Privacy Policy
Information about the processing of personal data
Introduction
The protection of your personal data is important to us. In this privacy policy, we inform you about the processing of personal data when using ClicksLeft.
Data Controller
The data controller within the meaning of the GDPR is:
Tom Silas Helmke, c/o Online-Impressum.de #4746, Europaring 90, 53757 Sankt Augustin, Germany. Email: mrworldlink1@gmail.com
Data We Collect
Account Data
During registration, we collect: Email address (required), name (optional). This data is necessary for providing our service.
Usage Data
When using our service, we process: Created links and their settings, click analytics (anonymized location data at city/country level, device type, browser), uploaded files (stored encrypted).
Payment Data
Payments are processed through Stripe. We do not store credit card data. Stripe receives the data necessary for payment directly. Our legal basis is Art. 6 para. 1 lit. b GDPR (contract fulfillment).
Server Log Data
With each access, the following data is automatically collected: IP address (anonymized after 7 days), date and time, page accessed, browser type and version, operating system. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in security).
Purpose of Processing
We process your data for the following purposes:
- Provision and operation of the service (Art. 6 para. 1 lit. b GDPR)
- Processing of payments (Art. 6 para. 1 lit. b GDPR)
- Improvement of our offering (Art. 6 para. 1 lit. f GDPR)
- Fulfillment of legal obligations (Art. 6 para. 1 lit. c GDPR)
- Abuse prevention and security (Art. 6 para. 1 lit. f GDPR)
Storage Duration
We store your data only as long as necessary for the respective purposes:
- Account data: Until deletion of your account
- Link data: Until link expiration + 30 days
- Click analytics: 90 days (Free) / 1 year (Pro and higher)
- Files: Until link expiration + 7 days
- Billing data: 10 years (legal retention requirement)
- Server logs: 7 days
Encryption & Security
We employ the highest security standards to protect your data:
End-to-End Encryption
Secret messages (Secrets) are encrypted client-side using AES-256-GCM before reaching our servers. The decryption key is transmitted as a URL fragment (#) and never reaches our servers. Only the recipient with the complete link can decrypt the content.
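The scheme described above, as an added example that is not ClicksLeft's own code: the sender encrypts locally with AES-256-GCM, only the ciphertext is uploaded, and the key travels in the URL fragment, which is not part of the HTTP request. The host `example.invalid`, the `/s/<id>` path, the upload field names and the use of Node's `crypto` module (a browser would use WebCrypto) are assumptions.

```javascript
// Added illustration; function names, URL layout and upload format are assumptions.
const nodeCrypto = require('node:crypto');

const b64u = (buf) => buf.toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');

// Sender: encrypt locally; return what would be uploaded and the link to share.
function createSecret(plaintext, origin = 'https://example.invalid') {
  const key = nodeCrypto.randomBytes(32); // AES-256 key, never uploaded
  const iv = nodeCrypto.randomBytes(12);  // 96-bit GCM nonce, fresh per message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const upload = { iv: b64u(iv), ct: b64u(ct), tag: b64u(cipher.getAuthTag()) };
  const id = nodeCrypto.randomBytes(8).toString('hex'); // hypothetical record id
  const link = `${origin}/s/${id}#${b64u(key)}`;        // key only in the fragment
  return { upload, link };
}

// What a client sends as the request target for a link: path and query only.
// The fragment (and with it the key) stays on the client.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: key comes from the fragment, ciphertext from the server.
// final() throws if the key is wrong or the ciphertext or tag was modified.
function openSecret(link, upload) {
  const key = fromB64u(new URL(link).hash.slice(1));
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, fromB64u(upload.iv));
  d.setAuthTag(fromB64u(upload.tag));
  const pt = Buffer.concat([d.update(fromB64u(upload.ct)), d.final()]);
  return pt.toString('utf8');
}
```

Anyone who obtains the complete link, fragment included, can decrypt the content, so the link itself has to be treated as the secret.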
File Encryption
Uploaded files are stored server-side encrypted using AES-256. Access is provided through temporary, signed URLs that expire after 60 seconds.
Transport Encryption
All connections to ClicksLeft are encrypted using TLS 1.3. We use HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.
Zero-Knowledge Architecture
For end-to-end encrypted Secrets, we have no access to the plaintext content. We cannot decrypt or recover encrypted data.
Recipients and Processors
We work with the following service providers:
Supabase Inc.
Purpose: Database and authentication
Location: USA
Legal Basis: EU Standard Contractual Clauses (SCCs)
Vercel Inc.
Purpose: Hosting and CDN
Location: USA
Legal Basis: EU Standard Contractual Clauses (SCCs)
Stripe Inc.
Purpose: Payment processing
Location: USA
Legal Basis: EU Standard Contractual Clauses (SCCs)
Data Transfer to Third Countries
Some of our service providers are located in the USA. The transfer is based on EU Standard Contractual Clauses (Art. 46 para. 2 lit. c GDPR). These provide an adequate level of data protection. Copies of the Standard Contractual Clauses can be viewed from the respective providers.
Your Rights
Under the GDPR, you have the following rights:
Access (Art. 15 GDPR)
You have the right to receive information about the personal data we process.
Rectification (Art. 16 GDPR)
You have the right to have inaccurate data corrected.
Erasure (Art. 17 GDPR)
You have the right to request deletion of your data, provided no legal retention obligations apply.
Restriction (Art. 18 GDPR)
You have the right to request restriction of processing.
Data Portability (Art. 20 GDPR)
You have the right to receive your data in a common format.
Objection (Art. 21 GDPR)
You have the right to object to the processing of your data insofar as it is based on legitimate interests.
Right to Complain
You have the right to lodge a complaint with a data protection supervisory authority. The responsible authority is: The State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia, Kavalleriestraße 2-4, 40213 Düsseldorf, Germany.
Changes to This Policy
We reserve the right to adapt this privacy policy to changed legal situations or when the service changes. The current version is always available on this page.