1. Who We Are

Klipped ("we", "us", or "our") is the data controller responsible for your personal data. We operate as a performance-based content marketing platform connecting brands with content creators across the European Union and beyond.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data in accordance with:

• Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR)
• The Maltese Data Protection Act (Chapter 586 of the Laws of Malta)
• The EU ePrivacy Directive (2002/58/EC) as implemented in Malta
• Any other applicable EU or national data protection legislation

If you are located in an EU member state other than Malta, you may also have the right to lodge a complaint with your local supervisory authority. A full list of EU supervisory authorities is available at: edpb.europa.eu.

For all privacy-related enquiries, contact us at privacy@klipped.io.

Data Controller contact: privacy@klipped.io

Lead Supervisory Authority: Information and Data Protection Commissioner (IDPC), Malta — idpc.org.mt

2. Data We Collect

2.1 Account Information

• Email address and hashed password
• Display name and username
• Date of birth (for age verification purposes)
• Profile picture
• Theme and display preferences

2.2 Workspace and Profile Data

• Workspace name, handle, image, and banner
• Public profile information (bio, description, website, country)
• Workspace membership and roles
• Visibility preferences (location, revenue, views, etc.)

2.3 Linked Social Media Accounts

• Platform identifiers and public profile data from TikTok, YouTube, Instagram, X (Twitter), and Threads
• Audience metrics: follower count, view count, like count, and engagement rates
• Content metadata: video titles, descriptions, thumbnails, durations, and performance metrics
• OAuth tokens (encrypted at rest) for API access

2.4 Device and Security Data

• Device name, browser, operating system, and device type
• Hashed IP address and approximate geolocation (city and country only)
• User agent string
• Two-factor authentication secrets (encrypted at rest)

2.5 Campaign and Transaction Data

• Campaign details, submissions, and performance metrics
• Bot Score and Trust Score values associated with your account and submissions
• Credit balances, deposits, payouts, and transaction history
• Stripe customer and Connect account identifiers (we do not store full payment card numbers)

2.6 Communications

• Direct messages and group messages
• Message attachments (images, videos, audio, documents, GIFs)
• Message reactions and read receipts

3. Legal Bases for Processing

We process your personal data on the following lawful grounds under GDPR Article 6:

Where we rely on legitimate interests as our legal basis, we have assessed that our interests are not overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests at any time (see Section 11).

4. How We Use Your Data

We use your personal data to:

• Create and manage your account and workspaces
• Facilitate campaigns between brands and creators
• Process credit deposits, payouts, and withdrawals via Stripe
• Sync and display social media metrics from linked accounts
• Calculate and maintain your Bot Score and Trust Score (see Section 5)
• Enable messaging and community features
• Send transactional emails (verification, password reset, email change notifications)
• Detect and prevent fraud, metric manipulation, and abuse
• Monitor platform security and manage device sessions
• Generate analytics and performance reports for users and brands
• Comply with legal and regulatory obligations, including EU DAC7 reporting

5. Automated Decision-Making and Profiling

5.1 Klipped uses automated systems — specifically Bot Score and Trust Score — that process your personal data and produce decisions with significant effects on your use of the platform, including:

• Eligibility for payouts and payout amounts
• Auto-approval or auto-rejection of campaign submissions
• Access to certain campaigns
• Account suspension or termination

This constitutes automated decision-making within the meaning of GDPR Article 22.

5.2 Bot Score evaluates signals including view growth patterns, account authenticity indicators, engagement ratios, and behavioural patterns to assess whether engagement on your submissions appears artificial. Trust Score evaluates your submission history, approval rates, payout history, and account longevity to determine your overall standing on the platform.

5.3 The specific weights, thresholds, and classification methods used in these systems are proprietary. However, we are required to — and do — inform you that these systems exist, that they affect your account, and that you have rights in relation to them.

5.4 Your rights regarding automated decisions: You have the right to:

• (a) Request human review of any automated decision that significantly affects you, by contacting privacy@klipped.io
• (b) Express your point of view regarding the automated decision
• (c) Contest the decision through our appeal process (see Section 10 of the Creator Terms of Service)

5.5 To request human review of a Bot Score or Trust Score decision, contact privacy@klipped.io with the subject line "Automated Decision Review Request". We will respond within ten (10) business days.

6. Children's Privacy

6.1 Klipped is not intended for individuals under the age of 18. You must be at least 18 years of age to create an account or use the platform.

6.2 We do not knowingly collect personal data from any individual below the age of 18. If we become aware that an individual under 18 has provided us with personal data, we will take steps to delete such data promptly.

6.3 If you are a parent or guardian and believe your child has created an account, contact us immediately at privacy@klipped.io and we will delete the account and associated data promptly.

7. Third-Party Services and Data Sharing

We share personal data with the following categories of third-party service providers acting as data processors on our behalf under GDPR-compliant data processing agreements:

We do not sell your personal data to any third party.

We may disclose personal data if required to do so by applicable law, court order, or regulatory authority, or to protect the rights, property, or safety of Klipped, our users, or others.

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to equivalent data protection obligations.

8. International Data Transfers

Some of our third-party service providers process personal data outside the European Economic Area (EEA). When we transfer personal data outside the EEA, we ensure an adequate level of protection through one or more of the following mechanisms:

• European Commission adequacy decisions (where the destination country has been deemed adequate)
• Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c)
• EU-U.S. Data Privacy Framework certification (where applicable)

You may request information about the specific transfer mechanism applicable to any given processor by contacting privacy@klipped.io.

9. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, subject to the following:

Upon account deletion, we will delete or anonymise your personal data within 30 days, except where retention is required by law, for dispute resolution, fraud prevention, or enforcement of our Terms of Service. Aggregated or anonymised data is not subject to deletion obligations.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure, including:

• Passwords hashed with bcrypt
• OAuth tokens and 2FA secrets encrypted at rest
• IP addresses and device tokens stored as hashed values
• Rate limiting on authentication and sensitive API endpoints
• HMAC-signed real-time communication channels
• Secure HTTPS connections for all data transmission
• Access controls limiting internal data access to authorised personnel only

While we apply industry-standard security measures, no method of data transmission or storage is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the IDPC within 72 hours and, where required, notify affected users without undue delay, in accordance with GDPR Articles 33 and 34.

11. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. To exercise any of them, contact us at privacy@klipped.io. We will respond within 30 days (extendable by a further two months for complex requests, with notice).

Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority at any time. Our lead supervisory authority is:

Information and Data Protection Commissioner (IDPC) idpc.org.mt | commissioner.idpc@gov.mt

If you are located in another EU member state, you may also contact your local supervisory authority. A full list is available at edpb.europa.eu/about-edpb/board/members_en.

12. Cookies and Local Storage

Klipped uses essential cookies and local storage only for authentication, session management, and user preferences (such as theme selection).

We do not use third-party tracking cookies, advertising cookies, or behavioural profiling cookies.

Essential cookies are strictly necessary for the platform to function. They are processed under GDPR Article 6(1)(b) (contract performance) and do not require separate consent under the ePrivacy Directive.

If we introduce any non-essential cookies in the future, we will update this policy, implement a compliant consent mechanism, and obtain your consent before placing any such cookies.

13. Social Media Data and Unlinking

When you link a social media account to Klipped, we access platform data via OAuth on the basis of your consent (GDPR Article 6(1)(a)).

You may unlink any social media account at any time through your account settings, which withdraws your consent for future data collection from that account. Following unlinking:

• We will cease collecting new data from the unlinked account.
• Historical performance data, view counts, and payout records derived from that account prior to unlinking will be retained for the periods set out in Section 9, as this data is necessary for legal compliance, dispute resolution, and fraud prevention.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, applicable law, or regulatory guidance.

For material changes, we will notify you by email and/or via an in-platform notice at least 14 days before the changes take effect. For non-material changes, the updated policy will be posted on the platform with the updated "Last updated" date.

Continued use of the platform after the effective date of any updated Privacy Policy constitutes acceptance of the updated terms.

15. Contact

Privacy and data requests: privacy@klipped.io

General support: support@klipped.io

We aim to respond to all privacy-related enquiries within 30 days.