This Privacy Policy ("Policy") supplements the Terms of Service ("Terms") and describes how Roxr Software Ltd ("Roxr", "Company", "we", "us", or "our") collects, uses, and shares information provided to us through our website clicky.com (the "Site"), and the services available through our Site ("Clicky", "Service", or "Services").

We collect information about users of our Service (our "Customers"), as well as our Customers' end users ("End Users") (collectively, "you", "your", or "yourself"). Note that Customers are also End Users, as we use our own Service to track itself. Some of the information collected may be Personal Data (defined as personal data of End Users that is processed by Roxr on behalf of Customers). Your rights regarding Personal Data are described in this Policy.

By using the Service, you agree that your information will be handled as described by this Policy, and that your usage and any disputes over privacy are subject to the Agreement.


Information we collect

We collect information about you through your use of our Service and/or from the websites and services provided by our Customers.

From Customers

When you create an account, you provide us with a username, password, real name, and email address, as well as one or more websites that you own and want to monitor with the Service. If you make a purchase, you provide us with your billing information such as card number and address. This information is used for the purposes of having and maintaining your account. Your email is only used for important account notifications, such as a failed payment or expiring subscription, and occasional news and updates about the service.

From End Users

We collect information from End Users under the instruction of our Customers, under which circumstance we have no direct relationship with the End Users.
The following information is logged to our tracking servers when an End User visits a Customer's website.
  • URL & Title of pages viewed
  • URL & Title of any links that are clicked on pages viewed
  • Referrer
  • User agent
  • Screen resolution
  • Language
  • x/y coordinates of mouse events
  • Anonymized IP address
    • For visitors using VPNs such as Apple's iCloud Private Relay Opens in new browser tab, we will always log the full IP address of the VPN, as the visitor's true IP address is already hidden and does not require further anonymization.

  • Additional information that may be logged if visitor privacy is disabled for fraud or security purposes:
    • Full IP address ("IP")
    • Unique ID tracking cookie ("UID") -- Most privacy laws consider a UID cookie to be Personal Data, even though it is randomly generated and does not identify who you are or reveal anything else about you. Its sole purpose is to more accurately track unique visitors.
    • Custom data -- This feature can be used by a site to attach additional data to a visitor, potentially including Personal Data such as a name or email address, but it is against our Terms to log Personal Data using this feature without disclosure or (depending on "legitimate interest") consent. Customers are responsible for obtaining content from End Users, if necessary. This feature requires a small amount of configuration and coding by Customers, so only a small percentage of Customers use it.

Processing of UID and IP Personal Data is lawful and does not require your direct consent because it is "necessary for the purposes of the legitimate interests" (GDPR Article 6), and "necessary to fulfill the legitimate interests" (LGPD Article 7), of websites using the service. These legitimate interests include but are not limited to:
  • Assembling statistics regarding the use of a website. (Accurately counting unique visitors is a vital statistic for any website).
  • Preventing fraud and abuse, and maintaining information security. (Full IP addresses are necessary for this type of usage). (Recital 47 of the GDPR Opens in new browser tab states: "The processing of Personal Data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest".)

As Customers of the Service are also End Users, the information listed above are also collected about our Customers when they are using the Service. The Personal Data that we log is as follows:
  • Your UID and IP address, per the legitimate interests above.
  • Your account username, per the legitimate interests above, as well as to help with customer service needs.


How we use your information


Customers

  • To provide and maintain our Service to you.
  • To help understand how Customers use our Service on an individual and aggregate basis in order to improve it.
  • To help with customer service needs, such as troubleshooting issues that you report to us.
  • To contact you with important account notifications, such as a failed payment or expiring subscription.
  • To contact you with occasional product news and updates.
  • Other research and analytical purposes such as Service performance, Customer behavior and retention, and common navigations through the Site.

End Users



How we share your information


Customer information

We may share your information with service providers or contractors who perform actions or functions on our behalf, but only as necessary to provide and maintain the Service to you. All contractors and links to their privacy policies are listed below.
  • We must share your billing information with our merchant account providers to charge you for the Service: Paypal, Authorize.net

No Customer information is shared with any other third party for any purpose, except for the potential legal reasons listed below.


End User information

End User information collected from a Customer's website is only shared with that Customer.

Customers can view End User geographic locations in an embedded Google Maps, but otherwise, no End User information is shared with any other third party for any purpose -- except for potential legal reasons listed below.


Legal reasons that Customer or End User information may be shared:

  • Meeting applicable laws, regulations, legal processes, or enforceable governmental requests.
  • In response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
  • Detecting, preventing, or otherwise addressing fraud, security, or technical issues.
  • Protecting against harm to the rights, property or safety of Roxr, our Customers, or the public as required or permitted by law.
  • Enforcing applicable Terms of Service.


Cookies

The following cookies are set by the Service. All cookies are first party unless otherwise noted. Temporary/session cookies may not all be listed.

Customers:

login
If you check "remember me" on the login page, this cookie is set for 1 year to automatically log you in on future visits. Deleted if you manually "log out" of the Site.
login_2fa
Secondary "remember me" cookie when two-factor authentication login is enabled for your account. Expires after 30 days. Deleted if you manually "log out" of the Site.
_cky_osa
Third party cookie, for authenticating the on-site analytics widget when visiting your own websites. Saved for 30 days, deleted if you manually "log out" of the Site. If set via proxy tracking, this will also be a first party cookie and saved for 90 days instead.
_cky_ignore
Third party cookie, for ignoring your own visits to your own websites. Saved for 1 year. If set via proxy tracking, this will also be a first party cookie.


End Users:

No tracking cookies are used with the default visitor privacy settings.
If privacy is disabled, the following cookies may be used to enhance tracking:
_first_pageview
There are a few pieces of data that we only need the tracking code to send on the first pageview of a visitor session. This cookie helps us achieve that. Expires after 10 minutes.
_heatmaps_g2g_[site_id]
Heatmaps data is sampled at 50% by default, because it consumes a lot of excess bandwidth and storage. With this cookie, we are able to make the randomness be per visitor instead of per page view. Expires after 10 minutes.
_referrer_og
Stores external referrer for 30 days for better long term attribution of traffic sources.
_utm_og
Stores dynamic (UTM) campaign variables for 30 days for better long term attribution of marketing efforts.
_custom_data_[key]
Only set if a site is using custom data tracking. These cookies cache certain custom data keys for 30 days so that they're attached to sessions even when a visitor is not logged in.
_no_tracky_[site_id]
This cookie reduces bandwidth usage when certain visitor filters are active, and expires after 1 hour. NOTE: The Terms of Service require you to remove the tracking code from all websites upon termination of your account. For sites that break the Terms and leave the code installed, this cookie will always be set, regardless of privacy settings, in order to minimize bandwidth and CPU resource usage on our tracking servers.
_jsuid
A random integer generated upon someone's first visit to a website, for identifying unique visitors as accurately as possible. Stored for 1 year.
aff
If an End User clicks a Customer's affiliate link, we save the Customer's referral ID in this cookie for 30 days.


Regardless of the visitor privacy setting, Customers can also disable tracking cookies manually by setting clicky_custom.cookies_disable.


Security

To the best of our ability, we protect all of our data from loss, misuse, and unauthorized access and destruction.

Secure (HTTPS) access is forced for our Site to help keep your information, including login credentials, secure in transit. Two-factor authentication login is available for Customers that need extra account security.

You are responsible for using a strong and unique password for the Site to help keep your account secure. We are not responsbile for any unauthorized activity on your account because of lost, weak, or compromised passwords, or disabled two-factor authentication.


Personal Data rights

EU, UK and Swiss residents have the legal right to access, correct, and delete their Personal Data, per the General Data Protection Regulation (GDPR), with some exceptions. Residents of California and Brazil have similar rights and exceptions, per the California Consumer Privacy Act (CCPA) and Lei Geral de Proteção de Dados Pessoais (LGPD), respectively.

Customers may contact us directly to access, delete their data. If requested to remove data, we will respond within a reasonable timeframe. End Users, with whom we we have no direct relationship, should send their inquiries directly to the Customer in question, as we are considered simply a "Data Processor" per the GDPR and a "Service Provider" per the CCPA. End Users may opt out of tracking entirely if desired, also known as "Do not sell my personal information" in California.

If we receive a request from an End User in relation to Personal Data processed for a Customer, we will advise the End User to submit their request to Customer, and Customer will be responsible for responding to such request using the tools we have provided on our Site for handling Personal Data requests. Customer agrees to use all reasonable measures to verify the identity and location of an End User before sharing or modifying Personal Data.

To limit the use and disclosure of your Personal Data, please contact us via email.

We will provide an individual opt-out or opt-in choice before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized.

Customers can export their data using the API or the export function, or delete their account using the link at the top of the user preferences page.

We retain Personal Data on behalf of our Customers for as long as needed to provide our Service to them, or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. To protect against accidental or malicious deletion, there is a delay before data is removed from our active systems and data will remain in our backup systems for up to 1 year before it is fully deleted.

The CCPA requires us to disclose the information we have collected and "sold" over the last 12 months. This is covered in Information we collect.

Our Service is not designed for children under 13. If we discover that a child under 13 has provided us with Personal Data, the data will be deleted.


Data Privacy Framework

Roxr complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Roxr has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Roxr has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

The Federal Trade Commission has jurisdiction over Roxr's compliance with the Data Privacy Framework.

In compliance with the EU-US Data Privacy Framework Principles, Roxr commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints should first contact Roxr.

Roxr has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2

In the context of an onward transfer, Roxr has responsibility for the processing of Personal Data it receives under the DPF and subsequently transfers to a third party acting as an agent on its behalf. Roxr shall remain liable under the Principles if its agent processes such Personal Data in a manner inconsistent with the Principles, unless Roxr proves that it is not responsible for the event giving rise to the damage.

As of August 1, 2023, the UK and Swiss DPFs have not yet been finalized, but are expected to be soon. Until that time, Customers within these regions must continue to rely upon the EU Standard Contractual Clauses ("SCCs"), per our Data Processing Agreement.


Contact us

If you need to contact us about privacy, Personal Data, or Data Protection, or would like to make a complaint, please contact us by email.

Roxr Software Ltd
10883 SE Main St #201
Milwaukie, OR, 97222