Privacy Policy

Last updated: February 19, 2026

This Privacy Policy explains how Klyqme collects, uses, shares, and protects personal information. We are committed to transparency and to protecting your privacy.

1. Scope of This Policy

This Privacy Policy applies to all personal information collected through Klyqme's services, including our website (klyqme.com), dashboard (app.klyqme.com), URL shortening service (klyq.me), bio pages hosted on any domain (including custom domains), the Klyqme API, and any related features or services. This policy applies regardless of how you access the Service: via web browser, mobile device, or API.

2. Who We Are

Klyqme is the data controller for personal information collected through our services. Klyqme also acts as a data processor when processing Visitor data, click analytics, and email signups on behalf of Users who create links and bio pages. Users who create links, bio pages, or collect data through forms act as independent data controllers for their Visitors' personal data and are responsible for maintaining their own privacy notices.

For privacy inquiries, contact us at privacy@klyqme.com.

3. Who This Policy Applies To

This policy applies to four categories of individuals:

• Account Holders ("Users"): People who register for a Klyqme account to create links, bio pages, QR codes, and digital products.
• Visitors ("End Users"): People who click shortened links, view bio pages, or scan QR codes, whether or not they have a Klyqme account.
• Customers: People who purchase digital products through the Klyqme marketplace.
• Website Visitors: People who browse klyqme.com or our marketing pages without creating an account.

Most Visitors interact with Klyqme without realizing it: for example, by clicking a shortened link. This policy explains what data we collect from each category and how we handle it.

4. Information We Collect

4a. Information You Provide Directly

When you create an account or use our services, we collect:

• Email address: for account creation, login, and transactional communications
• Name: for account personalization and display
• Password: stored securely using one-way hashing (bcrypt); we cannot read your password
• Google account data (if using social login): name, email address, and profile picture, as authorized during the Google sign-in process
• Team and organization information: team name and member roles
• Bio page content: titles, descriptions, images, links, and block configurations you create
• Digital product information: product titles, descriptions, files, and pricing
• Email signups: email addresses collected through bio page forms are stored on your behalf

4b. Information Collected Automatically

When Visitors click links, view bio pages, or scan QR codes, we automatically collect:

• IP address: used to derive approximate geographic location (country and city), then retained for a limited period
• Device type, browser, and operating system: parsed from the User-Agent request header
• Referrer URL: the web page from which the Visitor arrived
• UTM parameters: campaign tracking data included in the URL (utm_source, utm_medium, utm_campaign, etc.)
• Timestamp: the date and time of the click, view, or scan
• A unique click or view identifier: a randomly generated ID for analytics purposes

For link redirects, we do NOT place tracking cookies on Visitors. Geographic and device data is derived entirely server-side from standard HTTP request headers. This means clicking a shortened link does not store anything on your device.

4c. Information from Third Parties

We receive limited information from the following third-party services:

• Google (social login): name, email address, and profile picture, only when you choose to sign in with Google
• Stripe: payment confirmations, subscription status, and Stripe Connect account information for marketplace creators
• Mailchimp (User-configured): audience list identifiers, used when Users connect their Mailchimp account to auto-sync email signups

5. How We Use Your Information

We use your information for the following purposes:

• Provide the core Service: URL shortening, bio page hosting, QR code generation, and analytics
• Process payments: manage subscriptions, process marketplace transactions, and facilitate creator payouts via Stripe
• Deliver analytics: provide click, view, and scan data to Users through the analytics dashboard
• Facilitate digital product transactions: process orders, generate download tokens, and enable product delivery
• Send transactional communications: account verification, password resets, billing receipts, and important service updates via Resend
• Detect and prevent abuse: identify spam, phishing, bot traffic, and malicious links through rate limiting and automated analysis
• Ensure security: authenticate sessions, prevent unauthorized access, and protect the Service infrastructure
• Support A/B testing: assign Visitors to variations and measure performance differences
• Fire retargeting pixels: execute Meta, Google, TikTok, or LinkedIn pixels on behalf of Users who configure them
• Deliver email signups: sync captured emails to Users' Mailchimp accounts or webhook endpoints
• Improve the Service: analyze usage patterns to develop new features and optimize existing ones

Legal Bases for Processing (GDPR)

For individuals in the European Economic Area (EEA), United Kingdom, or other jurisdictions that require a legal basis for processing personal data, we rely on:

• Contract performance: account management, service delivery, payment processing, and digital product fulfillment
• Legitimate interest: analytics, security, abuse prevention, service improvement, and bot detection. We balance our interests against the rights of data subjects and implement appropriate safeguards.
• Consent: marketing communications, social login via Google, and retargeting pixels (configured by Users for their Visitors)

6. How We Share Your Information

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising for our own purposes.

We share data with the following categories of recipients:

• Service providers: companies that help us operate the Service (see Subprocessors below)
• Klyqme Users: aggregated, non-personally-identifiable analytics about their links, bio pages, and QR codes
• Ad platforms: IP address and User-Agent sent to advertising platforms (Meta, Google, TikTok, LinkedIn) only when a User has configured retargeting pixels on their links or bio pages
• Mailchimp: email signups forwarded to Users' connected Mailchimp accounts
• Stripe and Stripe Connect: payment data and payout information necessary for transaction processing
• Law enforcement and legal authorities: when required by applicable law, legal process, or to protect the rights, property, or safety of Klyqme, our Users, or the public

Subprocessors

We use the following third-party service providers to operate the Service:

• Vercel: hosting, edge functions, and content delivery (US and global edge network)
• PostgreSQL hosting provider: primary database
• Upstash: Redis for rate limiting and click deduplication (US)
• Stripe: payment processing and marketplace payouts (US)
• Resend: transactional email delivery (US)
• AWS S3: file storage for digital products
• Google: OAuth authentication for social login (US)

7. Cookies and Tracking Technologies

We use a minimal number of cookies, and we do not place tracking cookies on Visitors during link redirects.

The cookies we use:

• Session cookie (JWT): Strictly necessary for authentication of logged-in Users. Duration: 1 day. No consent required.
• Password protection cookie: Strictly necessary when accessing password-protected links. Duration: session. No consent required.
• Locale preference cookie: Stores your selected language. Duration: 1 year.
• Bio page visitor cookie (_klyq_vid): Identifies returning visitors for bio page analytics. HttpOnly. Duration: 14 days. No consent required.

For bio pages, Users may configure third-party retargeting pixels (Meta Pixel, Google Tag, TikTok Pixel, LinkedIn Insight Tag) that may set their own cookies. The User who configured these pixels is responsible for obtaining appropriate consent from their Visitors.

8. Data Retention

We retain data only as long as necessary for the purposes described in this policy:

• Account data: retained while your account is active, plus a 30-day grace period after account deletion
• Click and analytics data: retained according to your subscription plan (7 to 120 days of queryable history), up to a maximum of 24 months for aggregated records
• IP addresses: retained for up to 90 days, then deleted or truncated
• Payment and order records: retained for 7 years to comply with tax and legal requirements
• Deduplication hashes: automatically expire after 1 hour
• Digital product download tokens: valid for 30 days or 5 downloads, whichever comes first
• Deleted account data: permanently purged after the grace period

You may request earlier deletion of your data by contacting privacy@klyqme.com, subject to our legal obligations to retain certain records.

9. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) and compliance with the EU-US Data Privacy Framework where applicable. Vercel's edge network may process initial requests at the edge location nearest to the Visitor before routing to our primary infrastructure.

10. Data Security

We implement technical and organizational measures to protect your data, including:

• Password hashing using bcrypt with salt rounds
• Encrypted session tokens (JWT with HS256 signing)
• Encrypted tracking pixel credentials and webhook secrets (AES-256-GCM)
• HTTPS encryption for all connections
• Secure, httpOnly, sameSite cookies
• Rate limiting on authentication and sensitive API endpoints

No system is completely secure. In the event of a data breach affecting your personal information, we will notify affected individuals and relevant supervisory authorities as required by applicable law, including within 72 hours for GDPR-covered breaches.

11. Your Privacy Rights

11a. GDPR Rights (EEA, UK, and Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the right to:

• Access: request a copy of the personal data we hold about you
• Rectification: request correction of inaccurate or incomplete data
• Erasure: request deletion of your personal data ("right to be forgotten")
• Restriction: request that we limit how we process your data
• Portability: receive your data in a structured, machine-readable format
• Object: object to processing based on legitimate interest
• Withdraw consent: withdraw previously given consent at any time
• Lodge a complaint: file a complaint with your local supervisory authority

We will respond to your request within 30 days. Requests can be submitted to privacy@klyqme.com.

11b. US State Privacy Rights

If you are a resident of California, Virginia, Colorado, Connecticut, Texas, or other US states with privacy legislation, you may have the right to:

• Know what personal information we collect, use, and share
• Delete your personal information
• Correct inaccurate personal information
• Opt out of the sale or sharing of personal information (note: we do not sell personal information)
• Non-discrimination for exercising your privacy rights

We will respond to verifiable requests within 45 days. To submit a request, contact privacy@klyqme.com.

11c. Canadian Privacy Rights (PIPEDA)

If you are a Canadian resident, you have the right to:

• Access your personal information held by Klyqme
• Challenge the accuracy and completeness of your data and have it corrected
• File a complaint with the Office of the Privacy Commissioner of Canada

12. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without appropriate parental consent, we will take steps to promptly delete that information. If you believe we may have collected data from a child, please contact us at privacy@klyqme.com.

13. Third-Party Links and Services

Short links created through the Service redirect Visitors to third-party websites. Bio pages may contain embedded content from third-party services. We have no control over and are not responsible for the privacy practices, content, or security of third-party websites and services. We encourage Visitors to review the privacy policies of any third-party website they visit through our Service.

14. Marketplace and Payment Data

Klyqme facilitates digital product transactions between creators and Customers. All payment processing is handled by Stripe: we never have access to or store credit card numbers or full payment card details. The data we store for marketplace transactions includes: order identifier, product reference, transaction amount, Customer email address, and a secure download token. Stripe acts as an independent data controller for the payment data it processes. For more information, please refer to Stripe's privacy policy. Creator payouts are processed through Stripe Connect, and creator banking details are held solely by Stripe.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (to the address associated with your account) or by posting a prominent notice within the Service. The "Last updated" date at the top of this policy will reflect the most recent revision. We encourage you to review this policy periodically.

16. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at privacy@klyqme.com. For general support inquiries, contact support@klyqme.com.