Privacy Policy

Last updated: June 5, 2026

This Privacy Policy describes how KlicForge ("we", "us", or "our") collects, uses, and shares your personal information when you use our website and services.

Information We Collect

We collect information you provide directly to us, such as when you create an account, use our services, or contact us for support. This may include your name, email address, company information, and any other information you choose to provide.

We also automatically collect certain information when you use our services, including your IP address, browser type, operating system, referring URLs, and usage data.

MFA trusted device security data: When you choose "Remember this device" after completing multi-factor authentication, we record your IP address and a truncated User-Agent string (browser family and OS, no build or patch version) alongside an opaque device token. These are used solely to detect anomalous access — for example, a token being presented from an IP address or device type inconsistent with the one that registered it. This data is not used for advertising, analytics, or any purpose other than account security. Under the California Consumer Privacy Act, this information falls within the security-purpose exemption (Cal. Civ. Code §1798.145(d)) and is not subject to the right to opt out of sale. You may delete all trusted device records at any time from your account security settings.

Referral attribution: If you visit our site through an affiliate link containing a ?ref= parameter, we capture that referral code in a first-party cookie (see Cookies below). When you subsequently create an account, the code is associated with your tenant in our database ("affiliate_referrals") so we can attribute future paid invoices to the referring affiliate. We may also retain the IP address, user agent, and timestamp of the claim event for fraud prevention.

How We Use Your Information

We use the information we collect to provide, maintain, and improve our services, to communicate with you, to personalize your experience, and to detect, prevent, and address fraud or technical issues.

We may also use your information to send you marketing communications, but only with your consent. You can opt out of marketing communications at any time.

Data Sharing & Third Parties

We do not sell your personal information to third parties. We may share your information with service providers who help us operate our services, but only as permitted by law and in accordance with this Privacy Policy.

We may also share your information when required by law, such as in response to a subpoena or other legal process, or when we believe disclosure is necessary to protect our rights, property, or safety.

Affiliate program: If you were referred to KlicForge through an affiliate link, the referring affiliate is shown limited, non-identifying information about your subscription for the purpose of tracking their earned commission — specifically: an opaque tenant identifier (UUID, not your name or email), the date you became a paying tenant, the eligibility window end date, your subscription status (active/expired), and, for each accrued commission, the opaque payment-processor invoice identifier, the gross and net invoice amounts, the commission rate, and the commission amount. We do not share your name, email address, plan tier, account contents, or any other identifying information with the referring affiliate.

Data Retention

We retain your personal information for as long as necessary to provide our services and comply with our legal obligations. If you delete your account, we will delete your personal information within 30 days, though some information may be retained for legal reasons.

Some information may remain in our backup systems for up to 90 days after deletion.

MFA trusted device records: Server-side records in the user_trusted_devices table (token hash, IP address, truncated User-Agent, expiry timestamp) are retained for the lifetime of the device token — 30 days from creation — and deleted automatically on expiry. Records are also deleted immediately when you revoke a device via security settings, change your password, or delete your account.

Affiliate records: Records related to affiliate attribution, commission accrual, payouts, and refund clawbacks are retained for the longer of (a) seven (7) years from the date of the underlying transaction, or (b) the period required by applicable tax, accounting, or financial-services regulations. This retention period applies independently of account deletion and is necessary for tax compliance, fraud investigation, and chargeback defence.

Your Rights

Depending on your location, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict the processing of your information.

To exercise these rights, please contact us at [email protected]. We will respond to your request within 30 days.

Cookies

We use cookies and similar technologies to improve your experience on our website, to analyze traffic and usage, and to provide personalized content. Most web browsers accept cookies by default, but you can set your browser to remove or reject them.

The cookies we set include:

  • kf_ref — affiliate referral attribution: Set when you visit our site with a ?ref=CODE parameter on the URL (typically an affiliate link). Stores only the referral code. Scoped to the parent domain (.klicforge.ai) so it can be read by both the marketing site and the dashboard after sign-up. First-party, SameSite=Lax, Secure on HTTPS, lifetime up to 60 days, not HttpOnly (set client-side from the static marketing site). Cleared automatically once the referral is claimed against your tenant. You can delete it at any time via your browser's cookie controls; doing so before sign-up will remove referral attribution.
    EU, UK and Switzerland visitors: Because this cookie is non-essential under the EU ePrivacy Directive, UK PECR and Swiss revFADP, we only set it after you affirmatively accept a consent banner shown at the bottom of the page. If you decline, dismiss or ignore the banner, no kf_ref cookie is written, no referral code leaves your browser, and any affiliate who referred you will not be credited if you later sign up. Your decision is remembered for 12 months via a local browser preference (kf_affiliate_consent) stored in localStorage, not a cookie.
  • __mfa_device — MFA trusted device token: Set when you choose "Remember this device" after completing multi-factor authentication. Contains an opaque random token; the matching server-side record stores only a SHA-256 hash of that token, the expiry timestamp, your IP address at registration time, and a truncated User-Agent string. Never stores your password, TOTP code, or recovery codes. HttpOnly, Secure, SameSite=Strict, 30-day lifetime. Revoked automatically on password change, sign-out from all devices, or when you remove the device from your security settings. Strictly necessary for security functionality — no consent banner is shown for this cookie.
  • Functional & analytics cookies: Used to keep you signed in, remember preferences, and measure aggregate site usage. These do not contain advertising identifiers.

Please note that removing or rejecting cookies may affect the availability and functionality of our services, including the ability to attribute a referral to the affiliate who referred you.

Security

We take the security of your personal information seriously and use appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction.

However, no method of transmission over the internet or electronic storage is completely secure, so we cannot guarantee absolute security.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated policy on our website and update the "Last Updated" date above.

We encourage you to review this Privacy Policy regularly to stay informed about how we are protecting your information.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Email: [email protected]
Address: See our Contact page for more information