This Privacy Policy explains how Cloack (“we”, “us”) collects, uses, and shares personal data when you use the Service, and the rights you have under the EU/UK General Data Protection Regulation (GDPR) and similar laws. Where we process personal data on behalf of a business customer, that customer is the controller and we act as processor under our Data Processing Addendum.
1. Data we collect
- Account data: name, email, password hash, workspace and billing details.
- Lead and contact data processed on behalf of customers: Telegram identifiers, usernames, messages, deposit and conversion events, and tags.
- Attribution and tracking data: click events, UTM parameters, referrers, and truncated/derived IP-based geo signals.
- Usage and log data: API and webhook logs, rate-limit logs, audit/activity logs, and error events.
2. Purposes of processing
We process personal data to provide and secure the Service, deliver messaging and attribution features, process payments, prevent abuse and fraud, provide support, and comply with legal obligations.
3. Legal bases (GDPR Article 6)
- Contract (Art. 6(1)(b)): to provide the Service you or your organisation signed up for.
- Legitimate interests (Art. 6(1)(f)): security, fraud prevention, product improvement, and analytics.
- Consent (Art. 6(1)(a)): where required, for example certain marketing communications.
- Legal obligation (Art. 6(1)(c)): tax, accounting, and compliance record-keeping.
For end-user/lead data processed on a customer’s behalf, the customer is responsible for establishing the legal basis and for obtaining any required consent.
4. Retention
We retain personal data only as long as needed for the purposes above. Indicative platform retention periods (subject to change and to legal requirements):
- Telegram update/webhook logs: ~7 days
- Rate-limit logs: ~30 days
- Tracking-link click events: ~90 days
- Activity/audit logs: ~365 days (compliance default)
- Billing and credit-usage records: retained for the life of the billing relationship and as required for tax/accounting.
5. Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict, and port your personal data, to object to certain processing, and to withdraw consent. To exercise these rights, contact us at the address below. If we process your data on behalf of a business customer, we will direct your request to that customer.
6. Sharing and sub-processors
We share personal data with vetted service providers who help us run the Service. See our Sub-processors list for the current set of providers, their purpose, and processing regions. We do not sell personal data.
7. International transfers
Our primary database is hosted with Supabase in the ap-southeast-1 (Singapore) region, and other sub-processors may process data in the EU, US, or elsewhere. Where personal data is transferred outside your jurisdiction, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) [SCC references and transfer-impact assessment placeholder — to be completed with counsel].
8. Security
We apply technical and organisational measures including encryption of sensitive secrets at rest, access controls, and structured logging with automatic redaction of tokens and secrets. No method of transmission or storage is completely secure.
9. Contact
For privacy questions or to exercise your rights, contact privacy@cloack.app (placeholder). You also have the right to lodge a complaint with your local data-protection authority. [Data controller identity, registered address, and EU/UK representative — placeholders to be completed.]