Clikr

Privacy Policy

Last updated: May 21, 2026

This policy explains how Clikr handles personal data and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, the revised Swiss Federal Act on Data Protection (revFADP), the California Consumer Privacy Act as amended by the California Privacy Rights Act (the CCPA), and other applicable privacy laws.

Data controller

The data controller for personal data processed through Clikr is Mawal AB, a Swedish private limited company registered in Sweden under Org.nr 559279-0462 (VAT SE559279046201), with its registered office at Hallandsgatan 38, 118 57 Stockholm, Sweden. For any privacy question, or to exercise the rights described below, write to us at hello@clikr.app or by post at the registered address above.

What we collect

Clikr turns your phone into a wireless pointer for presentations. We deliberately collect very little, and the pointer movement itself never reaches us. The categories below are everything we process.

  • Session data. When you pair your phone with the browser extension, a temporary session identifier is created so the two devices can find each other. It is not retained after the session ends.
  • Device motion and pointer data. Pointer position and gesture data is sent in real time between your phone and the extension. This data travels directly between your two devices and never reaches our servers (see "How pointer data travels" below).
  • Account data. If you sign in, we store your email address and an account identifier in Firebase Authentication so we can associate a Clikr Pro purchase or a Pro free trial with your account. An account is only needed for Pro.
  • Payment data. If you buy Clikr Pro, the Paddle entity shown in checkout and on your order confirmation collects your payment details and billing address directly from you. We receive only downstream order information from Paddle, such as the transaction identifier and the email address you used at checkout. We do not receive or store full card details.
  • Diagnostic and error data. On the production site, our error monitoring tool records error and exception details, console warnings and errors, and failed network request details so we can find and fix faults. This data can include technical context such as an IP address. If you allow the Performance category in our cookie banner, it also captures a short error-triggered session replay, with all text masked and all images and media blocked.
  • Analytics data. We use Vercel Analytics for anonymous, aggregated usage statistics (page views and visitor counts). It uses no cookies, stores nothing on your device, and collects no information that identifies you.

Where the data comes from

Most of the data above you give us directly, by pairing a device, signing in, or contacting us. Two categories reach us from a third party: downstream order information comes from Paddle after you complete a purchase, and your federated-login identifier comes from Firebase Authentication when you sign in.

Lawful basis for processing

We process personal data only where a lawful basis under Article 6(1) of the GDPR applies.

  • Running the free pairing service. Processing session and device motion data so the phone and extension can connect rests on our legitimate interest in providing a working presentation tool (Article 6(1)(f)).
  • Providing Clikr Pro and the Pro free trial. Processing account and payment data to deliver the Pro features you purchased or are trialing rests on performance of a contract (Article 6(1)(b)).
  • Service email. Sending you account, sign-in, and order confirmation messages rests on performance of a contract (Article 6(1)(b)).
  • Error monitoring. Processing error and exception details, console warnings and errors, and failed network request details to keep the service secure, find faults, and fix them rests on our legitimate interest in a reliable and secure service (Article 6(1)(f)).
  • Session replay. The error-triggered session replay is part of our error monitoring, but because it stores information on your device it runs only with your consent (Article 6(1)(a)), given through the Performance category in our cookie banner. You can withdraw that consent at any time, which stops the replay.
  • Legal compliance. Keeping payment records and responding to lawful requests rests on compliance with a legal obligation (Article 6(1)(c)).

Special category data

We do not intentionally collect special category data such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or data concerning a person's sex life or sexual orientation (Article 9 GDPR). Clikr has no free-text fields or content uploads that would invite it.

How pointer data travels

Pointer and gesture data is sent over a WebRTC peer-to-peer connection. Your motion data travels directly between your phone and your computer and does not pass through our servers. The Firebase Firestore signaling server is used only to set up that initial connection. It is not a channel for pointer movement.

Sub-processors and recipients

We share personal data with the recipients below, strictly for the purposes described in this policy. Each acts as our processor on our instructions, except Paddle, which is an independent controller for the buyer relationship.

  • Google Firebase (Google Ireland Limited). Provides Firebase Authentication and Firestore signaling for pairing sessions. See firebase.google.com/support/privacy.
  • Paddle. Merchant of Record and an independent data controller for payment, billing, fraud prevention, and tax-compliance data it collects directly from you at checkout. The specific Paddle entity is the one shown in checkout and on your order confirmation. Paddle handles card data under the PCI DSS standard; we never receive it. See paddle.com/legal/privacy.
  • Vercel Inc. Hosts the web application and provides cookieless, anonymous analytics. See vercel.com/legal/privacy-policy.
  • Sentry (Functional Software, Inc.). Provides error monitoring and the error-triggered session replay described above. It processes error and exception data, console warnings and errors, failed network request details, and the masked replay. Ingestion is handled through Sentry's European endpoint. See sentry.io/privacy.

We may disclose personal data when we are legally required to do so, for example to comply with a court order, a regulatory request, or other legal process, or when disclosure is necessary to protect our rights or the safety of others. The basis for this is compliance with a legal obligation (Article 6(1)(c)) and our legitimate interests (Article 6(1)(f)). Where the law allows and it does not prejudice an investigation, we will tell you before we respond.

Business transitions

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, your personal data may pass to the acquiring party or successor entity as part of that transaction. We will require any successor to honor the commitments in this policy. For California residents, this kind of asset transfer is not a sale of personal information under the CCPA.

International transfers

Some of our recipients process data outside the European Economic Area, including in the United States. Where that happens, we rely on the safeguards in Chapter V of the GDPR. For transfers to a US recipient that is certified under the EU-US Data Privacy Framework, we rely on that Framework, and for UK personal data on the UK Extension to it (the UK-US Data Bridge). For all other non-adequate transfers we rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), and for UK personal data on the UK International Data Transfer Addendum. You can ask us which mechanism applies to a given recipient.

Retention

Session identifiers and device motion data exist only for the lifetime of an active pairing session and are deleted when the session ends. Account data is kept while your account exists and is deleted on request. Diagnostic and error data is kept for as long as needed to investigate and fix faults and to keep the service secure, and longer where the law requires. Payment, order, and invoice records that Mawal AB holds are kept for seven years to meet Swedish accounting and tax obligations (Bokföringslagen 1999:1078). Paddle keeps its own records under its own privacy notice.

Your rights

Under the GDPR and the UK GDPR you have the right to access your personal data, to have it corrected, to have it erased, to restrict its processing, to receive a portable copy, to withdraw consent where processing is based on consent, and not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. You also have the right to lodge a complaint with a supervisory authority (see below). To exercise any of these rights, write to us at hello@clikr.app. Residents of Switzerland and of US states with comprehensive privacy laws have comparable rights, described where they differ in the sections below.

Your right to object

You have the right to object at any time to our processing of your personal data where that processing is based on our legitimate interests. This includes the processing of session, motion, and error-monitoring data described above. If you object, we will stop that processing unless we can show compelling legitimate grounds that override your interests, rights, and freedoms, or unless we need the data to establish, exercise, or defend legal claims. To object, email us at hello@clikr.app.

Verifying requests and timing

To protect your data, we confirm your identity before acting on a rights request, normally by asking you to send it from the email address on your account or to provide information that matches it to our records. We do not use that information for anything else. Under the GDPR and the UK GDPR we respond within one month, extendable by up to two further months for complex or numerous requests, and we will tell you within the first month if an extension is needed. For California residents we respond within 45 days, extendable by a further 45 days with notice to you.

US state privacy rights

If you live in a US state with a comprehensive privacy law (including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, Tennessee, Minnesota, Maryland, and other states whose laws come into force from time to time), you may have the right to know what personal information we hold about you, to delete it, to correct it, to receive a portable copy, to opt out of the sale or sharing of personal information and of targeted advertising, and to appeal a decision we make about a request. Mawal AB does not meet the statutory thresholds that would make the CCPA or similar laws mandatory for us, so we extend these rights voluntarily to residents of those states. To exercise them, email us at hello@clikr.app. You may use an authorized agent; we will still need to verify your identity and the agent's authority.

We do not sell your personal information and we do not share it for cross-context behavioral advertising as those terms are defined under the CCPA. We run no advertising or marketing pixels and operate no financial incentive program, and we will not discriminate against you for exercising any privacy right. Because there is no sale or sharing to opt out of, there is no opt-out signal for us to act on. If we ever change that, we will treat a valid Global Privacy Control (GPC) signal from your browser as a request to opt out of any sale or sharing.

Children

Clikr is a general-audience tool and is not directed to children. Under the GDPR (Article 8) the digital-consent age is 16 by default, and EU and EEA member states may lower it to no less than 13. In Sweden, where we are established, it is 13. Other countries may set a different age. We do not knowingly collect personal data from children below the applicable age. If you are a parent or guardian and believe a child has given us personal data, contact us and we will delete it promptly.

Automated decisions

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects. Clikr has no artificial intelligence or machine learning features, and your Pro free trial simply stops at the end of its 14-day period with no automatic charge and no automated profiling.

Email we send you

We send only service email: account and sign-in messages and order confirmations. These are necessary to provide the service and rest on performance of a contract (Article 6(1)(b)), so they are not marketing messages and have no opt-out. We do not run marketing email, SMS, or push notifications today.

We may later add product update email: occasional messages about new Clikr features and notable changes to the service that we think you will want to know about. Although this kind of email is informational rather than promotional, we treat it as a marketing communication. We do not send it yet. If we start, we will rely on a lawful basis for direct marketing, every message will include a clear and easy way to opt out, and opting out will never affect the service email above, which is part of the service itself. We will update this policy before the first such message goes out. We have no plans for marketing SMS or push notifications; if that changes, the same commitment applies.

Cookies

Our use of cookies and similar technologies, the categories we use, and how to give or withdraw consent are described in our separate Cookie Policy.

Security

We protect personal data with measures appropriate to the risk: encryption in transit, access controls on our systems, vendor due diligence, and data processing agreements with our processors. The peer-to-peer design means pointer data is never collected on our servers in the first place. No online service can be perfectly secure, but we work to keep the risk low.

Data breach notification

If a personal data breach occurs, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours, as required by Article 33 of the GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will also inform you without undue delay under Article 34, and we will meet any applicable US state breach notification requirements.

Complaints and supervisory authorities

You have the right to lodge a complaint with a data protection supervisory authority. Our lead supervisory authority in the EU is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), at imy.se. EU and EEA residents may also complain to the authority in their own country, which you can find through the European Data Protection Board's directory at edpb.europa.eu. If you are in Switzerland, you can complain to the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch. If you are in the United Kingdom, you can complain to the Information Commissioner's Office at ico.org.uk. California residents can also contact the California Privacy Protection Agency or the California Attorney General. In any other country, please contact your local data protection authority.

Changes to this policy

We may update this policy as Clikr evolves. The "Last updated" date at the top reflects the most recent change. If a change is material, we will tell you by email or with a prominent notice on the site before it takes effect.

Contact us

For any privacy question, or to exercise a right described above, contact Mawal AB at hello@clikr.app or by post at Hallandsgatan 38, 118 57 Stockholm, Sweden.