Privacy Policy
Last updated: 2026-04-03
Privacy Policy
Last updated: 2026-04-03 Effective: 2026-04-03
Controller
CLK.AM is operated by:
O2 Consulting Services & Investment (O2CS&I) SASU au capital variable SIRET: 797 575 339 RCS Paris TVA intracommunautaire: FR63797575339
Represented by: Olivier ORABONA, Président Contact: privacy@clk.am
Scope
This policy covers all CLK.AM services:
| Service | Domain | Data processing |
|---|---|---|
| IP Tool | ip.clk.am | Stateless — IP displayed to the visitor, never stored |
| Analytics | analytics.clk.am | Pageview and event aggregation for site owners |
| Links | links.clk.am | Link shortening and click tracking |
| Uptime | uptime.clk.am | Endpoint monitoring |
| Website | clkam.com | Marketing site, account management |
1. IP Tool (ip.clk.am)
What we process
The IP Tool reads your IP address from the incoming HTTP request (via Cloudflare's cf-connecting-ip header) and displays it back to you. It also reads optional geolocation metadata provided by Cloudflare's edge network (country, city, ASN, timezone).
What we store
Nothing. The IP Tool is stateless. Your IP address exists in server memory only for the duration of the HTTP request and is never written to any database, log, file, or cache. There are:
- No server-side logs
- No analytics or tracking scripts
- No cookies
- No local storage
- No fingerprinting
- No third-party data sharing
Legal basis
Not applicable — no personal data is stored or processed beyond the technical necessity of responding to your HTTP request (GDPR Art. 6(1)(b) — performance of the service you requested).
Third parties
| Party | Role | Data exposed |
|---|---|---|
| Cloudflare | Infrastructure provider (CDN, DNS, Workers runtime) | Your IP address transits Cloudflare's network. See Cloudflare Privacy Policy |
| OpenStreetMap | Map tiles (loaded in your browser) | Your browser makes requests to OSM tile servers. See OSM Privacy Policy |
| 1.1.1.1 / api4.ipify.org | IPv4 detection (client-side fetch, only when you have IPv6) | Your browser may fetch your IPv4 address from these services |
No data is sent from our servers to any third party.
2. Analytics (analytics.clk.am)
Who is the controller?
When a site owner uses CLK.AM Analytics to track their website, the site owner is the data controller and CLK.AM is the data processor (GDPR Art. 28). This section describes how CLK.AM processes data on behalf of site owners.
What we collect from website visitors
The CLK.AM Analytics SDK collects:
| Data point | Purpose | Storage |
|---|---|---|
| Page URL | Pageview tracking | Stored (path only, no query strings with PII) |
| Referrer URL | Traffic source attribution | Stored (domain only) |
| UTM parameters | Campaign tracking | Stored |
| Country | Geographic breakdown | Derived from IP at edge, stored |
| Device type, browser, OS | Technology breakdown | Derived from User-Agent, stored as category (not raw UA) |
| Custom events | Conversion tracking | Stored (as defined by site owner) |
| Screen size | Responsive design analytics | Stored as category (mobile/tablet/desktop) |
What we explicitly do NOT collect
- IP addresses — Never stored. Used only at the Cloudflare edge to derive country, then discarded
- Cookies — None. We do not set any cookies
- Fingerprints — No browser fingerprinting of any kind
- Personal identifiers — No names, emails, user IDs, or cross-site identifiers
- Session data — No session tracking, no user journeys across visits
- Keystrokes or form inputs — Never captured
Unique visitor counting
We use a daily-rotating hash to estimate unique visitors without tracking individuals:
hash = SHA-256(site_id + visitor_ip + date + daily_salt)
- The hash changes every day (no cross-day tracking)
- The salt rotates daily and is never persisted
- The raw IP is discarded after hashing
- The hash itself is not stored — only the aggregate count
This approach follows EDPB Opinion 05/2019 on pseudonymization techniques and CNIL deliberation n2023-091 on audience measurement tools exempt from consent.
Data retention
| Tier | Raw events | Aggregated data |
|---|---|---|
| Free | 7 days | 7 days |
| Starter | 90 days | 12 months |
| Pro | 12 months | 24 months |
| Team | 24 months | 36 months |
| Enterprise | Custom | Custom |
After the retention period, data is permanently deleted via automated purge (daily cron job).
Legal basis
Legitimate interest (GDPR Art. 6(1)(f)) for aggregate audience measurement without cookies or cross-site tracking. This is consistent with CNIL's exemption for audience measurement tools that meet specific criteria (no cross-site tracking, no user identification, limited retention).
Site owners using CLK.AM Analytics are not required to show a cookie consent banner for CLK.AM's basic tracking (pageviews, events, UTM). Features involving behavioral observation (session replay, heatmaps) may require updated privacy analysis — see product documentation for guidance.
Prohibition on personal data in events
Site owners must not send personal data (names, email addresses, user IDs, IP addresses, or other directly identifying information) in custom event names or properties. CLK.AM does not validate event payloads for PII. If personal data is sent in events, the site owner is solely responsible as data controller. CLK.AM reserves the right to purge event data containing identifiable PII upon detection.
3. Links (links.clk.am)
What we collect on link clicks
When someone clicks a CLK.AM short link:
| Data point | Purpose | Storage |
|---|---|---|
| Click timestamp | Click counting | Stored |
| Country | Geographic breakdown | Derived from IP at edge, stored |
| Device type | Technology breakdown | Derived from User-Agent, stored as category |
| Referrer domain | Click source attribution | Stored (domain only) |
| Network type | Click quality (residential vs datacenter) | Derived from ASN at edge, stored |
| ASN | Network identification | Derived from IP at edge, stored |
| Geo confidence score | Data quality indicator | Computed at edge, stored |
What we explicitly do NOT collect
- IP addresses — Never stored. Used only at edge for geo/ASN derivation
- Destination browsing behavior — We redirect and forget. No tracking after the redirect
- Cookies — None
- Cross-link tracking — No correlation between clicks on different links by the same person
Legal basis
Legitimate interest (GDPR Art. 6(1)(f)) for the link creator to measure link performance. No personal data is stored; all data points are derived and aggregated.
4. Website and Accounts (clkam.com)
Account data
When you create a CLK.AM account:
| Data point | Purpose | Legal basis |
|---|---|---|
| Email address | Account identification, notifications | Contract (Art. 6(1)(b)) |
| Name (optional) | Display in dashboard | Consent (Art. 6(1)(a)) |
| Password (hashed) | Authentication | Contract |
| Billing information | Payment processing via Stripe | Contract |
Cookies on clkam.com
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Session cookie | Authentication | Essential | Session |
| Theme preference | UI preference (dark/light) | Essential | 1 year |
No analytics cookies, no advertising cookies, no third-party tracking cookies.
If Stripe.js is loaded on checkout pages, Stripe may set its own cookies. See Stripe's Cookie Policy.
5. Sub-processors
See Sub-processor List for the current list of third parties that process data on our behalf.
6. Your Rights
Under GDPR, you have the right to:
| Right | How to exercise |
|---|---|
| Access (Art. 15) | Email privacy@clk.am |
| Rectification (Art. 16) | Update your account settings, or email us |
| Erasure (Art. 17) | Delete your account in settings, or email us |
| Restriction (Art. 18) | Email privacy@clk.am |
| Portability (Art. 20) | Export your data from the dashboard (CSV/JSON) |
| Object (Art. 21) | Email privacy@clk.am |
For website visitors tracked by CLK.AM Analytics: since we do not collect directly identifying data or set cookies, there is no directly identifying personal data to access, rectify, or delete. Aggregate visitor counts derived from daily-rotating hashes cannot be linked back to individuals. If you believe a site using CLK.AM is processing your personal data, contact that site's owner (the data controller).
We respond to all requests within 30 days.
7. International Transfers
CLK.AM runs on Cloudflare's global network. Data may be processed at any Cloudflare edge location. Cloudflare maintains Standard Contractual Clauses (SCCs) for international transfers. See Cloudflare's Data Processing Addendum.
Payment data processed by Stripe may be transferred to the United States under Stripe's Data Processing Agreement and SCCs.
8. Data Security
- All data in transit is encrypted (TLS 1.2+)
- All data at rest is encrypted (Cloudflare D1 encryption at rest)
- Authentication uses secure password hashing (bcrypt/argon2)
- Access to production systems requires authenticated Cloudflare Access sessions
- No employee has access to raw visitor data (it doesn't exist — see sections above)
9. Changes to This Policy
We may update this policy from time to time. Material changes will be announced via email to account holders and posted on this page. The "Last updated" date at the top reflects the most recent revision.
10. Contact
For privacy-related questions or requests:
- Email: privacy@clk.am
- Data protection officer: Not yet appointed. A DPO will be appointed if processing meets thresholds under GDPR Art. 37(1) (large-scale systematic monitoring or special category data)
For complaints, you may also contact the French data protection authority (CNIL): https://www.cnil.fr/
Questions? privacy@clk.am — See also: Terms of Service, Sub-processors