Log in
Get started free

Privacy Policy

Last updated: April 22, 2025

This policy explains what data ClickedSys collects, how it is used, and the choices you have. We believe in plain language — if anything is unclear, please contact us.

1. Overview

ClickedSys ("we", "our", "us") is a SaaS platform operated by ClickedSys. We provide embeddable CTA (Call-to-Action) widgets and performance analytics. This Privacy Policy applies to:

  • Registered users of the ClickedSys dashboard at app.clickedsys.com
  • End-users of websites that embed the ClickedSys tracker script (server.clickedsys.com/init)
  • Visitors to the ClickedSys marketing website

2. Data we collect

2.1 Account data (registered users)

When you create an account we collect:

  • Name and email address
  • Password (stored as a bcrypt hash — we never see your plaintext password)
  • Payment method details (processed by Stripe or Razorpay; we only store a token reference)
  • Subscription and plan information

2.2 Usage data (dashboard activity)

We automatically collect standard server logs including pages visited, features used, and timestamps. This helps us improve the product and debug issues.

2.3 Tracking event data (end-users)

When the ClickedSys tracker script fires on a third-party website, it sends:

  • CTA identifier (a UUID that corresponds to a widget in our system)
  • Event type (click, impression, or hover)
  • Timestamp
  • Page URL where the event occurred
  • Hashed IP address (see section 3)
  • Session ID (generated client-side, stored in sessionStorage — not a persistent cookie)
  • User-agent string

We do not collect names, email addresses, or any personally identifiable information from end-users of embedded CTAs.

3. Tracker script & IP hashing

The ClickedSys tracker (init.js) is a lightweight (<5KB) JavaScript snippet loaded asynchronously. It respects the following privacy signals:

  • Do Not Track (DNT): If a visitor's browser sends DNT: 1, the tracker will not fire.
  • Opt-out cookie: Visitors who set a clickedsys_optout=1 cookie are excluded from tracking.
  • IP hashing: All IP addresses are hashed server-side using HMAC-SHA256 before being stored. Raw IP addresses are never persisted. This means we cannot identify individual visitors by IP.

The tracker does not use third-party cookies or fingerprinting techniques.

4. Cookies & local storage

On the dashboard (app.clickedsys.com), we use:

  • A refresh token cookie (HTTP-only, Secure, SameSite) for authentication
  • No analytics, advertising, or third-party tracking cookies

The tracker script uses sessionStorage (not cookies) to store a temporary session ID. This data is cleared when the browser tab is closed and is scoped to the user's browser — we cannot access it server-side.

5. How we use data

  • To provide and improve the ClickedSys service
  • To authenticate registered users and manage subscriptions
  • To generate aggregated click, impression, and hover analytics for dashboard users
  • To send transactional emails (e.g., password resets, invoices)
  • To diagnose bugs and performance issues
  • To comply with legal obligations

We do not sell personal data, use it for advertising, or share it with data brokers.

6. Data sharing

We share data with third parties only as necessary to provide the service:

  • Stripe / Razorpay — payment processing
  • Resend — transactional email delivery
  • Hetzner — cloud infrastructure hosting (EU data centres)

All sub-processors are contractually bound to protect data. We do not share personal data with any other third parties without your consent, except where required by law.

7. Data retention

Tracking event data is retained for the period defined by your plan (15–365 days). After the retention window expires, events are automatically purged.

Account data is retained for as long as your account is active. After account deletion, we may retain anonymised aggregate statistics indefinitely and will purge all personal data within 30 days.

8. Your rights

Depending on your jurisdiction you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Object to or restrict certain processing
  • Data portability

To exercise any of these rights, email help@clickedsys.com. We will respond within 30 days.

9. Security

We use industry-standard measures to protect your data, including TLS encryption in transit, bcrypt password hashing, RS256 JWT authentication, and IP hashing. No transmission over the internet is 100% secure — if you discover a security vulnerability, please report it responsibly to help@clickedsys.com.

10. Children

ClickedSys is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to registered users or by a prominent notice in the dashboard. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

Questions about this policy? Reach us at:
📧 help@clickedsys.com

Summer Discounts are now live ! Grab Now