Open Clixa →
Back

Privacy Policy

Last updated: May 2026

Clixa AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, applications, and services (the "Service"). By using the Service, you consent to the practices described in this policy.

1. Information We Collect

We collect information that you provide directly to us, that we obtain automatically when you use the Service, and that we receive from third parties where applicable.

Information you provide

  • Account data: email address, password (stored in hashed form), and optionally username when you register or sign in.
  • Profile and usage data: content you create (e.g. thumbnails, prompts, saved visual characters), settings, and how you use the Service.
  • Billing data: when you subscribe or purchase credits, our payment processor (see §3) collects your name, billing address, tax/VAT ID where applicable, and payment instrument details. Clixa AI receives only a customer reference, transaction status, and non-sensitive summary data — we never store full card numbers, CVV, or bank details.
  • Uploaded content: images you upload as reference material for thumbnail generation. You confirm at upload time that you own these materials or have the rights to use them.
  • Communications: messages you send to us (e.g. support requests or feedback).

Information collected automatically

  • Device and log data: IP address, browser type, operating system, device identifiers, and access times.
  • Cookies and similar storage: we use a small number of strictly-necessary technologies — primarily browser local storage — to keep you signed in and remember your preferences. We do not place third-party analytics or advertising tracking cookies on our domain. When you complete a purchase, Paddle's hosted checkout sets its own cookies on Paddle's domain to support the transaction; when you embed or watch YouTube content, Google may set cookies on its own domains. Those third-party cookies are governed by the respective providers' privacy notices. You can clear or block cookies and local storage at any time in your browser settings.

Third-party data

If you connect a YouTube or other third-party account, we may receive information that you authorize (e.g. channel ID, basic profile) to provide features like analytics or content suggestions.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Process your requests and deliver AI-generated content (e.g. thumbnails, titles)
  • Send you service-related notices, updates, and support messages
  • Analyze usage and trends to improve our product and user experience
  • Detect, prevent, and address fraud, abuse, or security issues
  • Comply with legal obligations and enforce our Terms of Service
  • With your consent, send marketing communications (you may opt out at any time)

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

  • Service providers (subprocessors): vendors who help us operate the Service, under contracts that limit their use of your data. Current subprocessors:
    • Paddle.com Market Ltd — Merchant of Record for all paid subscriptions and credit packs. Paddle collects your billing information directly, processes your payment, handles sales tax / VAT collection and remittance where required, and transmits a transaction reference back to Clixa AI. Paddle's privacy notice: paddle.com/legal/privacy.
    • Amazon Web Services (AWS) — cloud hosting in the us-east-1 region: EC2 compute, S3 object storage, and CloudFront CDN. Our Postgres account database runs inside an EC2 instance under our control. We do not use AWS Cognito, RDS, or any other AWS managed identity service — authentication is handled in-house (see the “Authentication” note below). Subprocessor terms: aws.amazon.com/agreement.
    • Cloudflare — DNS hosting and registrar for the clixa.app domain. Cloudflare may receive request metadata (e.g. IP address, request URL) when resolving DNS. Cloudflare's privacy notice: cloudflare.com/privacypolicy.
    • OpenAI — image-generation infrastructure for AI-generated thumbnails. Your prompts and reference images are transmitted to OpenAI under their API terms, which prohibit training on customer data submitted via the API. OpenAI privacy: openai.com/policies/privacy-policy.
    • Google Gemini — text and analysis infrastructure (titles, brainstorms, content insights). Prompts and related metadata are transmitted to Google under their Gemini API terms. Google privacy: policies.google.com/privacy.
    • Google (YouTube Data API) — when you connect your YouTube channel, with the scopes you explicitly authorise. We use this only for the channel/thumbnail features you opt into.

    Authentication. Clixa AI authenticates accounts using JSON Web Tokens (JWT) issued by our own backend; passwords are stored as bcrypt hashes and never in plaintext. Where you choose to sign in with Google, the OAuth flow is initiated directly between your browser, Google, and our backend; no third-party identity broker is involved. We do not currently support Apple Sign-In.

  • Legal and safety: when required by law, court order, or government request, or to protect the rights, property, or safety of Clixa AI, our users, or the public.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, subject to the same privacy commitments.
  • With your consent: when you have given us explicit permission to share your information.

3a. Payment Processing (Paddle — Merchant of Record)

Clixa AI uses Paddle.com Market Ltd as its Merchant of Record for all paid subscriptions, recurring renewals, and one‑time credit pack purchases. That means:

  • When you complete a purchase, your payment details (card number, billing address, tax details) are entered into Paddle's hosted checkout and are collected, stored, and processed by Paddle — not by Clixa AI.
  • Paddle handles sales tax, VAT, GST, and equivalent transaction taxes on our behalf and remits them to the relevant authorities.
  • Your invoice, receipts, and renewal emails are issued by Paddle under our name.
  • Clixa AI receives a customer ID, subscription status, and transaction metadata back from Paddle so we can grant and manage your account entitlements.

Paddle is an independent data controller for the payment data it processes. Its privacy practices are governed by Paddle's Privacy Notice. For refund requests, invoice corrections, or billing disputes, please contact us first (see §10) — we coordinate with Paddle on your behalf.

4. Data Retention

We retain your account data and content for as long as your account is active. After you delete your account, we may retain certain information as needed for legal, security, or operational purposes (e.g. fraud prevention, dispute resolution) for a limited period, after which it is deleted or anonymized. Log and analytics data may be retained in aggregated or anonymized form.

5. Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. This includes encryption in transit and at rest where applicable, access controls, and regular security assessments. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

6. Your Rights and Choices

Depending on your location, you may have the right to:

  • Access and portability: request a copy of the personal data we hold about you.
  • Correction: request correction of inaccurate or incomplete data.
  • Deletion: request deletion of your personal data, subject to legal exceptions.
  • Restriction or objection: object to or request restriction of certain processing.
  • Withdraw consent: where we rely on consent, you may withdraw it at any time.
  • Opt out of marketing: unsubscribe from promotional emails via the link in each email or in your account settings.

To exercise these rights, contact us using the details below. If you are in the European Economic Area or the UK, you also have the right to lodge a complaint with a supervisory authority.

7. International Transfers

Your information may be processed in countries other than your country of residence. We ensure appropriate safeguards (e.g. standard contractual clauses) are in place where required by applicable law for such transfers.

8. Children

The Service is not intended for users under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected such information, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. For material changes, we may provide additional notice (e.g. by email or in-product notice). Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

10. Contact Us

For questions about this Privacy Policy or our privacy practices, or to exercise your rights, please contact us at support@clixa.app. We respond to verifiable requests within a reasonable period and at minimum within the timeframes required by applicable law.