Privacy Policy
This Privacy Policy explains how White Flocs SL processes personal data in connection with the Klickly service (klickly.app) and the public smart link domain klck.link. It is written to meet our obligations under the Andorran Llei Qualificada de Protecció de Dades Personals (LQPD), the EU General Data Protection Regulation (GDPR) where applicable, and the California Consumer Privacy Act (CCPA) where applicable.
1. Controller
The controller of your personal data is:
White Flocs SL
NRT: L-714911-J
Registered office: Encamp, Principat d'Andorra
Contact for privacy matters: privacy@klickly.app
We have not appointed a statutory Data Protection Officer because we are not legally required to do so. Privacy enquiries are handled through the contact address above.
2. Scope
This policy covers three distinct groups of data subjects:
- Account holders — people who register a Klickly account at klickly.app.
- Visitors of smart links — third parties who click on a klck.link URL created by an account holder.
- Subjects of public Instagram profile monitoring — owners of public Instagram profiles that an account holder has added to their Klickly dashboard for monitoring.
We process different categories of data, on different legal bases, for each group. They are described separately below.
3. Data we process
3.1 Account holders
| Data | Source | Purpose |
|---|---|---|
| Email address | You, at registration | Account identifier, login, transactional email |
| Name (optional) | You | Personalisation of the dashboard |
| Avatar image | Google, if you log in with Google | Display in dashboard |
| Password (bcrypt hash) | You | Authentication. The plaintext password is never stored or logged |
| Email verification timestamp | System | Proof of email ownership |
| Google OAuth tokens (provider ID, account ID, access token, refresh token, ID token) | Google, if you choose Google sign-in | Maintain the OAuth session. Stored encrypted at rest in the Account table |
| Organisation, plan (FREE / INDIVIDUAL / PRO / AGENCY / ENTERPRISE), role | System and your selections | Service entitlement and access control |
Legal basis (GDPR Art. 6): performance of a contract (Art. 6(1)(b)) for everything strictly needed to operate your account; legitimate interests (Art. 6(1)(f)) for security logging and fraud prevention.
3.2 Smart link visitor analytics
When someone clicks a klck.link smart link, we process the following data about the visitor, not about the account holder:
| Data | How it is handled |
|---|---|
| IP address | Used in-memory at request time to derive country/city (local GeoIP database), for per-request rate-limiting, and for anti-scrape defence. On analytics (click) records we store only an anonymized IP — the last octet is zeroed (e.g. 192.0.2.0; IPv6 truncated), never the full address — used to approximate unique visitors. The full raw IP is written only where strictly needed to protect the service: a ShieldEvent row when we detect automated scraping (see below), and — for visitors who arrive through an affiliate link — on the resulting referral record, to detect self-referral fraud |
| Country, city | Derived from IP, retained in aggregated click records |
| Device, OS, browser, browser version | Parsed from the User-Agent header |
| Referrer | URL the visitor came from, if disclosed by the browser |
| Click timestamp | UTC time of the click |
| Detected Instagram country signal | Used for bot fingerprinting only |
| ShieldEvent: crawler signature, IP, User-Agent | Stored when we detect automated scraping, to defend the service |
Legal basis (GDPR Art. 6): legitimate interests (Art. 6(1)(f)) — measuring traffic to links operated by our customers, and protecting our infrastructure against abuse. We have performed a balancing test and consider that the impact on visitors is minimal because we do not build cross-site profiles, do not use third-party analytics, and do not place any non-essential cookies on visitor devices.
3.3 Public Instagram profile monitoring
When an account holder adds an Instagram @username to their dashboard, we read publicly available data from that profile: follower count, post count, engagement metrics, bio. We never request the Instagram password of the account holder, we never access non-public content, and we never log into Instagram on behalf of the data subject of the monitored profile.
Legal basis (GDPR Art. 6): legitimate interests (Art. 6(1)(f)) of the account holder and Klickly, balanced against the limited expectation of privacy a user has in data they have themselves made public on Instagram. Profile owners may request removal of their data via privacy@klickly.app and we will action it.
3.4 Payment data
Payments are processed by Paddle as the Merchant of Record (see Section 5). Klickly receives only:
- the Paddle transaction ID
- the plan purchased
- the customer email
- the customer country (for VAT visibility on our side)
- the Paddle customer_id
Card details never reach Klickly servers. They are collected, stored and processed exclusively by Paddle.
4. Retention
| Data | Retention period |
|---|---|
| Account data | While the account is active, plus 90 days after closure for dispute resolution. Backups expire after 7 daily + 4 weekly rotations |
| Aggregated click analytics | 24 months from the click |
| ShieldEvent records | 12 months |
| Sentry error logs | 30 days |
| Database backups | 7 daily snapshots plus 4 weekly snapshots, then deleted |
| Payment records held by Paddle | According to Paddle's own retention schedule, which we do not control |
Where required by Andorran tax or commercial law, invoices and accounting records may be retained for the statutory periods (currently six years).
5. Subprocessors
We use the following subprocessors. We have signed a Data Processing Agreement (or equivalent contractual safeguard) with each of them.
| Subprocessor | Function | Location of processing | Transfer mechanism |
|---|---|---|---|
| Paddle.com Market Ltd | Payment processing as Merchant of Record | United Kingdom and United States | UK adequacy, EU SCCs, EU–US Data Privacy Framework where applicable |
| Resend (Resend.com, Inc.) | Transactional email (verification, password reset, email change) | EU region — Ireland (eu-west-1) | Processing inside the EEA. The corporate parent is in the US under EU SCCs and EU–US DPF |
| Sentry (Functional Software, Inc.) | Error tracking, 10% trace sample, no session replay | EU region — Frankfurt, Germany (ingest.de.sentry.io) | Processing inside the EEA. The corporate parent is in the US under EU SCCs and EU–US DPF |
| Google LLC | Google OAuth login, only if the user chooses it | United States | EU SCCs, EU–US DPF |
| Cloudflare, Inc. | DNS, CDN, TLS termination for klickly.app and klck.link | Global edge network | EU SCCs, EU–US DPF |
| Cubepath | VPS hosting for the application and PostgreSQL database | European Union | Processing inside the EEA |
We do not use third-party web analytics, advertising pixels, AI inference providers, or session replay services on klickly.app or klck.link.
6. International transfers
White Flocs SL is established in Andorra. Andorra has been recognised by the European Commission as providing an adequate level of data protection (Decision 2010/625/EU), so transfers between the EEA and Klickly do not require additional safeguards.
For onward transfers to subprocessors in the United States (Paddle, Resend, Google, Cloudflare, Sentry's parent entity), we rely on the EU Standard Contractual Clauses adopted by Decision (EU) 2021/914 and, where the receiving entity is certified, on the EU–US Data Privacy Framework. A copy of the relevant clauses is available on request to privacy@klickly.app.
7. Your rights
If GDPR applies to your data, you have the right to:
- access the personal data we hold about you
- request rectification of inaccurate data
- request erasure ("right to be forgotten")
- request restriction of processing
- data portability in a structured, machine-readable format
- object to processing based on legitimate interests
- withdraw consent at any time, where consent is the basis (this does not affect the lawfulness of past processing)
- not be subject to solely automated decisions that produce legal effects on you — we do not currently perform such decisions
- lodge a complaint with a supervisory authority:
  - in Andorra: Agència Andorrana de Protecció de Dades (APDA) — www.apda.ad
  - in Spain: Agencia Española de Protección de Datos (AEPD) — www.aepd.es
  - or the supervisory authority of your habitual residence
To exercise any of these rights, write to privacy@klickly.app. We aim to respond within 30 days. We may ask you to verify your identity before disclosing data.
CCPA notice for California residents
If you are a California resident, you additionally have the right to:
- know what categories of personal information we have collected about you and the purposes
- request deletion of personal information, subject to legal exceptions
- opt out of the sale or sharing of personal information. We do not sell or share personal information as those terms are defined under the CCPA / CPRA
- non-discrimination for exercising your rights
Requests: privacy@klickly.app. We will respond within 45 days. We do not currently offer financial incentives for personal data.
8. Cookies
We use only strictly necessary and functional cookies. There is no advertising or third-party analytics tracking on klickly.app or klck.link. See the Cookies Policy for the full table.
9. Children
Klickly is not directed at children. You must be at least 16 years old to create an account. We do not knowingly process personal data of anyone under 16. If you believe a minor has registered, contact privacy@klickly.app and we will delete the account.
10. Security
We use bcrypt for password hashing, TLS everywhere via Cloudflare, encrypted database backups, two-factor authentication on administrative accounts, and Sentry for error monitoring. We restrict production database access to designated personnel. No system is perfectly secure; in the unlikely event of a personal data breach affecting your rights, we will notify the APDA within 72 hours of becoming aware, and we will notify affected users without undue delay where the law requires it.
11. Changes to this policy
We may update this policy to reflect changes in the service, subprocessors, or applicable law. The current version is always available at klickly.app/privacy. Material changes will be announced by email to active account holders at least 14 days before they take effect.