Legal

Privacy Policy

How Clicktics collects, uses, and protects data — for our customers and for the visitors of the websites our customers measure. Written to be read, not skimmed past.

Last updated: July 2026

1. Data we collect

Clicktics is an analytics platform. Depending on how you interact with us, we process three broad kinds of data:

  • Session recordings.Our SDK captures anonymized reconstructions of how visitors interact with our customers' websites — mouse movement, scrolling, clicks, and page structure. Text typed into form fields is masked by default: inputs such as passwords, emails, payment details, and any field a customer marks as sensitive are replaced with placeholder characters before the recording ever leaves the visitor's browser.
  • Analytics events. Page views, referrers, UTM parameters, device and browser type, coarse geolocation derived from IP (the IP itself is truncated and not stored in raw form), console errors, and custom events our customers define.
  • Chat transcripts. If a visitor uses the live-chat widget, we store the conversation, the name or email the visitor chooses to provide, and enough context (current page, browser) for the support team to help.

If you hold a Clicktics account, we additionally store your name, email address, a salted password hash, billing details, and workspace settings.

2. How session recording works

Recording is designed to be privacy-preserving from the first byte. Sensitive fields are masked at the edge— inside the visitor's browser, before any data is transmitted to our servers. We never receive the unmasked values, so we cannot store, leak, or be compelled to disclose them.

  • Password, credit-card, and other sensitive input types are always masked and cannot be unmasked by configuration.
  • Customers can extend masking to any element with a CSS class or attribute, or exclude entire pages from recording.
  • The SDK sets no third-party cookies and does not use cross-site tracking. Visitor identification is scoped to the single website being measured.
  • Recordings are transmitted over TLS and stored encrypted at rest.

3. Data retention

Session recordings and analytics events are retained for the period defined by the customer's plan, after which they are automatically and permanently deleted. Chat transcripts follow the same retention window. Account and billing records are kept for as long as the account is active and as required by tax and accounting law afterwards.

When a customer deletes their workspace, all associated recordings, events, transcripts, and visitor profiles are purged from our systems within 30 days, including backups on their normal rotation.

4. Your GDPR rights

If you are in the EU/EEA or UK, you have the right to access, rectify, erase, restrict, and port personal data concerning you, and to object to certain processing. For data we process on behalf of our customers (recordings and events from their websites), we act as a processor — the website owner is the controller, and we support them in fulfilling your requests.

  • Customerscan handle visitor access and erasure requests directly from the dashboard's Privacy page, which locates and deletes all data tied to a visitor.
  • Anyone can email [email protected] and we will respond within 30 days.

You also have the right to lodge a complaint with your local supervisory authority.

5. CCPA and Global Privacy Control

If you are a California resident, you have the right to know what personal information we collect, to request its deletion, and to opt out of its sale or sharing. Clicktics does not sell personal information and does not share it for cross-context behavioral advertising.

Our SDK honors the Global Privacy Control (GPC)signal: when a visitor's browser sends GPC, recording and analytics for that visit are treated as an opt-out and processed accordingly. To exercise CCPA rights, use the contact details in section 8 — we will not discriminate against you for doing so.

6. Subprocessors

We use a small number of vetted service providers to run Clicktics — cloud infrastructure and storage, transactional email delivery, and payment processing. Each subprocessor is bound by a data-processing agreement, processes data only on our instructions, and is reviewed before onboarding. EU customer data is hosted in our Frankfurt region.

A current list of subprocessors is available on request at [email protected]. We give customers advance notice before adding or replacing a subprocessor.

7. Security

All data is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is limited to a small set of engineers, protected by hardware-key MFA, and logged. We follow independent security best practices and undergo periodic third-party penetration testing. We do not claim certifications we do not hold — if you need a security questionnaire completed for procurement, contact us and we will answer it honestly.

8. Contact

Questions about this policy, our data practices, or a rights request? Reach us at [email protected], or via the contact page. Customers can also open a ticket from their dashboard. We aim to respond to privacy inquiries within two business days.

This policy applies to clicktics.com and the Clicktics platform. We may update it as the product or the law changes; material changes are announced to account owners by email and noted at the top of this page.