1. Who We Are

Klipped ("we", "us", or "our") is the data controller responsible for your personal data. We operate as a performance-based content marketing platform connecting brands with content creators across the European Union and beyond.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data in accordance with:

• Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR)
• applicable national data protection laws implementing the GDPR and the ePrivacy Directive (2002/58/EC)
• where you are in the United Kingdom, the UK GDPR and the Data Protection Act 2018
• Any other applicable data protection legislation

If you are located in the EU, you may also have the right to lodge a complaint with your local supervisory authority. A full list of EU supervisory authorities is available at: edpb.europa.eu.

For all privacy-related enquiries, or to contact the data controller, email privacy@klipped.io.

2. Data We Collect

2.1 Account Information

• Email address and hashed password
• Display name and username
• Date of birth (for age verification purposes)
• Profile picture
• Theme and display preferences

2.2 Workspace and Profile Data

• Workspace name, handle, image, and banner
• Public profile information (bio, description, website, country)
• Workspace membership and roles
• Visibility preferences (location, revenue, views, etc.)

2.3 Linked Social Media Accounts

• Platform identifiers and public profile data from TikTok, YouTube, Instagram, X (Twitter), and Threads
• Audience metrics: follower count, view count, like count, and engagement rates
• Content metadata: video titles, descriptions, thumbnails, durations, and performance metrics
• OAuth tokens (encrypted at rest) for API access

2.4 Device and Security Data

• Device name, browser, operating system, and device type
• Hashed IP address and approximate geolocation (city and country only)
• User agent string
• Two-factor authentication secrets (encrypted at rest)

2.5 Campaign and Transaction Data

• Campaign details, submissions, and performance metrics
• Bot Score and Trust Score values associated with your account and submissions
• Credit balances, deposits, payouts, and transaction history
• Whop customer and payment account identifiers (we do not store full payment card numbers)

2.6 Communications

• Direct messages and group messages
• Message attachments (images, videos, audio, documents, GIFs)
• Message reactions and read receipts

3. Legal Bases for Processing

We process your personal data on the following lawful grounds under GDPR Article 6:

Where we rely on legitimate interests as our legal basis, we have assessed that our interests are not overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests at any time (see Section 11).

4. How We Use Your Data

We use your personal data to:

• Create and manage your account and workspaces
• Facilitate campaigns between brands and creators
• Process credit deposits, payouts, and withdrawals via Whop
• Sync and display social media metrics from linked accounts
• Calculate and maintain your Bot Score and Trust Score (see Section 5)
• Enable messaging and community features
• Send transactional emails (verification, password reset, email change notifications)
• Detect and prevent fraud, metric manipulation, and abuse
• Monitor platform security and manage device sessions
• Generate analytics and performance reports for users and brands
• Comply with legal and regulatory obligations, including EU DAC7 reporting

5. Automated Decision-Making and Profiling

5.1 Klipped uses automated systems — specifically Bot Score and Trust Score — that process your personal data and produce decisions with significant effects on your use of the platform, including:

• Eligibility for payouts and payout amounts
• Auto-approval or auto-rejection of campaign submissions
• Access to certain campaigns
• Account suspension or termination

This constitutes automated decision-making within the meaning of GDPR Article 22. Automated decisions affecting payout eligibility and submission approval are permitted on the basis that they are necessary for entering into and performing your contract with Klipped (Article 22(2)(a)). Decisions that suspend or terminate your account are not taken solely by automated means: automated signals are reviewed and the final decision is made by a member of Klipped's staff. In all cases the safeguards set out below apply.

5.2 Bot Score evaluates signals including view growth patterns, account authenticity indicators, engagement ratios, and behavioural patterns to assess whether engagement on your submissions appears artificial. Trust Score evaluates your submission history, approval rates, payout history, and account longevity to determine your overall standing on the platform.

5.3 The specific weights, thresholds, and classification methods used in these systems are proprietary. However, we are required to — and do — inform you that these systems exist, that they affect your account, and that you have rights in relation to them.

5.4 Your rights regarding automated decisions: You have the right to:

• (a) Request human review of any automated decision that significantly affects you, by contacting privacy@klipped.io
• (b) Express your point of view regarding the automated decision
• (c) Contest the decision through our appeal process (see Section 18 of the Terms of Service)

5.5 To request human review of a Bot Score or Trust Score decision, contact privacy@klipped.io with the subject line "Automated Decision Review Request". We will respond within ten (10) business days.

6. Children's Privacy

6.1 Klipped is not intended for individuals under the age of 18. You must be at least 18 years of age to create an account or use the platform.

6.2 We do not knowingly collect personal data from any individual below the age of 18. If we become aware that an individual under 18 has provided us with personal data, we will take steps to delete such data promptly.

6.3 If you are a parent or guardian and believe your child has created an account, contact us immediately at privacy@klipped.io and we will delete the account and associated data promptly.

7. Third-Party Services and Data Sharing

We share personal data with the following third-party service providers, who act as data processors on our behalf under GDPR-compliant data processing agreements, except where indicated as an independent controller:

Whop acts as an independent controller (and merchant of record) in respect of the payment, payout, and identity-verification data it processes, under its own privacy policy. The remaining providers above act as processors on our behalf.

In addition to the platform APIs listed above, we use third-party data providers to retrieve publicly available view counts and engagement metrics for submitted content. Such data is sourced from public social media accounts and may be incomplete, delayed, or unavailable (for example where a post is private, removed, or region-restricted, or subject to platform rate limits). These metrics are used to calculate Creator payouts and may be revised when corrected data becomes available, as described in Section 10.10 of our Terms of Service.

We do not sell your personal data to any third party.

We may disclose personal data if required to do so by applicable law, court order, or regulatory authority, or to protect the rights, property, or safety of Klipped, our users, or others.

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to equivalent data protection obligations.

8. International Data Transfers

Some of our third-party service providers process personal data outside the European Economic Area (EEA). When we transfer personal data outside the EEA, we ensure an adequate level of protection through one or more of the following mechanisms:

• European Commission adequacy decisions (where the destination country has been deemed adequate)
• Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c)
• EU-U.S. Data Privacy Framework certification (where applicable)

You may request information about the specific transfer mechanism applicable to any given processor by contacting privacy@klipped.io.

9. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, subject to the following:

Upon account deletion, we will delete or anonymise your personal data within 30 days, except where a longer retention period applies under the table above (for legal, tax, dispute-resolution, or fraud-prevention purposes) or where retention is otherwise required by law. Aggregated or anonymised data is not subject to deletion obligations.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure, including:

• Passwords hashed with bcrypt
• OAuth tokens and 2FA secrets encrypted at rest
• IP addresses and device tokens stored as hashed values
• Rate limiting on authentication and sensitive API endpoints
• HMAC-signed real-time communication channels
• Secure HTTPS connections for all data transmission
• Access controls limiting internal data access to authorised personnel only

While we apply industry-standard security measures, no method of data transmission or storage is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, notify affected users without undue delay, in accordance with GDPR Articles 33 and 34.

11. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. To exercise any of them, contact us at privacy@klipped.io. We will respond within 30 days (extendable by a further two months for complex requests, with notice).

Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority at any time, in particular in the EU or EEA member state of your habitual residence, place of work, or the place of the alleged infringement. A full list of EU/EEA supervisory authorities is available at edpb.europa.eu/about-edpb/board/members_en.

12. Cookies and Local Storage

Klipped uses cookies and local storage for platform functionality and, with your consent, for analytics. We categorise these as follows:

Essential (no consent required)

These are strictly necessary for the platform to function and are processed under GDPR Article 6(1)(b). They do not require consent under the ePrivacy Directive.

• Authentication session token and CSRF protection
• UI preferences (sidebar state, theme)
• Active workspace and view mode (localStorage)
• Cookie consent choice

Analytics (consent required)

These are only set after you explicitly accept analytics cookies via our cookie consent banner. You can change your choice at any time.

• PostHog analytics cookies and localStorage — used for pageview tracking, usage analytics, and session recording to help us improve the platform. EU-hosted.
• Referral attribution — set when you arrive via a referral link and used to credit the referring user. Non-essential; set only with your consent.

We do not use advertising cookies or behavioural profiling cookies.

13. Social Media Data and Unlinking

When you link a social media account to Klipped, we access platform data via OAuth on the basis of your consent (GDPR Article 6(1)(a)).

You may unlink any social media account at any time through your account settings, which withdraws your consent for future data collection from that account. Following unlinking:

• We will cease collecting new data from the unlinked account.
• Historical performance data, view counts, and payout records derived from that account prior to unlinking will be retained for the periods set out in Section 9, as this data is necessary for legal compliance, dispute resolution, and fraud prevention.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, applicable law, or regulatory guidance.

For material changes, we will notify you by email and/or via an in-platform notice at least 15 days before the changes take effect. For non-material changes, the updated policy will be posted on the platform with the updated "Last updated" date.

Continued use of the platform after the effective date of any updated Privacy Policy constitutes acceptance of the updated terms, except that, where we rely on your consent as the legal basis for processing, any material change to that processing requires your fresh consent and will not take effect through continued use alone.

15. Contact

Privacy and data requests: privacy@klipped.io

General support: support@klipped.io

We aim to respond to all privacy-related enquiries within 30 days.