Privacy Policy

Last Updated: March 17, 2026 · Effective Date: March 17, 2026

This Privacy Policy describes how Klik Tik Ltd. ("Klik Tik," "we," "us," or "our") collects, uses, stores, shares, and protects personal information when you use the Klik Tik platform.

FOR END USERS: If you interact with a Klik Tik Customer's public-facing features (booking a service, filling out a form, signing a document, chatting with a chatbot), the Customer is the data controller for the personal data you provide. Please contact the Customer directly.

1. Data Controller & Processor Roles

Klik Tik as Data Controller: Account registration data, billing information, website visitor data, marketing communications, support requests, and usage analytics.

Klik Tik as Data Processor: Customer Data (CRM records, End User data from forms/booking/chatbot, communication content, documents, AI conversation data) — processed solely on the Customer's instructions.

Customer as Data Controller: Customers are controllers for contact records, End User data, employee data, and communication content they process through the Platform.


2. Information We Collect

Account & Registration

Name, email, phone (optional), company name, password (hashed, never stored in plain text), role, profile picture (optional). Registration metadata collected automatically: IP address, approximate location (country, city from IP), browser user agent, browser language, and device information.

Billing & Payment

Billing name/address, payment method (processed by Stripe — we do not store card numbers), transaction history, subscription details.

Customer Data (Processed on Behalf of Customers)

Contact & CRM data (names, emails, phones, addresses, tags, custom fields, communication history); financial data (orders, invoices, payments, commissions, expenses); communication data (emails via Gmail, SMS via Twilio, team chat, chatbot transcripts, AI conversation history, voice recordings); documents (PDFs, e-signature data including signer name, email, IP, timestamp); appointment & booking data; employee & HR data (including heartbeat-based activity monitoring that records active/inactive periods during shifts); social media data (Instagram posts, DMs, analytics); e-commerce data (synced from WooCommerce/Shopify); automation & flow execution logs; and landing page & form submission data.

Service Data (Automatic)

Usage data, device/browser info, performance metrics, API request logs (retained 7 days raw, then aggregated), error reports, webhook event logs (retained 30 days).

Push Notifications

Firebase Cloud Messaging device tokens, device platform (iOS/Android), token activity status. Tokens auto-deactivated when invalid.


3. How We Use Your Information

Service operation: Account management, payment processing, all Platform features, AI processing, integration sync, notifications, and support.

Improvement: Usage analysis, bug fixes, new features, internal research (aggregated data only — NOT individual Customer Data for AI training).

Security: Fraud prevention, abuse detection, rate limiting, audit trails, legal compliance.

Communication: Transactional notifications, product updates (with opt-out), marketing (with consent and opt-out).


4. Legal Bases (GDPR)

Contract Performance: Account creation, service delivery, payments, support.

Legitimate Interests: Service improvement, security, fraud prevention, analytics.

Consent: Marketing, optional cookies, beta programs.

Legal Obligation: Tax reporting, government requests.

Data Processing Agreement: Processing Customer Data on behalf of Customers.


5. AI Features & Data Processing

AI processing may involve transmitting data to third-party providers including Google (Gemini) and VAPI (voice). Klik Tik does NOT use individual Customer Data to train general-purpose AI models. AI providers are selected based on API terms that generally prohibit training on submitted data; however, Klik Tik cannot independently verify third-party internal practices. Knowledge base entries serve only the specific Customer's account. AI-generated content should be reviewed before use. Voice data may be recorded and transcribed.


6. Information Sharing

We do NOT sell Personal Data.

Sub-processors

Category | Provider | Data
Cloud Infrastructure | Google Cloud Platform | All Platform data
Caching | Google Memorystore (Redis) | Cached data (tenant-scoped)
Payment Processing | Stripe | Billing, transactions
Email | Gmail API (Customer accounts) | Email content
SMS | Twilio | Phone numbers, messages
AI Processing | Google (Gemini), VAPI | Chat/voice data, CRM context
E-Commerce | WooCommerce, Shopify | Products, customers, orders
Accounting | QuickBooks | Invoices, payments
Calendar | Google Calendar | Appointments, events
File Storage | Google Cloud Storage | Files, documents, images
Social Media | Meta/Instagram | Posts, messages, analytics
Push Notifications | Google Firebase (FCM) | Device tokens, payloads
Domain/SSL | Cloudflare | Hostnames, certificates

We may disclose data for legal compliance, rights protection, fraud prevention, and emergencies. In a merger/acquisition, data may transfer with prior notice.


7. International Data Transfers

Data is stored on Google Cloud Platform in the United States (us-central1). For EEA/UK/Switzerland transfers, we implement Standard Contractual Clauses and supplementary measures. A Data Processing Agreement is available upon request at legal@kliktik.com.


8. Data Retention

Data Type | Retention
Account & Customer Data | Duration of Subscription + 30 days retrieval
Activity logs | Duration of Subscription (no automatic purge)
API request logs (raw) | 7 days, then aggregated
Webhook event logs | 30 days
Billing records | 7 years (tax compliance)
Push notification tokens | Until unregistered or invalid

Archival vs. Deletion

The Platform uses a combination of soft deletion (archiving/deactivation) and permanent deletion. Contacts may be archived rather than permanently deleted to preserve referential integrity with orders, invoices, and activity history. User accounts are deactivated rather than deleted. Permanent deletion is available for verified data subject requests where legally required. Deletion of a contact may not remove all associated records where retention is required for legal/accounting purposes.


9. Data Security

Technical: TLS 1.2+ encryption in transit; AES-256-CBC encryption for stored OAuth tokens; bcrypt password hashing; multi-tenant data isolation; role-based access controls; JWT authentication; Google Cloud Platform infrastructure (SOC 2, ISO 27001 certified).

Organizational: Production access restricted to authorized personnel; security-conscious development practices.

Note: Klik Tik does not currently hold independent security certifications (SOC 2, ISO 27001) at the company level. We rely on the certifications of our infrastructure providers.

No system is 100% secure. We cannot guarantee absolute protection.


10. Your Privacy Rights

Depending on your location, you may have rights to: Access, Correction, Deletion, Data Portability (scope varies by data type), Restriction, Objection, Withdrawal of Consent, and Non-Discrimination.

Customers/Users: Exercise rights via Platform settings or contact privacy@kliktik.com.

End Users: Contact the Customer directly. If unreachable, contact us.

Response time: 30 days (GDPR), 45 days (CCPA/CPRA).

GDPR (EEA, UK, Switzerland)

Right to lodge complaints with supervisory authorities. If required under GDPR Article 27, Klik Tik will designate an EU representative — contact privacy@kliktik.com for status.

CCPA/CPRA (California)

Klik Tik does NOT sell Personal Information and does NOT share for cross-context behavioral advertising. California residents may submit requests via privacy@kliktik.com with subject "California Privacy Request."


11. Children's Privacy

Services are not directed to individuals under 18. We do not knowingly collect data from children under 13 (or 16 in EEA). If discovered, such data will be promptly deleted.


12. Cookies & Tracking

We use strictly necessary cookies (authentication, sessions), functional cookies (preferences), and analytics cookies (usage statistics). The Platform stores a JWT token in localStorage for session management. Third-party cookies may be set by integrated services. You can control cookies through browser settings.


13. Communication Preferences

Transactional communications cannot be opted out of. Product updates can be managed in notification settings. Marketing communications require consent and can be opted out anytime via unsubscribe links or settings.


14. Changes to This Policy

We may update this Policy. We will give notice of material changes via email and in-app notice, with 30 days' advance notice. Continued use constitutes acceptance.


15. Contact

Klik Tik Ltd.

Privacy: privacy@kliktik.com

Legal: legal@kliktik.com

Support: support@kliktik.com


By using the Klik Tik Platform, you acknowledge that you have read and understood this Privacy Policy.

KLIK TIK LTD. — Privacy Policy — Version 1.0 | Effective March 17, 2026