Privacy Policy

Our Commitments, in Short

• We do not sell personal data through ordinary use of the Services (see Section 6 for more info).
• We do not use your Input Content to train any ClickSet-operated model without authorization. Some enrichment features rely on independent third-party model providers we don't directly contract with, and we do not guarantee that any specific provider refrains from retaining or training on data submitted through the Services.
• No advertising or ad tracking in connection with Input Content, Output Data, or Third-Party Records.
• You're responsible for your data sources. If you direct the Services to collect data from a given website, list, or provider, you are the one who must have the right to do so.

1. Scope and Roles

This Privacy Policy applies to clickset.ai, the ClickSet platform, our API, dashboard, and related tooling (collectively, the "Services").

This Policy distinguishes between:

• Customers: Companies and individuals who hold a ClickSet account.
• Customer Users: Individuals who access a Customer's account on the Customer's behalf.
• Third-Party Records: Data about people or businesses that a Customer directs the Services to collect, scrape, or enrich. ClickSet has no direct relationship with the individuals reflected in Third-Party Records.

With respect to Account Information and billing, ClickSet is the data controller. With respect to Input Content, Output Data, and any Third-Party Records processed through the Services, the Customer is the data controller and ClickSet acts solely as a data processor / service provider, operating strictly on the Customer's instructions as set out in the applicable DPA. ClickSet does not independently decide to collect data about any individual; it executes the collection, research, and enrichment tasks that Customers configure and direct, and does not monitor, review, or verify Input Content, Output Data, or Third-Party Records for accuracy, legality, or appropriateness, except as ClickSet may elect to do in its discretion to detect violations of the Acceptable Use Policy or as required by law.

2. Information We Collect

• Account Information. Name, work email, password or SSO credentials, company name, billing details, and transaction history.
• Input Content. The prompts, target URLs, lists, files, and API parameters a Customer submits to direct the Services ("Input Content").
• Output Data. The records and structured data the Services generate as a result of processing Input Content, which may include Third-Party Records ("Output Data").
• Usage and Log Data. API call metadata, request volume, error logs, IP address, device/browser type, timestamps, and feature usage.
• Communications. Anything sent to us via support, sales, or email.
• Information from Other Sources. Information from publicly available sources and third-party data providers, accessed at a Customer's direction, and information from fraud-prevention and security partners.

ClickSet does not select, target, or curate the categories of Third-Party Records collected through the Services; that is determined entirely by Customer configuration. See Section 4.

3. How We Use Information

We use the categories above to:

• Provide, secure, and maintain the Services, including executing Customer-directed scraping and enrichment jobs;
• Process payments and manage accounts;
• Respond to support requests and provide service-related communications;
• Detect and prevent fraud, abuse, and security threats, including misuse of the Services in violation of our Terms of Service or Acceptable Use Policy;
• Comply with legal obligations; and
• Improve the reliability and performance of the Services using de-identified, aggregated usage statistics.

We do not use Input Content, Output Data, or Third-Party Records for advertising or to build advertising profiles.

4. Customer Responsibility for Data Sources

Because ClickSet's Services are directed entirely by Customer configuration, the Customer is solely responsible for:

• Having a lawful basis and any necessary rights, licenses, consents, or notices required to direct the Services to access, collect, scrape, or enrich any data, including data about third parties;
• Complying with the terms of service, robots.txt directives, and access restrictions of any website or source the Customer directs the Services to access;
• Complying with applicable law in the Customer's use of the Services, including data protection law (e.g., GDPR, CCPA), anti-hacking and computer-access law (e.g., the CFAA and analogous statutes), intellectual property law, and marketing/communications law (e.g., CAN-SPAM, TCPA) applicable to the Customer's downstream use of Output Data;
• Independently fulfilling any obligations owed to individuals reflected in Third-Party Records, including responding to their requests to access, correct, or delete their data, since ClickSet, as a processor with no direct relationship to those individuals, is frequently not in a position to verify, access, or act on such data independently of the Customer;
• Not directing the Services to collect special categories of sensitive personal data (health, biometric, precise geolocation of natural persons, etc.) unless the Customer has independently confirmed a lawful basis to do so and has provided any required notice to affected individuals; and
• Selecting model and processing configurations (see Section 5) appropriate to the sensitivity of the data the Customer submits, and confirming with ClickSet in advance, in writing, if a specific contractual data-handling guarantee is required before submitting sensitive Input Content.

ClickSet does not review, vet, or independently verify the legality of any data source, website, or data subject that a Customer directs the Services to access, and undertaking such verification is not a service ClickSet provides. ClickSet's role is limited to executing Customer instructions as configured, subject to the Acceptable Use Policy and Terms of Service. ClickSet reserves the right to restrict or suspend any use of the Services that it determines, in its discretion, may violate this Policy, the Terms of Service, applicable law, or the rights of any third party. Nothing in this Policy constitutes legal advice or a guarantee that any particular use of the Services complies with law applicable to the Customer's business, jurisdiction, or data sources; Customers must independently assess their own legal obligations. The full allocation of liability, representations, warranties, and indemnification obligations between ClickSet and the Customer is set out in the Terms of Service and DPA, not this Policy.

5. AI Processing and Third-Party Model Providers

Many of ClickSet's enrichment and AI-assisted features work by sending Input Content to large language models operated by independent third parties ("Model Providers"), accessed through a third-party AI infrastructure and model-routing service that ClickSet contracts with (our "Infrastructure Provider"). This architecture lets ClickSet offer access to a range of models without operating them directly.

• What ClickSet directly controls. ClickSet does not use Input Content or Output Data to train any model that ClickSet itself operates, without explicit authorization. Aggregated, de-identified usage statistics (request volume, latency, general task category) may be used to monitor and improve the Services. The specific data-handling terms for your account are set out in your Customer Agreement and/or DPA, which control over this public Policy in the event of a conflict.
• What ClickSet does not directly control. ClickSet does not have a direct contractual relationship with each individual Model Provider accessed through our Infrastructure Provider. Whether a given Model Provider retains Input Content or Output Data, or uses it to train that provider's own models, is governed by an arrangement between the Infrastructure Provider and that Model Provider, and represented to ClickSet by the Infrastructure Provider; ClickSet relies on those representations and cannot independently verify them.
• No guarantee of no-training or zero-retention processing. ClickSet does not warrant or guarantee that any specific Model Provider, model, or request is processed under no-training or zero-data-retention terms. ClickSet may, at its discretion, route Input Content and Output Data to Model Providers, models, or tiers (including free, promotional, lower-cost, or otherwise discounted options that retain or train on data) for reasons of cost, performance, availability, or otherwise, and reserves the right to do so without prior notice to the Customer. Customers should not submit Input Content they intend to keep confidential, or wish to exclude from any third party's training data, unless they have independently confirmed in writing that the specific configuration available to them guarantees that outcome.
• Customer responsibility. Customers are responsible for determining whether the Services, as configured for their account, are suitable for any sensitive, confidential, or regulated data before submitting it.

6. How We Share Information

We disclose information in these circumstances:

• Sub-processors and vendors: hosting, cloud infrastructure, payment processing, customer support tooling, and our AI Infrastructure Provider (see Section 5), each bound by a written contract limiting their use of data to performing services for ClickSet, except that the data-handling practices of independent Model Providers accessed through our Infrastructure Provider are governed by those providers' own terms, as described in Section 5, and are outside ClickSet's control. A current sub-processor list is available at [link].
• Business transfers: in a merger, acquisition, or asset sale, data may transfer to a successor entity.
• Legal and safety reasons: we may disclose information (i) if required by law or in the good-faith belief that disclosure is necessary to comply with a legal obligation; (ii) to protect and defend ClickSet's rights or property; (iii) if we determine, in our discretion, that there has been a violation of our terms, policies, or applicable law; (iv) to detect or prevent fraud, abuse, or security threats; (v) to protect the safety, security, or integrity of our Services, our personnel, our users, or the public; (vi) to protect against legal liability; or (vii) as evidence in any litigation, dispute, or proceeding involving ClickSet. Where not legally prohibited from doing so, we may, in our discretion, notify the affected Customer of legal requests directed at their data, but are under no obligation to do so.
• Affiliates: within our corporate family, consistent with this Policy.
• At Customer direction: where a Customer connects a third-party integration or exports data, governed by that third party's own terms.

Is this a "sale"? Under most data-protection frameworks, ClickSet's processing of Input Content, Output Data, and Third-Party Records at a Customer's direction is a service-provider/processor activity, not a "sale" or "share" of personal information, because ClickSet does not independently determine the purpose of that processing. If ClickSet ever offers a separately branded product that makes ClickSet's own proprietary data assets available to customers (rather than processing data the Customer directs us to collect), that activity may constitute a "sale" or "share" under laws such as the CCPA, and will be disclosed separately along with an opt-out mechanism at that time. [Placeholder: confirm against ClickSet's actual product structure and update if/when such a feature exists.]

7. Data Retention

• Account and billing data is kept for as long as the account is active, plus the period required for tax, accounting, and dispute-resolution purposes.
• Input Content and Output Data are retained as long as the user maintains an account. We aim to delete such data within a commercially reasonable period after a deletion request or account closure, consistent with the timeframes permitted under applicable law, except where we determine that retaining limited data longer is necessary for fraud prevention, security incident investigation, legal holds, or financial record-keeping.
• Backups are deleted on a rolling schedule in the ordinary course and are not maintained for the purpose of circumventing a deletion request.
• Retention of data by Model Providers (Section 5) is governed by their own terms and is outside ClickSet's control.

8. Security

• Encryption in transit (TLS 1.2+) and at rest.
• We maintain SOC 2 Type II controls and work toward ISO 27001 alignment.
• Role-based access controls, audit logging, and least-privilege access for ClickSet personnel.
• A documented incident response process consistent with the DPA.

No system is completely secure. These measures reflect commercially reasonable efforts and are not, and should not be construed as, a guarantee or warranty of any kind. Full disclaimers of warranty regarding the Services are set out in the Terms of Service.

9. International Data Transfers

Where ClickSet transfers personal data out of the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, incorporated into our DPA (available on request).

10. Rights Regarding Account and Billing Data

If you are a ClickSet Customer or Customer User, you may request to access, correct, export, or delete your Account Information by emailing privacy@clickset.ai or using your account dashboard. We will verify your identity before fulfilling a request and will respond within a reasonable time, consistent with applicable law.

Global Privacy Control (GPC): we honor GPC browser signals as a valid opt-out request for any data uses subject to opt-out under applicable law.

If you are not a ClickSet Customer but believe your personal data has been processed through the Services as part of a Third-Party Record, you may contact us at privacy@clickset.ai. Because ClickSet acts as a processor for that data and does not independently control it, we are frequently not in a position to verify, access, modify, or delete data controlled by a Customer. We may, in our discretion, attempt to identify the responsible Customer and direct your request to them, but are under no obligation to do so. You may also have rights directly against the original source or data provider, depending on applicable law.

Note on accuracy: Output Data, including any enrichment results generated using AI-assisted methods, may be inaccurate, incomplete, or out of date, and ClickSet does not guarantee its accuracy. Customers are solely responsible for independently verifying Output Data before relying on it for any purpose. If you believe Output Data about you is inaccurate, you may contact us, and we will consider the request and may, in our discretion, forward it to the relevant Customer.

11. Children's Privacy

The Services are intended for business use by adults and are not directed to anyone under 18. We do not knowingly collect personal data from individuals under 18 in connection with account registration.

12. Changes to This Policy

We will post the updated effective date here whenever this Policy changes. We may, but are not obligated to, provide additional notice of changes beyond posting the updated Policy, except where notice is required by applicable law or the Terms of Service.

13. Regional Disclosures

• California (CCPA/CPRA): See Section 6 regarding "sale." California residents have the rights described in Section 10. Submit requests to privacy@clickset.ai.
• EEA/UK/Switzerland (GDPR): Our legal bases for processing Account Information are performance of a contract, legitimate interests (security, fraud prevention), and legal obligation. For Customer Content processed as a processor, the Customer's legal basis and obligations are addressed in the DPA.