a guess — and a dashed chip is exactly that: an endpoint someone
claims, that isn’t on the map.
Something looks wrong?
If a column is flagged that shouldn’t be (or missed one that should), you correct it — and the
correction sticks across re-scans. That’s the next page: Classify & correct.