Privacy Policy

Last updated: 2026-05-29

Summary

  • Local-first: your video files, thumbnails, tags, and transcripts stay on your machine and are not uploaded to our servers.
  • Purchases & licensing: we store limited data to issue and validate licenses and handle refunds/chargebacks.
  • Optional app telemetry & error reporting: disabled by default; you can opt in or out at any time in the app.
  • Website analytics & embedded media: Google Analytics and YouTube embeds are only loaded after you consent to the matching category in the cookie banner.

Data controller

PAULUS DIGITAL SOLUTIONS LLC is the data controller for personal data collected through this website and the ClipCatalog application.

3833 POWERLINE RD SUITE 201
FORT LAUDERDALE, FL. US 33309
privacy@clipcatalogpro.com

EU representative (GDPR Article 27): PAULUS DIGITAL SOLUTIONS LLC is a US-established controller processing a limited volume of personal data of EU/EEA residents (email address, license entitlement, and payment data handled by our merchant of record, Paddle.com Market Limited). We have not designated a representative under GDPR Article 27 at this time. EU/EEA data subjects retain all rights under the GDPR and may exercise them by contacting privacy@clipcatalogpro.com. EU/EEA data subjects also have the right to lodge a complaint with the supervisory authority in their Member State of residence. We will reassess our Article 27 representative obligation as our processing volume grows.

Data Protection Officer: PAULUS DIGITAL SOLUTIONS LLC has not designated a Data Protection Officer under GDPR Article 37; the mandatory-appointment criteria do not apply to our scale and processing activities. Direct any data-protection enquiries to privacy@clipcatalogpro.com.

Website analytics

We use Google Analytics on this website to understand how visitors use the site and to improve it. Google Analytics cookies are only loaded after you consent to the Analytics category via the cookie banner.

When you consent, data such as your IP address, browser type, pages visited, and time spent on the site may be collected and processed by Google. For more information, see Google's Privacy Policy.

Google Analytics is only enabled after you consent. You can withdraw consent at any time (see our Cookies page).

Embedded video (YouTube)

Some pages on this website embed a short product-tour video served from YouTube. The embed uses youtube-nocookie.com (Google's privacy-extended variant) and is not loaded until you actively consent to the External media category via the cookie banner. Until then a placeholder is shown and no data flows to Google.

When you grant consent and the player loads, Google receives your IP address, browser user-agent, referrer (limited via strict-origin-when-cross-origin) and — if you are signed into a Google account in the same browser — your Google account cookies. Google may set storage on its own origin to remember playback preferences and similar. See Google's Privacy Policy and YouTube's Terms of Service.

Lawful basis (EEA/UK): consent under GDPR Article 6(1)(a), given by enabling the External media category in the cookie banner (or by clicking Enable external media in the inline placeholder on a video card). You can withdraw consent at any time via the Cookie settings link in the site footer or by clearing the External media checkbox; subsequent page loads will not load YouTube and already-rendered embeds will revert to the placeholder.

Provider: YouTube is operated by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) for users in the EEA/UK/Switzerland, and by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) elsewhere. International transfer: any US transfer relies on Google's certification under the EU-US Data Privacy Framework, with Google's published Standard Contractual Clauses as a fallback where the framework does not apply.

You can change your choice by clearing your browser's site data for this domain, or see details in our Cookies page.

App data

ClipCatalog is designed to work locally on your machine. Your video files, thumbnails, tags, and transcripts remain on your storage and are not uploaded to our servers.

Telemetry and error reporting are prompted on first launch and disabled unless you opt in. No video content is ever sent.

Face recognition data (biometric)

ClipCatalog includes an optional face recognition feature that is disabled by default. You must explicitly enable it in the app settings to use it. Enabling face recognition is entirely at your discretion.

Face recognition data may constitute biometric data under applicable data protection laws, including Article 9 of the EU General Data Protection Regulation (GDPR), which classifies biometric data as a special category of personal data.

All face recognition processing happens entirely on your local device. Face data (such as face embeddings, groupings, and associated metadata) is stored only on your machine and is never uploaded, transmitted, or shared with us or any third party. We have no access to your face recognition data.

You can permanently delete all face recognition data at any time using the dedicated delete button in the app. Disabling the face recognition feature stops all further face-related processing.

In keeping with the EU AI Act (Regulation (EU) 2024/1689) Article 50 transparency obligations, ClipCatalog discloses the on-device AI face-detection system to you inside the app under Settings → Face Detection, noting that AI results may be inaccurate.

Beyond face recognition, ClipCatalog ships an on-device image-tagging vocabulary that labels scenes and objects in your videos. That vocabulary does not contain tags that infer your race or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, sex life, or sexual orientation. These are the categories whose deduction from biometric data is prohibited by Article 5(1)(g) of the EU AI Act. The vocabulary does contain general object and scene labels with cultural or religious associations (for example, “church”, “mosque”, “synagogue”, “bible”, “cross”) and occupation labels that may apply based on visible attire and setting (for example, “monk”, “nun”, “preacher”). These labels classify the visual content of the frame as a whole; they are not produced by a biometric-categorisation system within the meaning of Articles 3(40) and 5(1)(g) of the EU AI Act, because they are derived from overall image content (clothing, setting, objects), not from biometric features extracted from a person. Beyond this labelling vocabulary, ClipCatalog does not train, build, or deploy any model whose purpose is to infer sensitive attributes (race, religion, sexual orientation, political opinion, trade-union membership, or any other Article 9 GDPR special category) from biometric features extracted from a person.

Professional and business users

ClipCatalog is designed primarily for personal and household use. If you use the application in a non-personal capacity — for example to process footage of employees, clients, talent, or members of the public — the household exemption of GDPR Art. 2(2)(c) and AI Act Art. 2(10) does not apply to your use, and you act as an independent data controller (under the GDPR) and AI Act deployer with respect to the people in your footage. Your typical duties include identifying a lawful basis for processing biometric data under GDPR Art. 9(2), informing data subjects under Art. 13 or 14, and providing any AI Act transparency required toward those persons. Nothing in the application architecture relieves you of those duties; ClipCatalog provides the tool, not the legal basis for its use.

Licensing & purchase data (Paddle + our backend)

If you purchase ClipCatalog, we process limited data to issue your license, validate activations, provide support, and handle refunds or chargebacks. Purchases are processed by Paddle as our Merchant of Record (see Merchant of Record below). Paddle is the contractual seller toward the buyer; afterwards Paddle shares limited buyer data with us, which we then process as our own controller for the purposes set out here.

  • Identifiers: license key, Paddle customer ID, Paddle transaction ID, Paddle price ID.
  • Customer contact: customer email address (from Paddle) for purchase and support purposes.
  • License details: plan, license status, activation limits, validity/expiry (if applicable), and timestamps for relevant events.
  • Payment metadata: currency code and amount paid (stored as purchase metadata).

Email subscriptions & marketing list (double opt-in)

ClipCatalog operates a double-opt-in (DOI) email list ("ClipCatalog updates") used to share occasional release notes about new features and major releases. You only enter the list after you (a) submit your email through one of the consent surfaces below AND (b) click the confirmation link in the email Brevo sends to your address. Submitting the form alone does not subscribe you — without the click, your address is purged after 30 days and never reaches the marketing list.

  • 14-day trial extension: inside the app, you can request a 14-day full-library trial by providing your email address. Alongside the email field is an unchecked marketing-consent checkbox; ticking it triggers a confirmation email asking you to click a link to subscribe. The trial extension is granted regardless of whether the box is ticked — and regardless of whether you later click the confirmation link. The trial-grant confirmation email goes out from us under GDPR Article 6(1)(b) (performance of contract); the marketing list-add only happens after your DOI click.
  • Post-purchase opt-in: after a successful Paddle checkout, our "Thank you" page presents an unchecked marketing-consent checkbox. Ticking it triggers a confirmation email asking you to click a link to subscribe. Paddle's own checkout does not collect marketing consent on our behalf — the checkbox is shown only on our post-redirect page, and your address only enters the marketing list after the DOI click.
  • Website newsletter signup: the website's release-notes pages include an unchecked opt-in form. Submitting your email through that form triggers a confirmation email; you only enter the list after you click the link inside.

Lawful basis (EEA/UK): consent under GDPR Article 6(1)(a) — perfected by clicking the confirmation link in the email Brevo sends after you submit the form. The form submission alone is not consent; the click is. You can withdraw consent at any time afterwards by clicking the unsubscribe link in the footer of any email we send — no login or account required.

Both the form-submission step and the confirmation click are voluntary and independent of every other feature: the 14-day trial extension, the 500-video free trial, your purchase, and the install-link email all proceed exactly the same whether you submit the form, click the link, or do neither. Refusing consent — at either step — has no effect anywhere in the product.

Abuse-prevention record (regardless of marketing consent). When we issue a 14-day trial extension we keep a small backend record of your email and the grant timestamp so we can enforce a 12-month per-email cooldown — without it, a user could wipe their installation identifier and re-request another extension on the same email indefinitely. If you didn't tick the marketing box, this record carries only your email and the grant timestamp; it stores none of the consent metadata listed below. It is processed under GDPR Article 6(1)(f) (legitimate interest in preventing repeat-grant abuse) and is deleted 12 months after the grant. Refusing the marketing-consent checkbox still has no effect on the trial itself or on any other part of the product.

Transactional emails about your trial. The trial-extension confirmation email is sent under GDPR Article 6(1)(b) (performance of contract — the 14-day grant is the contract) regardless of whether you ticked the marketing-consent checkbox. It contains no marketing copy. We also send a single reminder approximately 3 days before your 14-day trial expires, on the same lawful basis (Article 6(1)(b), regardless of marketing consent) and equally free of marketing copy.

Paywall-decline feedback. If you submit a reason or free-text comment alongside your trial-extension request, that feedback is stored in a separate table under GDPR Article 6(1)(f) (legitimate interest in product improvement), independently of whether you ticked the marketing-consent checkbox.

For each subscription we store the following on our backend so that we can honour your consent and prove its provenance if asked:

  • Subscription identity: email address; signup source (trial-extension, paddle-purchase, or web-newsletter); first-seen timestamp; current consent state (pending_doi until you click the confirmation link, then confirmed; rows that stay pending_doi for 30 days are deleted).
  • Consent audit (populated when you tick the marketing-consent checkbox at signup, and the audit anchor is re-stamped with doi_confirmed_at on your DOI click): the form-submission timestamp; the moment you clicked the confirmation link; the version tag of the privacy policy displayed at the form; a stable identifier (consent_label_id) for the exact wording of the consent label you saw at signup, so old records can be matched against the label revision they agreed to; your client IP truncated to a network prefix (an anonymised /24 for IPv4 or /48 for IPv6 — we never store the full address in this consent record); and your user-agent string at the time of consent. We retain these audit fields under our accountability obligation (GDPR Articles 5(2) and 7(1)) so we can prove your consent existed if you or a regulator ask, for as long as we rely on your consent — that is, while your subscription record exists. They are deleted when your subscription record is deleted (for example, when you ask us to erase it; see your rights below).
  • Context: your interface language (used by Brevo to send the matching language variant of campaigns) and, for the 14-day trial-extension path, a reference to the installation that requested the grant (used solely to enforce our anti-abuse rules — one grant per installation).
  • Subscription state: a Brevo contact id used to keep our backend and Brevo in sync; an unsubscribe timestamp once you opt out (set permanently — we will not re-add your address even on a later purchase; if you later want to re-subscribe, email us at privacy@clipcatalogpro.com and we'll add you back manually); and a hard-bounce counter for deliverability hygiene (processed under our legitimate interest in maintaining list quality, GDPR Article 6(1)(f)).
  • Email-validity preflight result: when you submit an email through the 14-day extension path, we run it through an external email-validation service before adding it to the list (see Subprocessors below). We store the validation result string and a credit-balance gauge so we can monitor the service quota; we do not store rejected addresses (invalid, disposable, role-only) — those are blocked at submit time and discarded.

Subprocessors:

  • Sendinblue SAS (operating as Brevo; SIREN 498 019 298), 17 rue Salneuve, 75017 Paris, France, hosts the contact list and delivers our newsletter campaigns. EU/EEA subscriber data is processed on Brevo's EU infrastructure — no transfer outside the EEA for this leg. Brevo receives your email, your interface language, and a coarse subscription-tier label so it can segment campaigns. Brevo's privacy policy is at brevo.com/legal/privacypolicy.
  • ZeroBounce performs the email-validity preflight before we add an address to the list, so we don't send mail to typo'd, undeliverable, or disposable addresses (which would harm everyone's deliverability). We call ZeroBounce's EU-only endpoint (api-eu.zerobounce.net), so the email is processed within the EEA. ZeroBounce receives only the email address you submitted; we receive back a verdict and discard the address if rejected. We have a Data Processing Agreement with ZeroBounce under Article 28 GDPR (provided at sign-up), together with Standard Contractual Clauses covering any third-country access by ZeroBounce personnel based in the United States. The email validation itself is processed on ZeroBounce's EU-only infrastructure (api-eu.zerobounce.net). ZeroBounce's privacy policy is at zerobounce.net/privacy-policy; copies of the DPA and SCCs are available on request to privacy@clipcatalogpro.com. The lawful basis for this preflight is GDPR Article 6(1)(f) — our legitimate interest in deliverability and abuse prevention, balanced against the minimal data shared (the email address only) and the absence of any profiling.
  • Cloudflare, Inc. provides Turnstile, an anti-bot challenge widget that protects the website's email-submission forms (the trial-extension flow inside the app does not use Turnstile). Turnstile uses behavioural signals to distinguish human visitors from automated bots without requiring a visible CAPTCHA puzzle. It does not set tracking cookies, does not build cross-site profiles, and is not used for analytics. Cloudflare receives minimal request metadata (your IP address, user-agent, and a session token) solely to evaluate whether the form submission is human; we receive only a pass/fail verdict and the timestamp. Cloudflare's privacy policy is at cloudflare.com/privacypolicy; their Turnstile-specific information is at developers.cloudflare.com/turnstile. Cloudflare is US-headquartered with EU data-processing locations; we rely on Cloudflare's published Standard Contractual Clauses for any incidental third-country access.

Open and click tracking in newsletters: the campaign emails we send through Brevo contain a small remote image (a "tracking pixel") that loads from Brevo when you open the email, plus links that route through Brevo before reaching their final destination. Brevo records per-recipient open and click events by design — that is how email-service providers measure deliverability and engagement. We consume only aggregate statistics from those records (e.g. "this campaign had a 28% open rate") and do not export, sell, share, or otherwise act on per-recipient open/click data; we do not build per-recipient profiles. The underlying per-recipient rows are stored by Brevo on its EU infrastructure under our service agreement and are deleted together with your subscription record when you unsubscribe or we honour an erasure request. Unsubscribing stops further emails — and therefore further tracking — at the next campaign send. To suppress the pixel on a per-message basis, most email clients let you disable remote-image loading.

How to unsubscribe: every newsletter we send carries a one-click unsubscribe link in its footer. Clicking it stamps an "unsubscribed" timestamp on your backend record permanently — we will not re-add your address even on a later purchase, even if the post-purchase marketing-consent box is ticked again. You can also email us at privacy@clipcatalogpro.com to request unsubscribe or full deletion of your subscription record. All of the GDPR rights enumerated under GDPR (EEA/UK) below also apply to your subscription record (access, correction, deletion, portability, objection, complaint to a supervisory authority).

Retention: active subscription records are retained while you remain subscribed. The consent-audit fields (timestamps, anonymised IP, user-agent, policy version) are retained alongside your subscription record under our accountability obligation, for as long as we rely on your consent, and are deleted when your subscription record is deleted (for example, on an erasure request). Unsubscribe timestamps are retained as long as needed to honour your withdrawal of consent.

Download-link emails

ClipCatalog is a Windows desktop application that cannot be installed on a phone. To make it easier for visitors who discover us on a mobile device to install on a PC later, the website offers an "Email me the install link" form. Submitting the form sends you a single transactional email containing a link to the download page on your computer. This email is service information, not marketing.

Lawful basis (EEA/UK): performance of a pre-contractual measure taken at your request under GDPR Article 6(1)(b) — you asked us to send you the install link, and the email is the act of sending it.

For each request we store the email address and a timestamp on our backend (in a dedicated transactional-email audit table, separate from the marketing-list table described under Email subscriptions), used solely to (a) send the install-link email, (b) prevent abuse via a 24-hour per-email submission cap, and (c) preserve a consent-audit trail consistent with our other email flows (anonymised IP /24 or /48, user-agent, privacy-policy version, locale). We pass the email through the same ZeroBounce email-validity preflight described above; rejected addresses are not stored. The form is also protected by Cloudflare Turnstile (see Subprocessors above) to block automated submissions.

The install-link form does not offer marketing consent. The form's only output is the transactional install-link email; if you want occasional release notes, use the website's newsletter signup card on the changelog or download pages. The two flows are entirely separate — the install-link request never enters the marketing list and never appears in the data flow described under Email subscriptions.

Retention: the email address and timestamp are retained for the same window as our other transactional-email audit records — while needed to enforce the 24-hour cap and to honour your audit trail, and otherwise deleted in line with the email-list retention rules above.

Installation & device data (optional)

ClipCatalog uses an installation identifier to support licensing and activation management. If you opt in to telemetry/error reporting, we may also receive basic device/app information (for example: platform, OS version, CPU cores, RAM, architecture, model, distro, and app version).

If you opt out, we stop collecting and sending this optional telemetry and error reporting. Any data already collected is retained only as described in the Data retention section below.

App telemetry & error reporting (opt-in)

Telemetry and error reporting are disabled by default. If you enable them, we may process aggregate usage metrics and error/crash information to improve ClipCatalog and diagnose issues.

On first app start, ClipCatalog will ask whether you want to enable optional telemetry and error reporting. You can change this choice at any time in the app settings.

We do not use app telemetry to collect or upload your video content, thumbnails, tags, or transcripts.

When enabled, telemetry/error reporting may include the following categories of data:

  • Device & app basics: platform, app version, OS version, CPU cores, RAM, and similar high-level system information.
  • Coarse GPU metrics (Windows): counts/booleans and buckets such as number of adapters, integrated vs. discrete availability, selected GPU type (integrated/discrete), vendor bucket (for example: Intel/NVIDIA/AMD/Other), and VRAM size bucket. We do not need or intend to collect full GPU model names or hardware IDs for this optional telemetry.
  • Aggregate library statistics: totals such as number of videos, thumbnails, tags, transcription words, faces/people, directories/volumes, total duration, and total asset size. These are counts/aggregates only and do not include your file contents.
  • Aggregate usage/performance metrics: anonymized processing and search analytics (for example, stage timing and counts) to help us improve performance and reliability.
  • Error/crash diagnostics: error messages, stack traces, and structured diagnostic fields (where applicable) to help us identify and fix bugs. Please avoid including sensitive personal data in free-text error messages.

Update checks (non-identifying)

Independent of optional telemetry, every running copy of ClipCatalog periodically contacts our update-check endpoint so you can be notified of new versions and security fixes. These requests run at app start and every two hours thereafter, regardless of your telemetry choice.

Each update-check request carries aggregate-only fields in its query string: the currently installed app version, your interface language, a coarse OS label (for example win10, win11, mac, or linux), and a single token indicating your telemetry choice (granted, declined, or undecided). No installation ID, account identifier, or other per-user identifier is attached to these requests, and we do not retain client IP addresses from them.

Update-check records are kept for up to 30 days, matching the retention for other API logs (see Data retention below). Our lawful basis in the EEA/UK is legitimate interest under Article 6(1)(f) GDPR — providing security and feature updates is a service we owe you, and the accompanying aggregate signals let us measure distribution (OS mix, language mix, decline rate) without identifying individual users.

Security advisories (in-app notification channel)

Independently of the update check described above, ClipCatalog periodically fetches a public, static JSON feed published at https://clipcatalogpro.com/security/advisories/active.json to discover security advisories that affect your installed version. The fetch runs at app launch and roughly every 24 hours thereafter. When an advisory applies to the version you have installed, the app surfaces it as a red banner with a link to the full advisory page. This channel exists so that we can fulfil the obligation we will have under Article 14(8) of the EU Cyber Resilience Act (applicable from 11 September 2026) to inform you, without undue delay, about exploited vulnerabilities affecting your product — see our Security policy for the coordinated-disclosure context behind these advisories.

Each request is a plain anonymous HTTP GET to the URL above. What is not sent: no installation identifier, no licence key, no JWT, no telemetry, no list of advisories you have dismissed locally, and no per-user state of any kind. The request body is empty and the URL has no query string. We do not receive your video content, search history, tags, transcripts, or any other application data through this channel. The feed is served as a static file via Amazon CloudFront (see Server and access logs below for the IP-level processing inherent in any HTTPS request).

Lawful basis (EEA/UK): legitimate interest under GDPR Article 6(1)(f). Our balancing test: the only personal data processed is the IP address that your TCP/IP stack must transmit to reach our server; we do not use that IP to profile you, contact you, or correlate the fetch with any account; the IP appears only in the 30-day CloudFront access log described under Server and access logs; and the processing is necessary to operate the security-notification channel that the EU Cyber Resilience Act will require us to provide (from 11 September 2026) for your benefit. We do not ask for consent because consent is not the appropriate legal basis for a security-notification channel that protects your security.

Integrity and anti-tamper events

To protect the service and prevent abuse, ClipCatalog may send a minimal integrity event if it detects that the application has been modified or tampered with. This event is intended for security and may be sent even if optional telemetry/error reporting is disabled. It does not include your video content.

Server and access logs

Like most online services, we process server and access logs for security, reliability, and troubleshooting. This can include IP address, user agent, request metadata, and timestamps for website, download, and API access.

Website CDN access logs. Static content for both clipcatalogpro.com (the main website, which also hosts the security advisory feed described in Security advisories above) and download.clipcatalogpro.com (the installer and machine-learning model download mirror used by the app) is delivered through Amazon CloudFront. CloudFront writes access logs to a private S3 bucket; each log entry includes the source IP address, user-agent string, requested URI, HTTP response status, and timestamp. We retain these CloudFront access logs for 30 days, after which they are automatically deleted by an S3 lifecycle policy.

Our logs may also include identifiers you send to us (such as installation IDs, license keys or tokens) and data contained in telemetry and error reports. Please avoid including sensitive personal data in telemetry or error messages.

Update-check exception: requests to the update-check endpoint described in Update checks above are not accompanied by an IP address in our retained logs. The update-check endpoint is served by API Gateway (not CloudFront); API Gateway access logging is not enabled for it, and the application log entries for it do not record the client IP.

GDPR (EEA/UK)

If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation (GDPR):

  • Access: You may request a copy of the personal data we hold about you.
  • Correction: You may request that we correct inaccurate personal data.
  • Deletion: You may request that we delete your personal data, subject to legal requirements.
  • Restriction: You may request that we restrict processing of your personal data in certain cases.
  • Portability: You may request a copy of certain personal data in a portable format.
  • Objection: You may object to processing based on our legitimate interests in certain cases.
  • Withdraw consent: You may withdraw consent at any time (for example, analytics cookies via the cookie banner, optional app telemetry/error reporting via in-app settings, or the newsletter list via the unsubscribe link in any email — see Email subscriptions).
  • Supervisory authority: You have the right to lodge a complaint with a supervisory authority in your jurisdiction if you believe your data protection rights have been violated.

To exercise your rights, contact privacy@clipcatalogpro.com. We may ask you to verify your identity before responding.

Lawful bases (EEA/UK)

  • Contract: to provide licensing and activation functionality you request when you purchase ClipCatalog.
  • Legitimate interests: to keep our services secure and reliable, prevent abuse, respond to support requests, deliver software updates with the aggregate signals described in Update checks, and maintain newsletter-list deliverability hygiene (the hard-bounce counter described in Email subscriptions).
  • Consent: for Google Analytics cookies, optional app telemetry/error reporting (when enabled), and the opt-in newsletter list (see Email subscriptions & marketing list above).
  • Accountability obligation (Articles 5(2) and 7(1) GDPR): retention of consent-audit fields (timestamps, anonymised IP, user-agent, policy version tag) for the newsletter list, kept solely to demonstrate consent existed if asked.

California residents (CCPA/CPRA)

If you are a California resident, this section sets out the disclosures and rights provided under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"). The processing it describes is the same processing detailed in the sections above; the structure follows what is required by Cal. Civ. Code §§1798.100 and 1798.130.

We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we have not done so in the preceding 12 months.

Categories of personal information collected (as defined in Cal. Civ. Code §1798.140(v)):

  • Identifiers: email address, license key, Paddle customer ID, Paddle transaction ID, installation ID, and the IP address recorded in server/access logs (the update-check endpoint is excluded — see Update checks).
  • Commercial information: plan, license status, activation history, currency code, and amount paid; full enumeration under Licensing & purchase data.
  • Internet or other electronic activity: aggregate website-analytics signals (only after cookie consent), update-check query-string fields, user-agent strings recorded in server logs, Cloudflare Turnstile challenge signals collected on our behalf when you submit a protected website form (see Subprocessors), and, if you have enabled it, opt-in app telemetry and error reports.
  • Geolocation: country code received from Paddle as purchase metadata, and coarse country inference by Google Analytics from your IP address (after cookie consent). We do not collect precise geolocation.
  • Biometric information: see Sensitive personal information below — face recognition data is processed only on your local device and is not collected by us.
  • Inferences: none. We do not draw inferences from collected data to build profiles about you.
  • Encrypted local-catalog recovery key (paid licenses): when a paid license is activated, the app uploads an AES-256-GCM-encrypted copy of your local SQLCipher database key, decryptable only with your license key, so you can reopen your catalog after a Windows-account or PC migration. The escrowed copy is stored against your license on our AWS backend and is removed when you request account deletion.

We do not collect protected classifications, audio/visual/thermal information about you, professional or employment-related information, or education information.

Categories of sources:

  • Directly from you — when you provide your email, contact support, request a 14-day trial extension, sign up for the newsletter on this website, tick the marketing-consent checkbox on our post-purchase "Thank you" page after a Paddle checkout, or use the website's "Email me the install link" form (see Download-link emails).
  • Paddle, our Merchant of Record (independent controller), which forwards limited purchase metadata to us after a transaction completes — see Merchant of Record.
  • The ClipCatalog application installed on your device — installation identifier, license activation events, update-check pings, and (if enabled) telemetry and error reports.
  • ZeroBounce — an email-validity verdict returned at trial-extension, newsletter, or install-link signup time (see Email subscriptions).
  • Brevo (Sendinblue SAS) — bounce signals and a Brevo contact ID returned to keep our subscription state in sync with the newsletter platform.
  • Cloudflare — a Turnstile pass/fail verdict and timestamp returned for each protected website-form submission to confirm the request is human.

Business and commercial purposes for which personal information is collected and used:

  • Issuing and validating licenses, enforcing activation limits, and handling refunds and chargebacks.
  • Providing customer support and responding to enquiries.
  • Operating the opt-in newsletter (only for users who have opted in) and maintaining list deliverability hygiene.
  • Sending transactional service emails — for example, the install-link email when a mobile visitor uses the website's "Email me the install link" form (see Download-link emails).
  • Delivering software updates and security fixes via the update-check endpoint.
  • If you have enabled it, processing optional telemetry and error reports to improve the product.
  • Securing our services, preventing abuse (including the Cloudflare Turnstile challenge on website forms), and detecting integrity events.
  • Complying with legal, accounting, and tax obligations.

Categories of third parties and service providers to whom personal information is disclosed for the business purposes above (none of these disclosures constitute a "sale" or "sharing" under CCPA/CPRA):

  • Paddle — independent controller for purchase and payment data (see Merchant of Record).
  • Brevo (Sendinblue SAS) — service provider hosting the opt-in newsletter list and delivering campaign emails. Only opt-in subscribers are disclosed.
  • ZeroBounce — service provider performing email-validity preflight at trial-extension, newsletter, and install-link signup time.
  • Cloudflare (Turnstile) — service provider for anti-bot challenge on the website's email-submission forms; receives request metadata (IP, user-agent, session token), returns a pass/fail verdict.
  • Amazon Web Services — service provider hosting our backend, databases, and logs (primary region eu-west-1, Ireland). We use Amazon Simple Email Service (Amazon SES) in the same region (eu-west-1) as the channel for transactional email — license delivery after a Paddle purchase, install-link emails sent through the website's "Email me the install link" form, the trial-extension confirmation email, and the single T-3 reminder sent approximately three days before a 14-day trial expires.
  • Google Analytics — third-party analytics on this website, loaded only after cookie consent.
  • YouTube / Google LLC — embedded product-tour video player, loaded only after you enable "External media" in the cookie banner. Google receives your IP address, user-agent, referrer, and Google-account cookies (if you are signed in). Google determines its own purposes for that data — see Embedded video (YouTube) above for the full disclosure.

Sensitive personal information. ClipCatalog's optional face recognition feature processes biometric information, which CCPA/CPRA classifies as sensitive personal information. As described under Face recognition data (biometric) above, all face-related processing happens entirely on your local device; face embeddings, groupings, and metadata are stored only on your machine and are never transmitted to us or to any third party. We have no access to that data and do not collect it. No other category of "sensitive personal information" under §1798.140(ae) — government identifiers, financial-account access credentials, precise geolocation, racial or ethnic origin, religious beliefs, communications contents, genetic data, or health information — is collected by us. Because we do not collect or process sensitive personal information, the right to limit its use and disclosure has nothing to limit on our side; we honour the right by design.

Retention. We retain each category of personal information for the periods set out in Data retention.

Your rights as a California resident:

  • Right to know: request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes, and the categories of third parties to whom we disclosed it (Cal. Civ. Code §§1798.100, 1798.110, 1798.115).
  • Right to delete: request that we delete personal information we have collected from you, subject to the statutory exceptions in §1798.105(d) (e.g. completing a transaction, security, legal compliance).
  • Right to correct: request that we correct inaccurate personal information we maintain about you (§1798.106).
  • Right to data portability: receive personal information you provided to us in a portable, readily usable format (§1798.130(a)(2)).
  • Right to limit use of sensitive personal information: as set out under Sensitive personal information above, this right has no underlying processing to limit on our side (§1798.121).
  • Right to opt out of sale or sharing: we do not sell or share personal information, including for cross-context behavioural advertising, but the right exists under §1798.120 and we will record and honour any opt-out you submit.
  • Right to non-discrimination (§1798.125): we will not deny you goods or services, charge you a different price, or provide a different level or quality of service because you exercised any CCPA/CPRA right.

Verifiable consumer requests. To exercise any of these rights, email privacy@clipcatalogpro.com from the email address associated with your ClipCatalog purchase or newsletter subscription, and tell us which right you are exercising. Because we hold a limited dataset about each consumer, we verify identity by matching the requesting email against our records together with one or more additional identifiers you have already supplied us — for example, a license key, a Paddle transaction ID, or an installation ID. We respond within the 45-day window required by §1798.130(a)(2)(A), extendable once by a further 45 days with notice to you. If we cannot verify a request to the standard required by the CCPA/CPRA Regulations §7060 (a "reasonable degree of certainty" generally, or a "reasonably high degree of certainty" for deletion), we will tell you, ask for additional information, and decline the request with an explanation if verification still fails. An authorised agent may submit a request on your behalf with your written, signed permission, in line with CCPA/CPRA Regulations §7063.

Automated decision-making

We do not make automated decisions with legal or similarly significant effects based on your personal data. AI features in ClipCatalog (such as tagging, transcription, and face recognition) run locally on your device and are not used by us to make decisions about you.

Children's data

ClipCatalog is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, contact privacy@clipcatalogpro.com and we will delete it.

International transfers

Our backend services and the email-list infrastructure are hosted in the EEA, but some service providers we rely on are based outside the EEA/UK or may route data to non-EEA processing locations. The current picture:

  • Brevo / Sendinblue SAS (newsletter list) — EU-based; EU/EEA subscribers' data is processed on Brevo's EU infrastructure. No third-country transfer for this leg.
  • ZeroBounce (email-validity preflight) — we call ZeroBounce's EU-only endpoint (api-eu.zerobounce.net), so the email submitted on the 14-day extension form is processed within the EEA. ZeroBounce has US-based personnel who may have administrative access to their account/registration data; that third-country access is covered by our Standard Contractual Clauses with ZeroBounce, in addition to our written Article 28 GDPR Data Processing Agreement.
  • Paddle (Merchant of Record) — Paddle.com Market Ltd. is established in the UK with EU operations in Ireland, and Paddle Inc. operates in the US. As an independent controller (see Merchant of Record above), Paddle determines its own transfer mechanisms; for any non-EEA flows it relies on its published Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
  • Google Analytics (website analytics, US) — only loaded after you consent via the cookie banner. Transfers to Google in the US rely on Google's certification under the EU-US Data Privacy Framework; where that framework does not apply, on Google's published Standard Contractual Clauses.
  • YouTube / Google LLC (embedded product-tour video, US) — only loaded after you consent to the External media category via the cookie banner. The embed targets youtube-nocookie.com, Google's privacy-extended variant. Transfers to Google in the US rely on Google's certification under the EU-US Data Privacy Framework; where that framework does not apply, on Google's published Standard Contractual Clauses.
  • Hosting and backend providers — primary processing region is AWS eu-west-1 (Ireland); incidental data flows (e.g. SDK telemetry from AWS) rely on AWS's published Data Processing Addendum and Standard Contractual Clauses.
  • Cloudflare (Turnstile anti-bot widget) — Cloudflare is US-headquartered with EU data-processing locations. Turnstile is invoked only on the website's email-submission forms; transfers rely on Cloudflare's published Standard Contractual Clauses.

Where data flows leave the EEA/UK we rely on appropriate Article 46 GDPR safeguards (Standard Contractual Clauses, equivalent contractual protections, or — where applicable — adequacy frameworks such as the EU-US Data Privacy Framework). You can request copies of the relevant transfer documents by emailing privacy@clipcatalogpro.com.

Service providers (processors)

The following service providers process personal data on our behalf and under our written instructions, as processors within the meaning of GDPR Article 28. They may not use the data for their own purposes.

  • Hosting provider(s): hosting, storage, databases, and logs for our website and backend services.
  • Brevo (Sendinblue SAS): hosts our opt-in newsletter list and delivers campaign emails. Only opt-in subscribers (see Email subscriptions above) are shared with Brevo.
  • ZeroBounce: email-validity preflight at signup time, processed via the EU-only endpoint. Receives only the email you submitted on the trial-extension, newsletter, or install-link form; rejected addresses are not stored.
  • Cloudflare (Turnstile): anti-bot challenge for the website's email-submission forms. Receives request metadata; we receive only a pass/fail verdict.
  • Amazon SES (Amazon Web Services, Inc.): delivers transactional email — license keys, install-link emails, trial-extension confirmations, and trial-expiry reminders. Receives only the recipient address, sender, subject, and message body. Operates in our primary AWS region (eu-west-1 / Ireland) under the published AWS Data Processing Addendum and Standard Contractual Clauses for any incidental US administrative access. Lawful basis: GDPR Article 6(1)(b) (performance of the licensing contract, including pre-contractual measures such as the install-link request).
  • Google Analytics: website analytics (only after cookie consent).

Note: YouTube / Google LLC is not listed above because it is not a GDPR Article 28 processor for the embedded video — Google determines its own purposes for player data and acts as an independent controller, similar to Paddle for payments. See Embedded video (YouTube) above for that disclosure.

Merchant of Record (independent controller)

Paddle (Paddle.com Market Ltd., UK, or Paddle Inc., as applicable to the buyer's region) acts as our Merchant of Record for all ClipCatalog purchases. Under this arrangement, Paddle is the contractual seller toward the buyer and processes purchase and payment data as an independent controller — not a processor. Paddle determines its own purposes for that data, including know-your-customer (KYC) checks, fraud prevention, anti-money-laundering, tax compliance, and chargeback handling, and is independently subject to GDPR, UK GDPR, and other applicable data-protection laws.

After a transaction, Paddle shares limited buyer data with us under its privacy policy and the Paddle data-sharing arrangement: customer email address, country, currency code, amount paid, Paddle customer ID, Paddle transaction ID, and Paddle price ID. We process that received data as our own controller for license issuance, support, refund handling, and accounting (see Licensing & purchase data above).

Where you exercise rights that relate to Paddle's checkout or payment records (e.g. refunds, statutory rights of withdrawal, or GDPR rights toward Paddle's records), those requests are handled by Paddle directly under its own privacy policy.

Data retention

  • Google Analytics: 14 months (as configured in Google Analytics).
  • App telemetry and error reports: retained for up to 30 days for debugging, reliability, and security purposes.
  • API logs: typically retained for up to 30 days.
  • Website/download access logs: CloudFront access logs are retained for up to 30 days (see Server and access logs).
  • Licensing and purchase records: kept while needed to provide licensing, handle refunds/chargebacks and support, and comply with legal/accounting obligations.
  • Installations and activations: kept while needed for licensing/anti-abuse and support.
  • Email-list (consent) records: retained while your subscription record exists (while you are subscribed, plus the minimal record — including the unsubscribe timestamp — we keep after you unsubscribe to honour your withdrawal of consent). The consent-audit fields are deleted when your subscription record is deleted (for example, on an erasure request). See Email subscriptions.

Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities as required by applicable law (including GDPR Articles 33 and 34) without undue delay.

Changes to this policy

We may update this Privacy Policy. The "Last updated" date at the top reflects the most recent revision. Material changes affecting current subscribers will be announced via on-site notice; we may also request renewed consent when changes materially alter the basis on which data was collected.

Contact

For privacy questions, contact privacy@clipcatalogpro.com.