Legal

Privacy Policy

Effective date: April 20, 2026
Last updated: April 22, 2026

This Privacy Policy explains how Modern Software Systems Ltd ("Klixey", "we", "us", "our") collects, uses, shares, and protects personal information when you use the Klixey platform, websites, and related services (together, the "Services"). We are a company registered in England and Wales with our registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

This Policy applies to the following individuals: (i) visitors to our websites; (ii) Creators who register for an account to sell digital products, courses, memberships, community access, appointments, or events through Klixey; (iii) Customers who purchase or access products through a Creator's storefront; and (iv) Invited users such as workspace team members, community members, and event attendees. If you are a Customer or Invited user, the Creator whose storefront you interact with is typically an independent controller of your personal data alongside Klixey — please review their own privacy notice as well.

Contents

  1. Definitions
  2. Our role: controller and processor
  3. Personal data we collect
  4. Sources of personal data
  5. Purposes and lawful bases for processing
  6. Cookies and similar technologies
  7. How we share personal data
  8. International data transfers
  9. Data retention
  10. Security
  11. Your rights under UK and EU data protection law
  12. Your rights under US state privacy laws
  13. Sensitive personal information
  14. Children's privacy
  15. Automated decision-making
  16. Third-party sites and Creator storefronts
  17. Changes to this Policy
  18. How to contact us & complaints

1. Definitions

  • "Creator" — a registered user of the Services who operates a storefront to sell products.
  • "Customer" — an end-user who purchases from, subscribes to, or otherwise accesses a Creator's storefront or products.
  • "Workspace" — the isolated tenant within Klixey where a Creator (and optionally team members) manages their storefront, products, and Customer data.
  • "Personal data" / "personal information" — has the meaning given under applicable law.
  • "Sub-processor" — a third party that processes personal data on our behalf (for example, our hosting provider).
  • "UK GDPR" and "EU GDPR" — the United Kingdom General Data Protection Regulation and the EU Regulation (EU) 2016/679, respectively, each as amended.
  • "CCPA/CPRA" — the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.

2. Our role: controller and processor

Klixey plays different roles depending on the personal data and the context in which it is processed. It is important to understand which role we play in each case, because your rights and our obligations may differ.

2.1 When we act as controller

We are the controller of personal data we collect and use for our own purposes, including:

  • Information about Creators, team members, and visitors that we use to operate, market, and improve the Services;
  • Account, authentication, and billing information for Creator subscriptions to Klixey;
  • Device, cookie, and log data collected across our websites and the creator dashboard;
  • Support correspondence and survey responses sent to us directly.

2.2 When we act as processor

When a Creator uses the Services to manage their own business, the Creator is the controller of their Customer data, and Klixey acts as a processor on the Creator's behalf under our Terms of Service and Data Processing Addendum ("DPA"). This applies, for example, to:

  • Customer account records, order history, and subscription status within a Creator's workspace;
  • Community posts, comments, direct messages, and member profiles within a Creator's community;
  • Customer files and media uploaded to a Creator's workspace;
  • Customer lists and tags managed through the Creator CRM.

When we act as a processor, we process Customer personal data only on the Creator's documented instructions, except where applicable law requires otherwise. If you are a Customer and wish to exercise rights in respect of such data, please contact the relevant Creator first. We will support Creators in responding to your requests where we are able to do so.

2.3 Payments and Stripe Connect

Payments on the Services are processed by Stripe, Inc. and its affiliates (including Stripe Payments Europe Ltd and Stripe Technology Europe Ltd ("STEL") for card network transactions in the United Kingdom and European Economic Area) (together, "Stripe") using Stripe Connect in a direct-charge configuration. For payment card and payout data, Stripe typically acts as an independent controller and, for certain categories, as our processor. Stripe's handling of personal data is governed by its own Privacy Policy, and our processor relationship with Stripe is governed by Stripe's Data Processing Agreement, which we have entered into. Klixey does not store full card numbers.

Stripe may collect personal data, including via cookies and similar technologies, when you interact with checkout, subscription, or onboarding pages on the Services. This may include transactional data and identifying information about the devices that connect to Stripe's services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection, loss prevention, authentication, regulatory compliance, and analytics related to the performance of its services. Stripe processes this data as described in its Privacy Policy.

3. Personal data we collect

We collect the categories of personal data listed below. Not every category applies to every individual.

3.1 Account and identity data

  • Name, email address, password (stored hashed and salted), profile image, time zone, language preference;
  • For Creators: workspace name, business name, storefront slug, social links, custom domain(s);
  • For Customers: display name and avatar associated with a Creator's storefront or community.

3.2 Commerce and billing data

  • Order history, subscription status, invoice records, currency, amounts, tax information, discount codes used, refund and chargeback history;
  • For Creator subscriptions to Klixey: billing address, last four digits of payment card, card expiry, and Stripe customer ID;
  • For Customer purchases: billing information passed to Stripe at checkout. We receive a token and metadata from Stripe; we do not receive or store full card numbers or bank account numbers.

3.3 Content you upload or generate

  • Product descriptions, course lessons and videos, community posts and comments, direct messages, files uploaded to digital products, images, and other content you choose to share through the Services;
  • Appointment details, calendar events (if you connect Google Calendar), and booking notes.

3.4 Usage, device, and log data

  • IP address, approximate location derived from IP, browser type and version, device identifiers, operating system;
  • Pages visited, referring URLs, timestamps, actions taken in the dashboard or storefront, error reports and crash diagnostics;
  • Authentication events, session identifiers, and security-related metadata.

3.5 Third-party integration data

  • Google: if you connect Google Calendar, we receive OAuth tokens and the calendar data you authorise (e.g., busy/free information, events for conflict detection). We use this data solely to provide the appointment-booking feature and do not use it for advertising or to train generalised artificial-intelligence models. We do not transfer Google user data to third parties, except as necessary to provide or improve the user-facing features you requested, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to affected users. Klixey personnel do not read your Google user data, except where you have given us affirmative consent for specific items (for example, to help resolve a support request), where access is necessary for security purposes, where required by applicable law, or where the data has been aggregated or anonymised for internal operations. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
  • Stripe: identifiers linking your Klixey account to your Stripe Connect account and payment metadata.

3.6 Communications with us

  • Emails, support tickets, in-app chat messages, and survey responses;
  • Records of marketing preferences and consent.

3.7 Information we derive

We derive additional information from the categories above, for example aggregated analytics, fraud-risk signals, and product usage metrics. Where derived information is linked to an identifiable person, we treat it as personal data.

4. Sources of personal data

  • Directly from you when you register, configure a store, upload content, book an appointment, or contact us;
  • Automatically from your device and browser when you use the Services (see §6 Cookies);
  • From Creators if you are a Customer — for example when a Creator uploads a contact list or enters a manual booking;
  • From third parties such as Stripe (payments, identity verification), Google (if you use OAuth sign-in or Calendar), domain registrars and DNS providers (for custom-domain verification), and service providers that help us detect fraud and abuse.

5. Purposes and lawful bases for processing

Under the UK GDPR and EU GDPR, we process personal data only where we have a lawful basis under Article 6 (and, for special category data, an additional Article 9 condition). The table below summarises our principal processing activities, the personal data involved, and the lawful basis on which we rely.

Purpose Categories of data UK/EU lawful basis
Providing the Services and performing our contract with you Account, content, commerce, usage Art. 6(1)(b) performance of a contract
Processing payments and preventing fraud Commerce and billing, device, IP Art. 6(1)(b) and Art. 6(1)(f) legitimate interests
Keeping the Services secure and abuse-free Usage, device, authentication logs Art. 6(1)(f) legitimate interests in platform security
Transactional and service emails Account, contact details Art. 6(1)(b) and Art. 6(1)(f)
Marketing to Creators about Klixey features Contact details, usage Art. 6(1)(f) soft opt-in (for existing customers) or Art. 6(1)(a) consent (for prospects) where required
Improving and developing the Services Usage, device, aggregated data Art. 6(1)(f) legitimate interests
Complying with legal, tax, and regulatory obligations Account, commerce, financial records Art. 6(1)(c) legal obligation
Establishing, exercising, or defending legal claims As necessary Art. 6(1)(f) legitimate interests; Art. 9(2)(f) where applicable

For US residents, we process the categories of personal information for the business and commercial purposes set out above. We do not sell personal information for monetary consideration and we do not "share" personal information for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA.

6. Cookies and similar technologies

We use cookies and similar technologies to operate the Services, remember your preferences, and measure performance.

6.1 Categories of cookies

  • Strictly necessary — required to log you in, keep your session secure, protect against cross-site request forgery (CSRF), and load the correct storefront on custom domains. These cannot be disabled.
  • Functional — remember your preferences (such as language, theme, or dismissed notices). We do not use functional cookies to track you across unrelated websites.
  • Analytics — first-party analytics and error reporting that help us understand how the Services are used. Where consent is required by law, we will ask for it before setting non-essential analytics cookies.

We do not set third-party advertising cookies on our own websites. Individual Creator storefronts may integrate third-party tools (e.g., the Creator's own analytics) subject to the Creator's privacy notice.

6.2 Managing cookies

You can manage non-essential cookies via the banner shown on your first visit and through your browser's cookie controls. Blocking strictly necessary cookies will prevent parts of the Services from working properly.

7. How we share personal data

We share personal data only in the limited circumstances described below.

7.1 With Creators

If you are a Customer, we share your data with the Creator whose storefront you interact with, so that the Creator can fulfil your purchase, respond to your messages, and manage their business. The Creator is an independent controller of that data.

7.2 With sub-processors

We engage carefully selected sub-processors to deliver the Services. Each is bound by written data protection terms, confidentiality obligations, and appropriate security measures. A current list of our principal sub-processors follows.

Sub-processor Purpose Region
Stripe, Inc. Payment processing, Stripe Connect, fraud prevention United States / Ireland
Amazon Web Services (Amazon SES) Transactional email delivery, bounce and complaint handling United States / EU
Cloudflare, Inc. Content delivery, DDoS protection, object storage (R2) for media Global edge network
Google LLC Google Calendar integration, optional OAuth sign-in United States
Hetzner Online GmbH Edge server and infrastructure hosting Germany / Finland
Laravel Cloud / Forge (Taylor Otwell LLC) Application hosting, deployment, and managed database infrastructure United States / EU

We will update this list from time to time as our infrastructure evolves. Creators with a signed DPA will receive advance notice of new sub-processors where required by the DPA.

7.3 With professional advisers and corporate transactions

We may share personal data with our accountants, auditors, lawyers, insurers, and similar advisers where necessary. In the event of a merger, acquisition, restructuring, financing, or sale of assets, personal data may be transferred as part of the transaction, subject to appropriate safeguards.

7.4 With authorities and in response to legal process

We may disclose personal data to public authorities, law enforcement, or other third parties where we reasonably believe disclosure is required by applicable law, necessary to comply with valid legal process, or needed to protect the rights, property, or safety of Klixey, our users, or the public. We will review each request on its merits and will challenge requests that appear overbroad or otherwise inappropriate.

7.5 With your consent or at your direction

We will share personal data in any other way described to you at the point of collection, or otherwise with your consent.

8. International data transfers

Klixey is based in the United Kingdom. The Services and our sub-processors operate globally, and your personal data may therefore be transferred to, and processed in, countries outside the United Kingdom and European Economic Area, including the United States. These countries may have data protection laws that differ from those in your country.

Where we transfer personal data from the UK or EEA to a country that is not the subject of an adequacy decision, we rely on:

  • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses for transfers out of the UK;
  • the EU Standard Contractual Clauses (Commission Decision 2021/914) for transfers out of the EEA;
  • for transfers to recipients in the United States that are certified under the EU-US Data Privacy Framework (and its UK Extension), the Framework as a valid transfer mechanism;
  • additional technical, contractual, and organisational safeguards where required by applicable transfer-impact assessments.

You can request a copy of the safeguards we apply by contacting privacy@klixey.com.

9. Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

  • Active account data — retained while your account or workspace is active, and for a reasonable period after closure to allow for reactivation, dispute resolution, and legal compliance.
  • Financial and tax records — retained for a minimum of six years after the end of the relevant accounting period, in line with UK HMRC and US IRS record-keeping rules.
  • Customer records held on behalf of a Creator — retained in accordance with the Creator's instructions and our DPA. On termination of a Creator's workspace, data is deleted or returned within 90 days, subject to any legal retention requirements.
  • Server, security, and access logs — typically retained for up to 12 months, with security-event logs retained longer where justified by investigation needs.
  • Backups — encrypted backups are retained on a rolling basis and overwritten within normal backup cycles; deleted data may persist in backups until the relevant cycle completes.

10. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These include:

  • TLS encryption for data in transit and encryption at rest for databases and media storage;
  • Role-based access controls, least-privilege provisioning, and audit logging of administrative actions;
  • Multi-tenant data isolation at the workspace level;
  • Secure software development practices, dependency scanning, and periodic penetration testing;
  • Background checks and confidentiality obligations for personnel with access to personal data;
  • An incident response plan covering detection, containment, notification, and remediation.

No method of transmission or storage is 100% secure. You are responsible for keeping your account credentials confidential and for notifying us promptly of any suspected compromise.

11. Your rights under UK and EU data protection law

If you are located in the United Kingdom or the European Economic Area, you have the following rights, subject to applicable conditions and exemptions:

  • Right of access — request a copy of the personal data we hold about you;
  • Right to rectification — ask us to correct inaccurate or incomplete data;
  • Right to erasure — ask us to delete personal data in specified circumstances;
  • Right to restrict processing — ask us to suspend processing while we verify or investigate;
  • Right to data portability — receive certain data in a structured, commonly used, machine-readable format;
  • Right to object — object to processing based on legitimate interests or direct marketing;
  • Rights related to automated decision-making — not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not carry out such processing — see §15);
  • Right to withdraw consent — where we rely on consent, you may withdraw it at any time without affecting prior processing;
  • Right to lodge a complaint — with the UK Information Commissioner's Office (ico.org.uk) or your local EEA supervisory authority.

To exercise any of these rights, email privacy@klixey.com. We may need to verify your identity before responding. We will respond within one month, which we may extend by up to two further months for complex or numerous requests, and we will tell you if we do so.

12. Your rights under US state privacy laws

If you are a resident of the United States, your rights depend on the state in which you live. The following jurisdictions have comprehensive consumer privacy laws that may apply to our processing: California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and others as they come into force.

12.1 Rights common to most US states

  • Right to know / access the categories and specific pieces of personal information we have collected;
  • Right to delete personal information we have collected from you, subject to legal exceptions;
  • Right to correct inaccurate personal information;
  • Right to data portability — obtain a copy of your data in a portable, readily usable format;
  • Right to opt out of the sale or sharing of personal information for cross-context behavioural advertising (also called "targeted advertising");
  • Right to limit the use and disclosure of sensitive personal information to purposes permitted by applicable law (California);
  • Right of non-discrimination for exercising your privacy rights;
  • Right to appeal a refusal to act on a request (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, among others).

12.2 Our practices: no sale, no targeted advertising

Klixey does not sell personal information for monetary consideration, and does not share or process personal information for cross-context behavioural advertising or targeted advertising as those terms are defined under applicable US state privacy laws. We have not done so in the preceding 12 months, and we do not knowingly sell or share the personal information of minors under 16.

12.3 Categories of personal information collected and disclosed (CCPA/CPRA)

For California residents, during the preceding 12 months we have collected the categories of personal information set out in §3 and may have disclosed those categories for a business purpose to the service providers and third parties described in §7. We do not use sensitive personal information for purposes that require the right to limit to be offered under Cal. Civ. Code §1798.121(a).

12.4 How to exercise your rights

To submit a verifiable consumer request, email privacy@klixey.com with the subject line "US Privacy Request" and tell us your state of residence and the right you wish to exercise. We will verify your identity using information already associated with your account or, for non-account holders, additional attestation. Authorised agents may submit requests on your behalf with written authority and proof of identity.

Where supported by your browser, we recognise the Global Privacy Control (GPC) signal as a valid opt-out of sale and sharing for the browser and device on which it is enabled. Because we do not sell or share personal information, the GPC signal does not change our processing, but we honour it as a preference for any future processing that would be in scope.

12.5 Right to appeal

If we decline to act on a request, you may appeal our decision by replying to the response email or writing to privacy@klixey.com with "Appeal" in the subject. If your appeal is denied, you may contact the attorney general of your state, including (for California residents) the California Privacy Protection Agency at cppa.ca.gov.

12.6 "Shine the Light" (California)

California Civil Code §1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information for such purposes.

12.7 Financial incentives

We do not offer financial incentives in exchange for the collection, sale, or retention of personal information.

13. Sensitive personal information

We do not intentionally collect special category personal data (as defined by UK/EU GDPR) or sensitive personal information (as defined by US state privacy laws), except where strictly necessary and with an appropriate lawful basis — for example, where a Creator sells services that require such information and has obtained explicit consent from their Customer. Creators must not upload sensitive information to the Services without a lawful basis and, where applicable, appropriate consents.

14. Children's privacy

The Services are not directed to, and we do not knowingly collect personal data from, children under the age of 13 (or, in the EEA and the UK, the age of digital consent in your jurisdiction, which is 13 in the UK and between 13 and 16 in EU member states). If you believe that a child has provided us with personal data, please contact privacy@klixey.com and we will take appropriate steps to delete it, consistent with the Children's Online Privacy Protection Act (COPPA) in the United States and corresponding UK/EU rules.

15. Automated decision-making

We do not make decisions that produce legal or similarly significant effects concerning you based solely on automated processing. Some features, such as fraud risk scoring on payments (performed primarily by Stripe), involve automated analysis; where these contribute to a decision that significantly affects you, a human will review the outcome if you request it.

16. Third-party sites and Creator storefronts

The Services may contain links to third-party websites and may be used by Creators to host their own storefronts on custom domains. Creators are independent controllers of personal data they collect through their storefronts. We are not responsible for the privacy practices of third-party sites or Creator storefronts. We encourage you to review the applicable privacy notices before providing personal data.

17. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of the Policy. Material changes will be notified in advance where required by law — for example by email, in-app notice, or a prominent banner on our websites. Your continued use of the Services after changes take effect means you accept the updated Policy.

18. How to contact us & complaints

For questions, privacy requests, or complaints about this Policy or our processing of your personal data, please contact us:

  • Email: privacy@klixey.com
  • Post: Data Protection, Modern Software Systems Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

If you are in the UK and are not satisfied with our response, you may contact the Information Commissioner's Office. If you are in the EEA, you may contact your local supervisory authority — a list is available at edpb.europa.eu. If you are in the United States, you may also contact the attorney general of your state.