Privacy Policy

KLYQR ("we", "us", "our") is committed to protecting the privacy and personal data of all users of the KLYQR platform ("Platform"), accessible at klyqr.com.

This Privacy Policy describes how we collect, use, store, share, and protect personal data in connection with your use of the Platform, in accordance with:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation — "GDPR")
• French Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties ("Loi Informatique et Libertés"), as amended
• Any other applicable data protection legislation in force in your country of residence

This Privacy Policy applies to all users of the Platform, whether brands or creators, and should be read alongside the General Terms and Conditions of Use and the General Terms and Conditions of Sale.

Data Controller: KLYQR — Auto-entrepreneur registered under French law
60 Rue François 1er, 75008 Paris, France
Email: info@klyqr.com

We collect personal data in the following circumstances:

2.1 Data provided directly by you

When you create an account (all users):

• Full name
• Email address
• Password (stored in encrypted form — we never store your password in plain text)
• Role (brand or creator)
• Country of residence

When you complete your brand profile:

• Brand name
• Website URL
• Description of your products or services
• Product type (physical or digital)
• Logo or profile image

When you complete your creator profile:

• Profile photo
• Instagram and TikTok profile URLs
• Declared follower counts and engagement rate
• Niche or content sector
• Auto-entrepreneur registration number or equivalent professional status
• Country of residence

When you set up payment (brands):

• Payment card information — collected and processed exclusively by Stripe. KLYQR does not store card numbers or payment credentials.
• Billing address if required for VAT purposes

When you set up payouts (creators):

• Bank account details — collected and processed exclusively by Stripe Connect. KLYQR does not store IBAN numbers or banking credentials.
• Tax identification information as required by Stripe

When you use the Platform:

• Campaign briefs, messages exchanged between brands and creators through the in-app chat, post URLs submitted by creators, and any other content you voluntarily upload or submit

2.2 Data collected automatically

When you visit the Platform:

• IP address
• Browser type and version
• Device type and operating system
• Pages visited and time spent on each page
• Referring URL
• Date and time of visits

When you click a KLYQR tracking link:

• Hashed IP address (your IP address is immediately converted into an irreversible hash — the original IP address is never stored)
• Browser fingerprint (a hash derived from your browser and device characteristics, used for fraud detection and deduplication)
• Country of origin (derived from IP address at the moment of the click, before hashing)
• User agent string
• Referring URL
• Date and time of the click
• Whether the click was validated or rejected, and the reason for rejection if applicable

Analytics data:

We intend to use Google Analytics to collect aggregated data about how users interact with the Platform. This data includes page views, session duration, navigation paths, and general device and browser information. Google Analytics data is anonymized and aggregated — we do not use it to identify individual users. You may opt out of Google Analytics tracking by using the Google Analytics Opt-out Browser Add-on available at tools.google.com/dlpage/gaoptout.

2.3 Data collected from third parties

Stripe: When you make a payment or set up a payout account, Stripe shares with us confirmation of payment status, subscription status, payout account status, and associated identifiers (Stripe customer ID, subscription ID, Connect account ID). We do not receive your full card number or full bank account number from Stripe.

Google OAuth: If you choose to sign in using Google Sign-In, we receive your name and email address from Google, as displayed in the Google sign-in consent screen. We do not access your Google contacts, Gmail, Google Drive, or any other Google service.

We process your personal data on the following legal bases and for the following purposes:

3.1 Performance of a contract (Article 6(1)(b) GDPR)

We process data that is necessary to provide the services you have requested, including:

• Creating and managing your account
• Processing credit purchases and subscription renewals (brands)
• Generating and managing unique tracking links (creators)
• Processing creator payout requests
• Enabling communication between brands and creators through the in-app chat
• Tracking clicks and calculating earnings
• Detecting and filtering fraudulent clicks

3.2 Compliance with legal obligations (Article 6(1)(c) GDPR)

We process data to comply with our legal obligations, including:

• Issuing VAT-compliant invoices
• Retaining accounting records for the period required by French law
• Responding to lawful requests from competent authorities
• Reporting payments to tax authorities where required by applicable law

3.3 Legitimate interests (Article 6(1)(f) GDPR)

We process data based on our legitimate interests, including:

• Improving the Platform and developing new features
• Detecting and preventing fraud, abuse, and security threats
• Sending transactional notifications related to your account (payment confirmations, campaign updates, withdrawal requests)
• Maintaining the security and integrity of the Platform
• Analyzing aggregated usage data through Google Analytics to understand how the Platform is used

3.4 Consent (Article 6(1)(a) GDPR)

Where we rely on consent as the legal basis for processing, we will ask for your consent explicitly and separately. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

We retain your personal data for the following periods:

When the applicable retention period expires, personal data is either permanently deleted or anonymized so that it can no longer be attributed to an identified or identifiable individual.

We do not sell your personal data to any third party. We share personal data only in the following circumstances:

5.1 Service providers (data processors)

We share personal data with the following third-party service providers who process data on our behalf and under our instructions, in accordance with data processing agreements that comply with Article 28 GDPR:

Supabase Inc. — Role: Database hosting, authentication, and storage. Data processed: All account data, campaign data, click data, messages. Location: European Union (EU-hosted infrastructure). Privacy information: supabase.com/privacy

Stripe Inc. — Role: Payment processing (brands) and payout processing (creators via Stripe Connect). Data processed: Payment card data, payout bank account data, subscription status, payment history. Location: United States — transfers are governed by Standard Contractual Clauses approved by the European Commission. Privacy information: stripe.com/privacy

Resend Inc. — Role: Transactional email delivery. Data processed: Your email address and the content of transactional notifications sent to you. Location: United States — transfers are governed by Standard Contractual Clauses. Privacy information: resend.com/privacy

Cloudflare Inc. — Role: Content delivery network, DNS management, and click tracking infrastructure. Data processed: IP addresses (immediately hashed), user agent strings, click metadata. Location: United States — transfers are governed by Standard Contractual Clauses. Privacy information: cloudflare.com/privacypolicy

Google LLC — Role: Analytics (Google Analytics) and authentication (Google Sign-In). Data processed: Anonymized usage data (Google Analytics), name and email address (Google Sign-In only). Location: United States — transfers are governed by Standard Contractual Clauses. Privacy information: policies.google.com/privacy

5.2 Disclosure required by law. We may disclose personal data to competent public authorities, courts, or regulators where we are legally required to do so, or where disclosure is necessary to protect our legal rights or the rights of our users.

5.3 Business transfers. In the event of a merger, acquisition, or sale of all or part of KLYQR's business, personal data may be transferred to the acquiring entity. We will notify affected users before any such transfer takes effect and before their data becomes subject to a different privacy policy.

KLYQR's primary infrastructure is hosted within the European Union through Supabase. However, some of our third-party service providers are based in the United States, which does not provide the same level of data protection as the European Union under the GDPR.

When we transfer personal data to third-party providers located outside the European Economic Area, we ensure that appropriate safeguards are in place, in particular through the use of Standard Contractual Clauses approved by the European Commission under Article 46(2)(c) GDPR.

You may request a copy of the applicable transfer safeguards by contacting us at info@klyqr.com.

7.1 What are cookies. Cookies are small text files stored on your device when you visit a website. We use cookies and similar tracking technologies on the Platform for the purposes described below.

7.2 Types of cookies we use.

Strictly necessary cookies. These cookies are essential for the Platform to function and cannot be disabled. They include cookies that maintain your session after login and cookies that remember your preferences during a single visit. No consent is required for these cookies.

Analytics cookies. We use Google Analytics to collect aggregated, anonymized data about how users interact with the Platform. These cookies help us understand which pages are visited most frequently, how users navigate the Platform, and where technical issues occur. These cookies require your consent before being placed on your device.

Authentication cookies. We use cookies set by Supabase to maintain your authenticated session. These are strictly necessary for the operation of the Platform.

7.3 Managing your cookie preferences. You may control your cookie preferences through:

• The cookie consent banner displayed on your first visit to the Platform
• Your browser settings, which allow you to refuse or delete cookies
• The Google Analytics Opt-out Browser Add-on available at tools.google.com/dlpage/gaoptout

Please note that disabling certain cookies may affect the functionality of the Platform.

The Platform is strictly reserved for users who are 18 years of age or older. KLYQR does not knowingly collect personal data from individuals under the age of 18.

If we become aware that an account has been created by a person under the age of 18, we will immediately suspend and delete that account and all associated personal data.

If you believe that a minor has created an account on KLYQR, please notify us immediately at info@klyqr.com.

Under the GDPR and applicable French law, you have the following rights with respect to your personal data:

Right of access (Article 15 GDPR). You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about how it is processed.

Right to rectification (Article 16 GDPR). You have the right to request correction of any inaccurate or incomplete personal data we hold about you.

Right to erasure (Article 17 GDPR). You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent, or where the processing is unlawful. This right is subject to our legal obligations to retain certain data, particularly financial records.

Right to restriction of processing (Article 18 GDPR). You have the right to request that we limit the processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have contested.

Right to data portability (Article 20 GDPR). Where we process your data on the basis of your consent or the performance of a contract, and the processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.

Right to object (Article 21 GDPR). You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to withdraw consent. Where we rely on your consent as the legal basis for processing, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Right to lodge a complaint. You have the right to lodge a complaint with the competent supervisory authority. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL), accessible at cnil.fr.

Exercising your rights. To exercise any of the rights described above, please contact us at info@klyqr.com with the subject line "Data Rights Request" and specify the right you wish to exercise. We will respond within 30 days of receiving your request. We may ask you to verify your identity before processing your request.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, or alteration. These measures include:

• Encryption of data in transit using TLS
• Encryption of passwords using industry-standard hashing algorithms
• Row-Level Security (RLS) policies on our database ensuring that users can only access their own data
• Immediate hashing of IP addresses at the point of click collection — original IP addresses are never stored
• Access controls limiting internal access to personal data to those with a legitimate need
• Regular review of our security practices and those of our third-party processors

No method of transmission over the internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. We will notify you of material changes by email and through a notice on the Platform at least 30 days before the changes take effect.

The date of the most recent update is displayed at the top of this document. We encourage you to review this Privacy Policy periodically.

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact us at:

KLYQR
60 Rue François 1er, 75008 Paris, France
Email: info@klyqr.com

You may also contact the CNIL directly at:

Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
cnil.fr