LEGAL

Privacy Policy

How clickt handles your data, your audience's data, and the data captured by the pixel on customer-domain funnels.

Last updated · 2026-05-15

Draft, counsel review pending. The URLs clickt.link/privacy and clickt.link/terms are wired into the Google OAuth consent screen and need to be reachable. This page covers the standing facts; counsel finalises the language before public launch.

1. Who we are

clickt (the "service", "we", "us", "our") is a YouTube attribution platform for creators selling courses, coaching, and SaaS products. The service is operated by clickt under domains including clickt.link, app.clickt.link, api.clickt.link, and pixel.clickt.link.

For privacy questions, contact support@clickt.link.

2. What data we collect

2.1 Account data (data about you, the customer)

When you sign up:

  • Email address, name (if you provide one)
  • Password (hashed; we never see plaintext)
  • Org / workspace metadata
  • Billing details (handled by Stripe; we store an opaque customer ID, never your card)

2.2 YouTube data (via OAuth, with your consent)

When you connect a YouTube channel via Google OAuth, we request the minimum scope set for the features you use:

  • youtube.readonly, list videos, read metadata, transcripts, public stats
  • youtube.force-ssl, update video descriptions (only for the bulk-rewrite feature you explicitly trigger)

We store:

  • Channel metadata (channel ID, title, custom URL)
  • Per-video metadata (title, description, tags, transcript, publish date, view count snapshot)
  • OAuth refresh tokens, encrypted at rest under a per-workspace data key

We do not retain access tokens (they're derived from refresh tokens on demand). You can revoke our OAuth access at any time via your Google account settings or by disconnecting the channel in the clickt dashboard.

2.3 Audience data (captured by the pixel on your customer-domain funnels)

When your audience clicks a tracked link and lands on your funnel, the clickt pixel captures:

  • The tracked link ID (?cl=…)
  • Page URL (path only; query strings stripped except cl)
  • Referrer (if present; YouTube referrers stripped of video ID by YouTube)
  • Device class (mobile / desktop / tablet)
  • Coarse geolocation (country level only, derived from request IP at the edge)
  • User-agent string
  • Session ID (random, first-party, scoped to your domain)

When your audience submits a form on your funnel (newsletter, lead magnet, checkout):

  • Email address (encrypted at rest with a workspace-scoped key; indexed via HMAC hash for lookup, no plaintext email ever lands in our database)
  • Click ID associated with the session

When your audience completes a conversion (purchase):

  • Transaction ID, amount, currency
  • Email (same encryption story as above)
  • Conversion timestamp

We do not capture: full IP addresses, payment-card numbers, browsing history on your site, names, addresses, phone numbers, or any field that isn't email from audience-facing forms. The pixel observes only what's needed for sale attribution.

2.4 Consent mode

The pixel checks for a configurable consent signal (window.__clickt_consent === true) before reading or writing identity-bearing data. The default in EU geographies (detected via Cloudflare's cf-ipcountry header on first beacon) is OFF, only the anonymous pageview is captured until consent is signalled.

You, the customer, choose the consent posture for your audience by configuring this in the dashboard.

3. Why we collect it

  • Account data, to operate the service, authenticate you, bill you.
  • YouTube data, to provide the per-video attribution and bulk-rewrite features you signed up for. YouTube data is used only to deliver the service to you and is not used for any other purpose, including but not limited to: training AI models, selling to third parties, or any use beyond what's needed to render your dashboard.
  • Audience data, to attribute sales to the videos that drove them. This is the core function of the service.

We do not:

  • Sell any data
  • Train AI models on YouTube data or your audience's data
  • Share data with advertising networks
  • Use data for any purpose beyond delivering the service to you

4. How long we keep it

  • Account data, retained while your account is active; deleted within 30 days of account closure.
  • YouTube refresh tokens, retained while your OAuth connection is active; deleted within 7 days of disconnection.
  • YouTube API data (channel metadata, video metadata, descriptions, transcripts, thumbnails), refreshed via re-imports or deleted within 30 days of the last refresh per Google's YouTube API Services Developer Policies. On disconnect or account deletion, all stored YouTube API data is deleted within 7 days. You can request immediate deletion at support@clickt.link and we'll complete it within 7 days.
  • Audience event data, retained while your workspace is active. On workspace closure, retained 90 days then deleted.
  • Email associations, retained 90 days, rebuilt from events as needed.

5. Sub-processors

We use the following sub-processors:

  • Cloudflare, edge runtime + CDN + DNS
  • Neon, Postgres database hosting
  • Resend, transactional email
  • Stripe, billing
  • Axiom, operational logging
  • Sentry, error monitoring (browser-side only)

Each sub-processor has signed a Data Processing Agreement and operates under SOC 2 or equivalent certification.

6. Your rights

Under GDPR / UK GDPR / CCPA:

  • Access, request a copy of your data
  • Rectification, correct inaccurate data
  • Erasure, delete your account and associated data
  • Portability, export your data in machine-readable format
  • Restriction / objection, limit how we process your data

Email support@clickt.link. We respond within 30 days for general privacy requests and within 7 days for YouTube-data deletion requests per Google's YouTube API Services requirements.

7. YouTube API Services compliance

clickt's use of information received from YouTube APIs adheres to the YouTube API Services Terms of Service and the Google Privacy Policy.

7.1 Limited Use of Google user data

clickt's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data (including YouTube API data) only to provide and improve the per-video attribution, bulk-rewrite, and continuous re-tag features described above. We do not use it for any other purpose.
  • We do not sell Google user data.
  • We do not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
  • We do not use Google user data to develop, improve, or train generalised or non-personalised AI/ML models. Any AI features clickt offers operate on customer- configuration data only (never on YouTube data).
  • We do not transfer Google user data to any third party except (i) to provide or improve the service via the sub-processors listed in §5, (ii) where required by law, or (iii) as part of a merger or acquisition with prior notice to you.
  • Human access to Google user data is restricted to (i) you and users you've invited to your workspace, (ii) clickt staff with legitimate operational need under a confidentiality obligation, (iii) where required by law, and (iv) where necessary to address security or abuse concerns.

7.2 Revocation and deletion

  • Revoke clickt's access to your Google account at any time via the Google Account permissions page.
  • Disconnect a channel inside the clickt dashboard at any time. The refresh token is deleted within 7 days and the cached YouTube API data (channel metadata, video metadata, descriptions, transcripts) within 7 days of disconnect.
  • Request full data deletion by emailing support@clickt.link. YouTube-data deletion is completed within 7 days; broader account deletion within 30 days.

7.3 Refresh and retention

YouTube API data we store (channel metadata, video metadata, descriptions, transcripts, thumbnails) is refreshed on each import or background re-tag run. Data not refreshed within 30 days is deleted from our systems per Google's YouTube API Services Developer Policies.

8. Changes to this policy

We'll email you at least 30 days before any material change. The current version is always at clickt.link/privacy with the updatedAt date in the page metadata.