Privacy Policy

CLICKABOOM PRIVACY POLICY Version 1.0 Last Updated: May 7, 2026 Clickaboom Inc. ("Clickaboom," "we," "us," or "our") is committed to maintaining robust privacy protections for its users. This Privacy Policy describes how we collect, use, share, and protect information about you when you access or use our website at https://www.clickaboom.com (the "Site") and our YouTube thumbnail generation services (the "Service"). By accessing our Site or using our Service, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Site or use the Service. I. INFORMATION WE COLLECT A. Personal Information We collect the following personal information when you register for and use our Service: - Account Information: Email address, first name, and last name (collected through our authentication provider, Clerk). - Payment Information: We do not directly collect or store your payment card details. All payment processing is handled by Stripe, Inc., a PCI-DSS compliant payment processor. We store only Stripe-assigned identifiers (customer ID, subscription ID, invoice ID) to manage your account and billing. - Support Communications: If you contact us via our support form, we collect the information you provide, including your name, email address, and any attachments you include. B. User-Uploaded Content To use our Service, you may upload the following content: - Persona Images: Photographs of individuals to be used as subjects in thumbnail generation. - Style Reference Images: Example thumbnails or images that define the visual style for generation. - Addon Images: Additional reference images for specific generation requests. - Audio Files: Audio content (e.g., extracted from videos) used to support thumbnail and title generation. - Text Instructions: Descriptions, captions, and other text input you provide for thumbnail generation. - Video Uploads and YouTube URLs (for Auto-Persona Detection and Transcript Extraction): When you provide a video URL or upload a video for analysis, our Service may use facial detection and clustering technology to identify the most-frequent face appearing in the video, which is then used to create a "persona" image automatically. The detection runs only on videos you have explicitly submitted to the Service. The cluster output (a face crop) is stored as a persona image associated with your account, which you may delete at any time. We do not use this facial data to identify individuals across users, do not perform 1:1 facial recognition for authentication, and do not share facial data with third parties for identification purposes. Video content you submit may also be used for transcript extraction to support generation. C. Generated Content Our Service produces the following content on your behalf: - Generated Thumbnails: AI-generated images created based on your inputs. - Generated Titles and Descriptions: AI-generated text created based on your inputs. D. YouTube Data We access YouTube data in two ways: Publicly Available Data (no authorization required): We use the YouTube Data API v3 with an API key to retrieve publicly available video metadata, including: - Video metadata (titles, descriptions, thumbnail URLs, view counts, like counts) - Channel information (channel name, channel ID) - Playlist information Private Data (with your authorization): If you choose to connect one or more YouTube channels, we request access to your YouTube account(s) through Google OAuth with the following scopes: - `youtube.readonly` — to read your YouTube channel data, including your uploaded videos and their metadata. - `yt-analytics.readonly` — to read your YouTube Analytics data, including per-video impressions, click-through rates (CTR), watch time, and view counts. - `youtube.force-ssl` — to manage your YouTube videos, including updating video titles, descriptions, and thumbnails directly from our Service. You may connect or disconnect any of your YouTube channels at any time through the Service. Granting access is optional and is not required to use the core thumbnail generation features. YouTube API Services: Clickaboom's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. E. Automatically Collected Information When you visit our Site, we automatically collect certain information, including: - Usage Data: Pages visited, features used, interactions with the Service, referring URLs, and browser type. - Device Information: Device type, operating system, and screen resolution. - Cookies and Tracking Technologies: See Section VI (Cookies and Tracking) below. F. Guest Users (Unauthenticated Visitors) Visitors who try our Service before creating an account ("Guests") may submit a YouTube video URL to generate sample thumbnails. For Guests, we collect: - The YouTube URL provided - IP-derived approximate location (used for rate limiting and abuse prevention) - Public video metadata fetched via the YouTube Data API for the URL provided - Any thumbnails generated from the URL during the Guest session Guest data is retained for up to 30 days for service operation and abuse prevention, and is automatically purged thereafter — unless the Guest creates an account during that window, in which case the data is migrated to the new account and treated under the standard user data terms in this Policy. II. HOW WE USE YOUR INFORMATION We use the information we collect for the following purposes: - Provide and Operate the Service: To process your thumbnail generation requests, manage your account, and deliver generated content. - YouTube Channel Management: If you connect one or more YouTube channels, to display your video analytics, and to update your video titles, descriptions, and thumbnails at your direction. - Process Payments: To manage your subscription, process credit purchases, and maintain billing records. - Communicate with You: To respond to support inquiries, send service-related notifications, and provide updates about the Service. - Improve the Service: To understand how users interact with our Site and Service, identify issues, and improve functionality. - Ensure Security: To detect and prevent fraud, abuse, and unauthorized access. - Comply with Legal Obligations: To comply with applicable laws, regulations, and legal processes. We do not sell your personal information to third parties. We do not use your personal information for advertising or marketing purposes beyond communicating with you about our own Service. III. HOW WE SHARE YOUR INFORMATION We share your information only in the following circumstances: A. Third-Party Service Providers We use the following third-party services to operate our platform. Each processes data only as necessary to provide their respective service: Clerk (clerk.com) — User authentication and identity management. Data shared: email address, name, authentication credentials. Stripe (stripe.com) — Payment processing and subscription management. Data shared: email address, payment method (handled directly by Stripe). Supabase (supabase.com) — Database hosting and file storage. Data shared: all user data, uploaded images, generated content. Google AI Studio (Gemini API) (ai.google.dev) — AI image and text generation. Data shared: uploaded images and text instructions (processed in real-time; on the paid tier, Google does not retain inputs for training, per Google's Gemini API Additional Terms of Service). OpenAI (openai.com) — AI text generation and image analysis. Data shared: text instructions, context, and image URLs (processed in real-time per OpenAI's data usage policy). YouTube Data API (developers.google.com) — Public video metadata retrieval. Data shared: search queries; no user data is sent. YouTube Analytics API (developers.google.com) — Authorized analytics data retrieval. Data shared: OAuth tokens; analytics data is retrieved on your behalf. Google Tag Manager (tagmanager.google.com) — Website analytics. Data shared: usage data, device information (see Section VI). FirstPromoter (firstpromoter.com) — Referral and affiliate tracking. Data shared: referral source information. Apify (apify.com) — YouTube video transcript retrieval. Data shared: YouTube video URLs for transcript extraction. Gmail SMTP (google.com) — Sending support-related emails. Data shared: email address, support message content. Vercel (vercel.com) — Frontend hosting and edge delivery. Data shared: request metadata, IP addresses, browser type. OpenAI Whisper API (openai.com) — Speech-to-text transcription of uploaded audio. Data shared: audio file content (processed in real-time, not retained per OpenAI API terms). B. Legal Requirements We may disclose your information if required to do so by law or in the good faith belief that such action is necessary to: - Comply with a legal obligation or government request - Protect and defend the rights or property of Clickaboom - Prevent or investigate possible wrongdoing in connection with the Service - Protect the personal safety of users of the Service or the public C. Business Transfers If Clickaboom is involved in a merger, acquisition, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Site of any change in ownership or uses of your personal information. IV. DATA STORAGE AND RETENTION A. Where Your Data Is Stored Your data is stored on servers operated by our third-party infrastructure provider, Supabase. User-uploaded files (images, audio) and generated content (thumbnails) are stored in Supabase Storage. Database records are stored in Supabase PostgreSQL with Row Level Security (RLS) enforced to ensure users can only access their own data. B. How Long We Retain Your Data - Account Data: Retained while your account is active. Inactive accounts (no login in 24 months) may be deleted with 30 days' email notice. When you delete your account, all associated data is permanently deleted. - Request Data and Generated Content: Retained until you delete the request or for 24 months after creation, whichever is sooner. You may delete individual requests and their associated files at any time through the Service. - YouTube Data: Authorized YouTube data (channel metadata, video metadata, analytics) is retained for no more than 30 calendar days from the most recent authorization or refresh, in accordance with the YouTube API Services Developer Policies. If our access has not been refreshed within that period, the data is automatically deleted. Authorized YouTube data is also deleted when you disconnect the corresponding YouTube channel or delete your account. - Guest Data: As described in Section I.F, retained for up to 30 days unless migrated to a created account. - Payment Records: Transaction records are retained as required by applicable tax and financial regulations. - Support Communications: Retained for as long as necessary to resolve your inquiry and for our records. C. Data Deletion - You may delete individual generation requests and all associated files at any time through the Service. - You may delete uploaded persona images, style references, addon images, video files, and audio files at any time through the Service. - You may disconnect any connected YouTube channel at any time. If you disconnect a YouTube channel or otherwise revoke our access to YouTube user data, all stored YouTube user data associated with that channel is deleted within 7 calendar days, in accordance with the YouTube API Services Developer Policies. - You may request complete account deletion. Upon deletion, all your data — including account information, uploaded content, generated content, YouTube data, and associated records — will be permanently deleted within 30 calendar days. - To request account deletion, use the account settings page or contact us at support@clickaboom.com. V. DATA SECURITY We implement industry-standard security measures to protect your information, including: - Encryption: Data is encrypted in transit using TLS/SSL. - Access Controls: Row Level Security (RLS) policies enforce data isolation between users at the database level. All storage buckets use signed URLs with time-limited access. - Authentication: Secure token-based authentication (JWT) for all API interactions. User sessions are managed by Clerk with industry-standard security practices. - OAuth Token Security: YouTube OAuth tokens are stored securely and are used only to access YouTube data on your behalf. Tokens can be revoked at any time by disconnecting your YouTube channel. - Payment Security: All payment processing is handled by Stripe, which is PCI-DSS Level 1 certified. We never receive, store, or process your payment card details. - Infrastructure: Our database and storage are hosted on Supabase with managed security. While we take reasonable measures to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. You are responsible for maintaining the confidentiality of your account credentials. VI. COOKIES AND TRACKING TECHNOLOGIES A. What We Use We use the following cookies and tracking technologies: - Google Tag Manager (GTM): We use GTM to manage analytics and tracking scripts on our Site. GTM may set cookies to collect information about how you interact with our Site, including pages visited, features used, and user interactions. GTM Container ID: GTM-PZFBV25H. - FirstPromoter: We use FirstPromoter for referral and affiliate tracking. It may set cookies to track referral sources. - Clerk: Our authentication provider may set cookies necessary for maintaining your login session and security. B. Your Choices Most web browsers allow you to control cookies through their settings. You may choose to block or delete cookies, but doing so may affect the functionality of the Site and Service. Specifically: - Essential Cookies (authentication, security): Required for the Service to function. Disabling these will prevent you from using the Service. - Analytics Cookies (GTM, FirstPromoter): Used to understand usage patterns and improve the Service. You may disable these without affecting core functionality. VII. YOUR RIGHTS A. All Users Regardless of your location, you have the right to: - Access the personal information we hold about you - Request correction of inaccurate personal information - Delete your account and all associated data - Disconnect your YouTube channel and revoke our access to your YouTube data - Opt out of non-essential communications B. European Economic Area (EEA) / UK Users If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR), including: - Right to Access: Request a copy of the personal data we hold about you. - Right to Rectification: Request correction of inaccurate or incomplete data. - Right to Erasure: Request deletion of your personal data. - Right to Restriction: Request that we restrict processing of your data in certain circumstances. - Right to Data Portability: Request your data in a structured, commonly used, machine-readable format. - Right to Object: Object to processing of your data for certain purposes. - Right to Withdraw Consent: Withdraw your consent at any time where we rely on consent as a legal basis for processing. To exercise any of these rights, contact us at support@clickaboom.com. We will respond to your request within 30 days. Legal Basis for Processing (GDPR): - Contract Performance: Processing necessary to provide you with the Service you have requested. - Legitimate Interest: Processing necessary for our legitimate business interests, such as improving the Service and ensuring security. - Consent: Processing based on your consent, such as analytics cookies and YouTube channel access. - Legal Obligation: Processing necessary to comply with applicable laws. Special Category Data: Where face-detection features process biometric identifiers (as described in Section I.B, "Video Uploads"), we rely on your explicit consent under GDPR Article 9. You may withdraw this consent at any time by deleting the resulting persona images and refraining from using auto-persona features. We do not use facial data for cross-user identification, do not perform 1:1 facial recognition for authentication, and do not share facial data with third parties for identification purposes. C. California Users If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. VIII. YOUTUBE API SERVICES Our Service uses YouTube API Services in two ways: 1. Public Data Access: We use the YouTube Data API v3 to retrieve publicly available video metadata (titles, descriptions, thumbnails, view counts, channel information) to support thumbnail generation. This does not require your YouTube account authorization. 2. Authorized Access (optional): If you choose to connect your YouTube channel, we use Google OAuth to access: - YouTube Data API v3 (`youtube.readonly`, `youtube.force-ssl`): To read your channel's video list and metadata, and to update video titles, descriptions, and thumbnails at your direction. - YouTube Analytics API v2 (`yt-analytics.readonly`): To retrieve per-video performance metrics including impressions, click-through rates, watch time, and views. By using features of our Service that interact with YouTube data, you are also bound by: - YouTube Terms of Service - Google Privacy Policy Data Handling: - Public YouTube data (video titles, descriptions, thumbnails, view counts, channel information) is accessed without authorization and stored within generation request metadata. - Authorized YouTube data (analytics, video management) is accessed only with your explicit consent via Google OAuth. - YouTube Analytics data is stored within your account and is refreshed periodically while your channel remains connected. Authorized YouTube data is retained for no more than 30 calendar days from the most recent authorization or refresh, in accordance with the YouTube API Services Developer Policies. - You may disconnect any connected YouTube channel at any time through the Service. Upon disconnection or revocation, stored YouTube data associated with that channel is deleted within 7 calendar days. - You may also revoke our access to YouTube API data at any time via the Google security settings page. Limited Use of YouTube Data: Clickaboom's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: - We do not transfer YouTube user data to any third party except as required to provide and improve user-facing features (e.g., to AI service providers strictly to fulfill the user's own generation requests, or to our infrastructure providers under contractual data-protection terms). - We do not use YouTube user data for advertising, including retargeting, personalized advertising, or interest-based advertising. - We do not allow human beings to read YouTube user data unless: (i) we have obtained the user's affirmative agreement for specific data; (ii) it is necessary for security purposes (such as investigating abuse); (iii) it is necessary to comply with applicable law; or (iv) the data has been aggregated and is used for internal operations. - We do not sell or transfer YouTube user data to data brokers, information resellers, or any other party that uses it for advertising, credit-worthiness assessments, or similar purposes. - We do not use YouTube user data to develop, improve, or train generalized or foundational artificial intelligence or machine learning models. IX. AI-GENERATED CONTENT Our Service uses artificial intelligence (Google Gemini and OpenAI) to generate thumbnails, titles, and descriptions based on your inputs. - Inputs: Your uploaded images, video files, audio files, and text instructions are sent to AI service providers for processing. These providers process your data in real-time and, per their respective policies, do not retain your inputs for training purposes when accessed via their API services. - Outputs: You retain ownership of the content generated through our Service. Clickaboom does not claim ownership of your generated thumbnails, titles, or descriptions. - No Training on Google Data: Clickaboom does not train, develop, or improve any generalized or foundational AI / ML model on YouTube user data, persona images, video uploads, or any other Google-API-derived data. AI features are provided exclusively via third-party APIs operating under their respective no-training data-processing terms. - Accuracy: AI-generated content may not always be accurate, appropriate, or free of errors. You are responsible for reviewing and approving all generated content before use. X. CHILDREN'S PRIVACY Our Service is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at support@clickaboom.com. Furthermore, our Service is not intended for use in generating thumbnails, titles, or descriptions for content directed at children, and we do not knowingly process content related to Made-for-Kids YouTube channels. XI. THIRD-PARTY LINKS Our Site and Service may contain links to third-party websites or services, including YouTube. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party sites you visit. XII. CHANGES TO THIS PRIVACY POLICY We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last Updated" date. For material changes that affect how we handle your personal data, we will provide notice via email or a prominent notice on our Site at least 30 days before the changes take effect. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy. XIII. CONTACT US If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at: Clickaboom Inc. Email: support@clickaboom.com Website: https://www.clickaboom.com