GDPR Compliance

Last Updated: March 8, 2026

1. Introduction & Commitment

ClickReel, Inc. ("ClickReel," "we," "us," or "our") is committed to protecting the privacy and personal data of individuals in the European Union (EU) and European Economic Area (EEA) in compliance with Regulation (EU) 2016/679, the General Data Protection Regulation ("GDPR").

This GDPR Compliance page supplements our Privacy Policy and Terms of Service by providing additional information specific to the rights of EU/EEA data subjects and our obligations under the GDPR. It applies to all processing of personal data of individuals located in the EU/EEA, regardless of where that processing takes place.

We have implemented comprehensive technical and organizational measures to ensure that data protection is integrated into every aspect of our Service, from the design of our cookie-less SDK to the encryption of stored credentials. We are committed to transparency, data minimization, and respecting the rights of data subjects.

2. Controller vs. Processor

Under the GDPR, the roles of data controller and data processor carry distinct responsibilities. ClickReel operates in both capacities depending on the type of data being processed:

2.1 ClickReel as Data Controller

ClickReel acts as the data controller for personal data that we collect directly from our customers (account holders) in connection with their use of the ClickReel platform. This includes:

  • Registration data — name, email address, and password hash collected during account creation.
  • Billing data — payment-related information processed through Stripe for subscription management and invoicing.
  • Support and communication data — information provided through customer support interactions, feedback, or correspondence.
  • Dashboard usage data — information about how customers interact with the ClickReel dashboard and platform features.

As data controller for this data, ClickReel determines the purposes and means of processing and is directly responsible for compliance with the GDPR.

2.2 ClickReel as Data Processor

ClickReel acts as a data processor for personal data collected from End Users through the ClickReel SDK embedded on customer websites. This includes:

  • Engagement event data — page views, video interactions, CTA clicks, bubble events, story events, and dismiss actions.
  • Session data — server-generated session identifiers and associated intent scores.
  • Device metadata — browser type, operating system, screen resolution, and referring URL.

In this context, the customer is the data controller who determines why and how End User data is collected and processed. ClickReel processes this data solely on behalf of the customer and according to the customer's documented instructions. Article 28(3) requires a written contract between controller and processor, so customers who process EU/EEA personal data through the ClickReel SDK must have a Data Processing Agreement (DPA) in place with us; to request our DPA, contact gdpr@clickreel.io.

4. Data Subject Rights

Under the GDPR, individuals located in the EU/EEA have the following rights with respect to their personal data. You may exercise any of these rights by contacting us at gdpr@clickreel.io. We will respond to all verified requests without undue delay and in any event within one month of receipt, as required by Article 12(3) of the GDPR. Where a request is complex or we receive a large number of requests, that period may be extended by up to two further months; if so, we will tell you within the first month and explain the reason for the delay.

4.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about the purposes of processing, the categories of data concerned, the recipients to whom data has been disclosed, the envisaged retention period, and the existence of your other rights under the GDPR.

4.2 Right to Rectification (Article 16)

You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data. You can update most account information directly through the ClickReel dashboard settings. For other corrections, please contact us.

4.3 Right to Erasure / Right to be Forgotten (Article 17)

You have the right to request the deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purposes for which it was collected, when you withdraw consent (where consent was the legal basis), when you object to processing and there are no overriding legitimate grounds, or when the data has been unlawfully processed. Account deletion can be initiated through your account settings, and all data will be permanently deleted after a 30-day retention period.

4.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data (for a period enabling us to verify accuracy), when processing is unlawful but you oppose erasure, when we no longer need the data but you require it for legal claims, or when you have objected to processing pending verification of our legitimate grounds.

4.5 Right to Data Portability (Article 20)

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance from us, where the processing is based on consent or a contract and is carried out by automated means.

4.6 Right to Object (Article 21)

You have the right to object to the processing of your personal data based on our legitimate interests. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defense of legal claims.

4.7 Rights Related to Automated Decision-Making (Article 22)

ClickReel uses automated processing in the form of intent scoring, which calculates an engagement score (0–100) based on weighted user interaction events. This automated processing is used solely for ad optimization and analytics purposes on behalf of our customers. Intent scoring does not produce legal effects or similarly significant effects on data subjects — it is not used for profiling that affects access to services, credit decisions, employment, or any other decision with legal consequences. End Users are not denied services, treated differently, or subject to any adverse outcomes based on their intent score.

If you believe that automated processing is affecting you in a significant way, you may contact us to request human review of the processing and to express your point of view.

5. Data Protection Measures

In accordance with Article 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing. These measures are designed to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

5.1 Technical Measures

  • AES-256-GCM credential encryption — integration credentials (Meta CAPI tokens, Google Ads API keys) are encrypted at rest using AES-256-GCM with PBKDF2-derived keys, a per-credential salt (so each credential is protected under its own derived key), and a unique initialization vector for every encryption. GCM's authentication tag means a credential that has been tampered with in storage fails to decrypt rather than yielding a corrupted token.
  • Bcrypt password hashing — all user passwords are hashed using bcrypt with a cost factor chosen to make offline guessing expensive, rendering plaintext passwords unrecoverable from stored hashes.
  • HTTPS/TLS encryption — all data in transit between clients, the ClickReel dashboard, the SDK, and the ingestion service is encrypted using HTTPS/TLS.
  • Content Security Policy (CSP) — strict CSP headers are enforced to mitigate cross-site scripting (XSS), clickjacking, and other code injection attacks.
  • Rate limiting — authentication endpoints are protected with rate limiting (5 login attempts per 15 minutes, 3 registration attempts per hour, 5 password change attempts per hour) to prevent brute-force attacks.
  • Password policy enforcement — passwords must meet minimum complexity requirements (10 characters minimum, including uppercase, lowercase, and numeric characters) and are checked against lists of commonly breached passwords.

5.2 Organizational Measures

  • Access controls — role-based access control (owner, admin, member, viewer) ensures that team members have access only to the features and data appropriate to their role.
  • Employee training — team members who handle personal data receive training on data protection principles and GDPR requirements.
  • Vendor security assessment — we evaluate the security and privacy practices of our sub-processors and infrastructure providers before engaging them.

5.3 Privacy by Design and Default

In accordance with Article 25 of the GDPR, ClickReel implements data protection by design and by default throughout our platform:

  • Cookie-less SDK — the ClickReel SDK operates without any cookies or persistent client-side storage, minimizing the personal data footprint on End User devices.
  • Server-generated session IDs — session identification uses server-generated IDs with a 30-minute timeout, avoiding persistent tracking across visits.
  • Shadow DOM isolation — the SDK renders inside a closed Shadow DOM attached to a custom element, which scopes its styles and keeps its internal DOM out of the host page's ordinary DOM queries. This is an encapsulation measure, not a security boundary: scripts running on the host page share the SDK's origin and JavaScript realm, so the SDK does not rely on it to protect End User data from the host page.
  • Data minimization — we collect only the engagement event data necessary to provide intent scoring and analytics functionality. No unnecessary personal data is collected.

6. Cross-Border Transfers

ClickReel is headquartered in the United States, and personal data collected from EU/EEA data subjects may be transferred to and processed in the United States. We recognize that such transfers require appropriate safeguards under Chapter V of the GDPR.

6.1 Standard Contractual Clauses

For transfers of personal data from the EU/EEA to the United States, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission under Commission Implementing Decision (EU) 2021/914. These clauses are incorporated into our Data Processing Agreements with customers and into our agreements with sub-processors.

6.2 Sub-Processor Agreements

We maintain Data Processing Agreements with all sub-processors that handle personal data on our behalf. These agreements include SCCs where required and impose obligations on sub-processors to implement appropriate technical and organizational measures to protect personal data.

6.3 Regular Review of Transfer Mechanisms

We regularly review the legal frameworks and transfer mechanisms we rely on to ensure their continued validity and adequacy. In the event that a transfer mechanism is invalidated by a court or regulatory authority, we will promptly implement alternative safeguards or, if necessary, cease the relevant transfer. We also conduct transfer impact assessments to evaluate the laws and practices of the destination country and implement supplementary measures where appropriate.

7. Data Retention

In accordance with the GDPR's data minimization and storage limitation principles (Article 5(1)(c) and (e)), we retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.

  • Account data — retained for the duration of your active account plus 30 days after account deletion or cancellation to enable account recovery. After the 30-day period, account data is permanently and irreversibly deleted.
  • Event data — retention periods vary by subscription plan: Starter plans retain event data for 7 days, Growth plans for 30 days, and Pro plans for 90 days. Upon expiration of the retention period, event data is automatically purged from our systems.
  • Session data — active sessions expire after 30 minutes of inactivity. Once expired, individual session records are aggregated into anonymous statistical summaries, and the granular session data (including session IDs and individual event records) is deleted.
  • Payment records — retained as required by applicable tax, accounting, and financial regulations, typically for a period of seven (7) years. Payment records are processed and stored by our payment processor, Stripe.

Our data retention schedule is reviewed annually and updated as necessary to reflect changes in legal requirements, business needs, or data protection best practices. Data subjects may request early deletion of their personal data by exercising their right to erasure (Article 17), subject to applicable legal exceptions.

9. Sub-Processors

In accordance with Article 28 of the GDPR, we engage the following sub-processors to assist in providing the Service. Each sub-processor is bound by a Data Processing Agreement that includes Standard Contractual Clauses where applicable.

  • Stripe, Inc. — Purpose: payment processing, subscription billing, invoicing. Location: United States. Condition: all paid plans.
  • Meta Platforms, Inc. — Purpose: ad conversion synchronization via the Conversions API (CAPI). Location: United States. Condition: only when the customer enables the Meta integration.
  • Google LLC — Purpose: ad conversion synchronization via the GA4 Measurement Protocol. Location: United States. Condition: only when the customer enables the Google Ads integration.
  • Cloud infrastructure provider — Purpose: cloud hosting, data storage, content delivery. Location: United States. Condition: all accounts.

We will provide customers with at least 30 days' advance notice before engaging a new sub-processor or making material changes to sub-processor arrangements. If you object to a new sub-processor on reasonable data protection grounds, you may contact us to discuss alternative arrangements. If we are unable to resolve your objection, you may terminate your account in accordance with the Terms of Service.

10. Data Breach Notification

In accordance with Articles 33 and 34 of the GDPR, ClickReel has established comprehensive data breach detection and notification procedures:

10.1 Internal Detection

We maintain security monitoring and incident detection systems designed to identify potential personal data breaches within 24 hours of occurrence. All suspected breaches are immediately escalated to our security team for assessment and classification.

10.2 Supervisory Authority Notification (Article 33)

In the event of a confirmed personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; if notification is made later than 72 hours, it will be accompanied by the reasons for the delay, as Article 33(1) requires. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects.

10.3 Data Subject Notification (Article 34)

When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the breach to affected data subjects without undue delay. The communication will describe, in clear and plain language, the nature of the breach, the contact details of our Data Protection Officer, the likely consequences of the breach, and the measures taken to address it.

10.4 Customer Notification (Processor Obligations)

Where ClickReel acts as a data processor, we will notify affected customers (data controllers) of any personal data breach without undue delay after becoming aware of the breach, enabling them to fulfill their own notification obligations under Articles 33 and 34.

10.5 Breach Documentation

In accordance with Article 33(5), we maintain a record of all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken. This record is available for inspection by supervisory authorities upon request.

To report a suspected security incident or data breach, please contact us immediately at security@clickreel.io.

11. Data Protection Officer

ClickReel has designated a Data Protection Officer (DPO) to oversee our GDPR compliance efforts and serve as a point of contact for data subjects and supervisory authorities.

The Data Protection Officer can be contacted at dpo@clickreel.io.

The DPO is available to:

  • Assist data subjects with exercising their rights under the GDPR, including access, rectification, erasure, restriction, portability, and objection requests.
  • Provide information about our data processing activities and the measures we have taken to protect personal data.
  • Cooperate with supervisory authorities on matters relating to the processing of personal data.
  • Address questions or concerns about our GDPR compliance practices.

You also have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR. While we encourage you to contact us first so that we can attempt to resolve your concern, this right exists independently and without prejudice to any other administrative or judicial remedy.

12. Updates

We review this GDPR Compliance page annually to ensure that it remains accurate and reflects our current data processing practices and legal obligations. Reviews are conducted in consultation with our Data Protection Officer and legal counsel.

When we make material changes to this page — including changes to our sub-processors, data processing activities, transfer mechanisms, or the rights available to data subjects — we will provide notification by sending an email to the address associated with your ClickReel account. Changes will become effective 30 days after the notification is sent, unless a longer notice period is required by applicable law or regulation.

An archive of previous versions of this GDPR Compliance page is available upon request. To request a prior version, please contact our Data Protection Officer at dpo@clickreel.io.

For any questions about this GDPR Compliance page or our data protection practices, please contact us at gdpr@clickreel.io.