
Privacy Policy

How Kicklayer handles agency account data, client onboarding submissions, uploaded files, billing records, and security logs across the platform.

Last Updated: March 11, 2026

Overview

This Privacy Policy explains how Kicklayer ("Kicklayer," "we," "us," or "our") collects, uses, stores, and shares information when you access or use our client onboarding and asset collection platform, including our website, authenticated agency dashboard, client onboarding portals, APIs, and related communications (collectively, the "Service").

Kicklayer is built for agencies that collect project details, files, and approvals from their clients. In many cases, we process information on behalf of an agency customer. If you are a client completing an onboarding portal for an agency, that agency may control the information submitted through its portal and may have its own privacy obligations to you.

Information We Collect

We may collect the following categories of information:

  • Account and profile data: name, email address, login credentials, profile image, organization name, and account settings.
  • Authentication data: session tokens, password reset and verification data, and limited identity data from sign-in providers such as Google or GitHub when you choose social login.
  • Customer and client onboarding data: client names, client email addresses, project names, due dates, templates, custom form responses, comments, approvals, activity history, and status changes.
  • Files and sensitive project materials: uploaded assets, documents, URLs, structured brand information, credentials or secrets submitted through secure onboarding fields, and generated exports.
  • Technical and usage data: IP address, user agent, device/browser information, timestamps, token access logs, interaction events, error logs, and rate-limit or abuse-prevention signals.
  • Billing and transaction data: subscription plan, billing status, processor customer IDs, subscription metadata, and checkout status. We do not intentionally store full payment card details ourselves.
  • Support and communications: emails you send us, support reports, reply-to details, and other information you choose to include in messages.

How We Use Information

We use information we collect to:

  • Provide, operate, secure, and improve the Service.
  • Authenticate users, manage sessions, and prevent fraud, abuse, or unauthorized access.
  • Host onboarding portals, process form submissions, store files, and deliver downloadable exports.
  • Send transactional emails such as invitations, reminders, confirmations, password resets, and account verification messages.
  • Process subscriptions, enforce plan limits, and manage billing relationships.
  • Generate AI-assisted summaries, quality checks, briefs, or recommendations when those features are used.
  • Monitor usage, troubleshoot issues, maintain audit trails, and comply with legal obligations.

How We Share Information

We may share information in the following circumstances:

  • With your organization or invited parties: onboarding responses and files are shared with the agency account that created the onboarding flow and with users it authorizes.
  • With infrastructure and service providers: we use providers for hosting, database and object storage, authentication, email delivery, billing, OAuth login, and AI processing.
  • With integrations you enable: if an agency turns on webhooks, Slack notifications, or other connected workflows, relevant event data may be sent to those destinations.
  • For legal or safety reasons: when required by law, court order, or to protect rights, security, or the integrity of the Service.
  • As part of a business transaction: in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate confidentiality measures.

Third-Party Processors and Subprocessors

Our Service may rely on third-party tools and infrastructure, including providers for authentication, cloud storage, email delivery, subscription billing, OAuth identity, and AI model access. Based on the current implementation, those providers may include services such as Better Auth, Polar, Plunk, Google, GitHub, S3-compatible or R2-compatible storage, PostgreSQL hosting, Redis infrastructure, and OpenRouter-backed AI models.

These providers process data under their own terms and privacy commitments. We share only the information reasonably necessary for them to perform services on our behalf or to carry out functionality you request.

Data Retention

We retain information for as long as necessary to provide the Service, maintain security and audit logs, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary depending on the type of data, the role of the customer, and whether an account or onboarding workspace remains active.

If you delete your account or request deletion, we will take reasonable steps to delete or de-identify applicable data, except where retention is required for legal, security, fraud-prevention, backup, or legitimate business purposes.

Security

We use reasonable administrative, technical, and organizational safeguards designed to protect information against unauthorized access, loss, misuse, or alteration. These measures may include authentication controls, access restrictions, signed upload flows, encryption or secure transport, token expiration, logging, and rate limiting.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping account credentials and magic links confidential and for notifying us promptly if you suspect unauthorized use.

Your Choices and Rights

Depending on your location and the nature of your relationship with Kicklayer, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal information.

Agency users can review and update much of their account information from within the Service. If you are a client whose data was submitted through an agency-managed onboarding portal, please contact the relevant agency first. You may also contact us at support@kicklayer.com.

International Transfers

Kicklayer and its service providers may process and store information in multiple countries. By using the Service, you understand that your information may be transferred to and processed in jurisdictions that may have different data protection laws than your home jurisdiction.

Children's Privacy

The Service is intended for business use and is not directed to children under 13 or the minimum age required by local law. We do not knowingly collect personal information from children for consumer use. If you believe a child has provided us personal information inappropriately, contact us so we can investigate.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date above and may take additional steps to notify users when changes are material. Continued use of the Service after an updated policy becomes effective means the updated policy applies to your use of the Service.

Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at support@kicklayer.com.