Privacy Policy

1.1. Anonymous usage data (Free tier)

When you use Clicklore without signing in, the app sends a small anonymous heartbeat to our backend approximately once per day. This heartbeat contains:

• installation_id — a random identifier generated locally on first launch and stored on your device;
• application version;
• operating system family (macOS / Windows / Linux) and version;
• system locale (e.g. en_US);
• country derived from your IP address by our network provider; the raw IP address is discarded immediately and never stored.

The installation_id is never linked to any account or to other personal data. You may opt out of telemetry from the Clicklore first-launch dialog or, in the future, from Settings.

1.2. Account data (when you sign up)

When you create a Lorenest account, we collect:

• your email address;
• a hashed copy of your password (we never store raw passwords);
• if you sign in with Google: a Google account identifier received through OAuth (we do not receive your Google password);
• email verification status;
• authentication sessions and refresh tokens.

1.3. Billing data

Payments are processed by Paddle.com Market Limited (“Paddle”) acting as our Merchant of Record. We never see or store your card number, expiry, CVC, or full payment instrument. From Paddle we receive and store:

• your Paddle customer and subscription identifiers;
• subscription status and renewal dates;
• masked payment-method information (e.g. card brand, last four digits);
• transaction status and history.

Paddle is the data controller for billing data they collect to process your payment, calculate VAT/sales tax, and issue invoices. See Paddle’s privacy notice for details.

1.4. Crash and error reports

If we enable error tracking, the Service may send anonymised crash and exception reports to Sentry.io to help us diagnose problems. Such reports are scrubbed of personal identifiers before transmission where technically possible.

1.5. Contact form submissions

If you fill out the form on /contact we receive your name, email address, subject, and message via Web3Forms (web3forms.com), which relays the message to our support inbox. We process this data solely to respond to your enquiry.

1.6. Information we do not collect

• Payment card data — handled exclusively by Paddle on their infrastructure.
• The contents of your scripts or recordings — everything you create in Clicklore stays on your local device.
• Screenshots, clicks, keystrokes made while running a script — Clicklore does not transmit any of this to our servers.

We use the information we collect to:

• provide and operate the Service (authenticate you, sync subscription status, enable Pro features);
• process payments through Paddle and issue confirmations;
• send transactional emails (verification, password reset, payment failures, subscription notices);
• understand aggregate usage trends (number of installations per country, version adoption);
• respond to your enquiries and support requests;
• detect, prevent, and address technical issues, abuse, or security incidents;
• comply with legal obligations, including tax and accounting requirements (via Paddle).

Where the General Data Protection Regulation (GDPR) or UK GDPR applies, we rely on the following legal bases:

• Performance of a contract — to provide the Service you have requested (account data, billing data, subscription management).
• Legitimate interests — to keep the Service secure and to understand aggregate usage through anonymous telemetry. You may object to this processing at any time.
• Consent — for any optional analytics or marketing communications, which you can withdraw at any time.
• Legal obligation — to retain records required by tax, accounting, or anti-fraud laws.

We do not sell your personal data. We share data only with the service providers listed below, each acting as a processor under our instructions or as an independent controller for their part of the service:

• Paddle.com Market Limited (United Kingdom) — payment processing, billing, VAT/sales-tax handling, invoicing, refunds.
• Resend Inc. (United States) — delivery of transactional emails (account verification, password reset).
• Render Services, Inc. (United States) — hosting of our backend API and static website.
• Cloudflare, Inc. (United States, global) — DNS and request routing.
• GitHub, Inc. (United States) — source-code hosting, CI, and software release distribution.
• Functions Online LLC (Sentry) (United States) — error tracking and crash reports.
• SaaSWits LLP (Web3Forms) (India) — relay of website contact-form submissions to our support email.
• Google LLC (United States) — only if you choose to sign in with Google OAuth.

We sign a Data Processing Agreement (DPA) with each sub-processor that acts on our behalf and use providers that contractually commit to appropriate safeguards for international data transfers (Standard Contractual Clauses where applicable).

Our website uses only the strictly necessary cookies required to serve the site (for example, your selected language). We do not use third-party advertising or behavioural-tracking cookies.

If we introduce privacy-friendly analytics in the future (such as Plausible or Umami), we will update this section and, where required, display a cookie banner with opt-in controls.

• Account data — retained while your account is active. If you delete your account, we anonymise or remove your personal data within thirty (30) days, except for records we must keep for legal or accounting reasons.
• Billing records — retained by Paddle and by us for the period required by tax and accounting law (typically up to ten (10) years depending on jurisdiction).
• Anonymous telemetry — retained while the installation remains active; removed automatically if no heartbeat is received for an extended period.
• Support correspondence — retained for as long as needed to resolve your enquiry and for a reasonable period afterwards to handle follow-ups.

Subject to applicable law, you have the right to:

• access the personal data we hold about you;
• request correction of inaccurate or incomplete data;
• request deletion of your personal data (“right to be forgotten”);
• request restriction of, or object to, certain processing;
• request a copy of your data in a portable format;
• withdraw consent at any time, without affecting prior lawful processing;
• opt out of anonymous telemetry from within the Clicklore application;
• lodge a complaint with your local data-protection authority.

To exercise any of these rights, contact us at lorenest.support@gmail.com. We will respond within thirty (30) days.

Our sub-processors are located in the United States, the United Kingdom, India, and other regions. Where personal data is transferred outside your country of residence, we rely on appropriate legal mechanisms — such as the European Commission’s Standard Contractual Clauses or the UK International Data Transfer Addendum — to ensure your data is protected to an equivalent standard.

The Service is not directed to children under the age of sixteen (16). We do not knowingly collect personal data from children under sixteen. If you believe a child has provided us with personal data, please contact us and we will delete it.

We apply reasonable technical and organisational measures to protect your personal data, including password hashing with Argon2, encrypted transport (HTTPS/TLS), storage of authentication tokens in your operating-system keychain, and access controls on our backend. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security.

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Material changes will be communicated through the Service or by email where appropriate.

For questions about this Privacy Policy or to exercise your rights, contact us at:

[Company legal name]
[Company address]
Email: lorenest.support@gmail.com