Privacy Policy

1. Introduction

ClickReel ("ClickReel," "we," "us," or "our") operates the clickreel.io website, the ClickReel dashboard application, the ClickReel JavaScript SDK, and associated APIs (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you access or use our Service.

This Privacy Policy applies to all users of the Service, including account holders who access the dashboard, website visitors, and end users who interact with the ClickReel SDK embedded on customer websites. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

This Privacy Policy is effective as of March 8, 2026. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

We collect different types of information depending on how you interact with our Service. The categories of information we collect are described below.

2.1 Account Information

When you create a ClickReel account, we collect the following information:

• Name and email address — used for account identification, authentication, and service communications.
• Password — stored as a one-way bcrypt hash. We never store or have access to your plaintext password.
• Company or organization name — used for workspace and account management within our multi-tenant system.
• Account role — your role within your organization (owner, admin, member, or viewer) for access control purposes.

2.2 Usage and Analytics Data

When you use the ClickReel dashboard, we collect information about how you interact with our platform, including pages visited, features used, campaign configurations, and general usage patterns. This data helps us improve the Service and provide a better user experience.

2.3 SDK Event Data

When the ClickReel SDK is embedded on a customer website, it collects engagement event data from end users who interact with video content. This data includes:

• Engagement events — page views, bubble impressions, bubble hovers, bubble clicks, video plays, video pause events, video progress milestones (25%, 50%, 75%, 100%), call-to-action clicks, story interactions, and dismiss actions.
• Intent scores — a calculated engagement score (0–100) derived from weighted event data that indicates the level of user interest. Intent scores are categorized into tiers: Low (0–19), Medium (20–49), and High (50+).
• Session identifiers — server-generated session IDs used to group events within a single visit. These are not cookies and expire after 30 minutes of inactivity.

The ClickReel SDK does not use cookies, browser fingerprinting, or any persistent client-side storage for tracking purposes.

2.4 Device Information

The SDK collects limited device information to ensure proper functionality and for analytics purposes. This includes browser type and version, operating system, screen size and resolution, and referring URL. This information is collected automatically and is not used to identify individual users.

2.5 Payment Information

Payment processing is handled entirely by our third-party payment processor, Stripe, Inc. We do not store, process, or have access to your full credit card numbers, bank account details, or other sensitive financial information. We receive and store only limited transaction information from Stripe, such as the last four digits of your card, card brand, expiration date, and billing address for invoicing purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

We use your account information to provide, maintain, and operate the Service, including authenticating your identity, managing your workspace and campaigns, delivering video engagement experiences through the SDK, and providing customer support.

3.2 Intent Scoring and Analytics

We process SDK event data to calculate intent scores and provide analytics to our customers. Intent scoring uses a weighted algorithm to evaluate user engagement levels and categorize sessions by interest tier. This information is presented through the analytics dashboard, enabling customers to understand how end users engage with their video content.

3.3 Ad Platform Synchronization

When a customer configures ad platform integrations (Meta Conversions API or Google Ads GA4 Measurement Protocol), we synchronize high-intent engagement data to those platforms on the customer's behalf. This synchronization occurs only when explicitly configured by the customer and uses encrypted credentials provided by the customer. ClickReel acts as a data processor in this context, transmitting data per the customer's instructions.

3.4 Security and Fraud Prevention

We use account activity data, access logs, and rate limiting to detect, prevent, and respond to security threats, fraudulent activity, and abuse of the Service. This includes monitoring for unauthorized access attempts, abnormal usage patterns, and potential vulnerabilities.

3.5 Communications

We use your email address to send transactional communications related to the Service, including account verification, password resets, billing notifications, security alerts, and important service updates. We will not send marketing or promotional emails without your explicit opt-in consent, and you may unsubscribe from any marketing communications at any time.

4. Data Sharing

We share personal information only in the limited circumstances described below. We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

4.1 Ad Platforms

When customers configure ad platform integrations, engagement event data is transmitted to the configured platforms (Meta Platforms, Inc. via the Conversions API, or Google LLC via the GA4 Measurement Protocol). This sharing occurs only at the customer's direction and is limited to the data necessary for conversion tracking and optimization. In this context, ClickReel acts as a data processor on behalf of the customer.

4.2 Payment Processor

We share billing and payment information with Stripe, Inc. to process subscription payments, manage billing cycles, and handle refunds. Stripe's handling of your payment data is governed by Stripe's own Privacy Policy.

4.3 Infrastructure Providers

We use third-party infrastructure providers for hosting, data storage, and content delivery. These providers process data on our behalf under data processing agreements that require them to maintain the confidentiality and security of your information and to use it only for the purposes of providing their services to us.

4.4 Legal Requirements

We may disclose personal information if required to do so by law or if we believe in good faith that such disclosure is necessary to comply with a legal obligation, respond to a subpoena, court order, or other legal process, protect and defend our rights or property, prevent or investigate possible wrongdoing in connection with the Service, or protect the personal safety of users or the public.

5. Cookies & Tracking

ClickReel takes a privacy-first approach to tracking and uses minimal cookies across the Service.

5.1 SDK — Cookie-Less by Design

The ClickReel SDK is entirely cookie-less. It does not set, read, or rely on any browser cookies for its operation. Session identification is handled through server-generated session IDs that are maintained in memory during an active browsing session and expire after 30 minutes of inactivity. The SDK does not use localStorage, sessionStorage, IndexedDB, or any other persistent client-side storage mechanism for tracking purposes.

5.2 Dashboard Authentication Cookie

The ClickReel dashboard uses a single httpOnly authentication cookie (auth_token) to maintain your login session. This cookie contains a JSON Web Token (JWT) with a 7-day expiration period. It is strictly functional — used solely for session authentication — and is marked httpOnly to prevent access by client-side JavaScript.

5.3 No Third-Party Tracking or Fingerprinting

We do not use any third-party tracking cookies, advertising pixels, or analytics trackers on our platform. We do not employ browser fingerprinting or any other cross-site tracking techniques. The limited device information collected by the SDK (browser type, OS, screen size) is used solely for functionality and aggregate analytics and is not used to create persistent user profiles or track users across websites.

6. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law. Our retention periods are as follows:

• Account data — retained for the duration of your active account and for 30 days following account deletion or cancellation to allow for account recovery. After 30 days, account data is permanently deleted.
• Event data — retained based on your subscription plan tier. Starter plans retain event data for 7 days, Growth plans for 30 days, and Pro plans for 90 days. After the applicable retention period, event data is automatically purged.
• Session data — active sessions expire after 30 minutes of inactivity. After expiration, individual session data is aggregated into anonymous statistical summaries and the granular session records are deleted.
• Payment records — retained as required by applicable tax and financial regulations, typically for a period of seven (7) years.

7. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

• Right of Access — you may request a copy of the personal information we hold about you, including a description of how it is used and with whom it has been shared.
• Right to Correction — you may request that we correct inaccurate or incomplete personal information. You can also update most account information directly through the dashboard settings.
• Right to Deletion — you may request the deletion of your personal information, subject to certain legal exceptions. Account deletion can be initiated through your account settings or by contacting us directly.
• Right to Data Portability — you may request a machine-readable copy of the personal information you have provided to us, in a commonly used format such as JSON or CSV.
• Right to Restriction of Processing — you may request that we restrict the processing of your personal information in certain circumstances, such as while we verify the accuracy of your data.
• Right to Objection — you may object to the processing of your personal information for certain purposes, including processing based on our legitimate interests.

To exercise any of these rights, please contact us at privacy@clickreel.io. We will respond to all verified requests within 30 days. In certain circumstances, we may need to verify your identity before processing your request, and we may request additional information to do so.

8. Children's Privacy

The Service is not directed at children under the age of 16, and we do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will take reasonable steps to delete that information as promptly as possible. If you believe that a child under 16 has provided us with personal information, please contact us at privacy@clickreel.io so that we can take appropriate action.

Our customers are responsible for ensuring that the ClickReel SDK is not deployed on websites or pages directed at children under 16, and that their use of the Service complies with the Children's Online Privacy Protection Act (COPPA) and equivalent regulations in their jurisdiction.

9. International Transfers

ClickReel is based in the United States, and the data we collect is primarily processed and stored in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, along with supplementary measures where appropriate, to ensure that adequate safeguards are in place to protect your personal data. For more information about our GDPR compliance and international transfer mechanisms, please see our GDPR Compliance page.

10. Security Measures

We implement robust technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption at rest — integration credentials (such as Meta CAPI access tokens and Google Ads API keys) are encrypted using AES-256-GCM with PBKDF2-derived keys and per-credential salt and initialization vectors.
• Password hashing — all user passwords are hashed using bcrypt with appropriate work factors, ensuring that plaintext passwords are never stored or transmitted.
• Encryption in transit — all communications between clients and the Service are encrypted using HTTPS/TLS.
• Content Security Policy — strict CSP headers are configured to prevent cross-site scripting (XSS) and other injection attacks.
• Rate limiting — authentication endpoints are protected with rate limiting to prevent brute-force attacks (5 login attempts per 15 minutes, 3 registration attempts per hour).
• Regular security reviews — we conduct periodic security assessments and code reviews to identify and remediate potential vulnerabilities.

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data, but we are committed to maintaining industry-standard protections.

11. Third-Party Links

The Service may contain links to third-party websites, services, or content, including links within video call-to-action buttons configured by our customers. We are not responsible for the privacy practices, content, or security of any third-party websites or services. We encourage you to review the privacy policies of any third-party sites you visit.

Additionally, the ClickReel SDK is embedded on customer websites that are independently operated. We are not responsible for the privacy practices of those customer websites beyond the data collected by the ClickReel SDK as described in this Privacy Policy.

12. Changes to Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this page.

For material changes that significantly affect how we collect, use, or share your personal information, we will provide at least 30 days' advance notice by sending an email to the address associated with your account. Your continued use of the Service after the effective date of any revised Privacy Policy constitutes your acceptance of the updated terms.

13. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

• Email: privacy@clickreel.io
• Company: ClickReel, Inc.

For EU/EEA residents with questions about your rights under the General Data Protection Regulation (GDPR), please visit our GDPR Compliance page or contact our Data Protection Officer at dpo@clickreel.io.