Plain-English summary
Short version: Clientlink is a tool you use to run your business. Your customer data is yours. We process it to run the platform, we don't sell it, we don't use it to train AI models for other customers, and you can export or delete all of it at any time with one click.
This policy is the formal version. Read it if you're due-diligencing us, doing a security review, or you just like reading privacy policies. Otherwise the callout above covers 90% of it.
Who this applies to
This Privacy Policy applies to Clientlink, Inc. ("Clientlink", "we", "us"), a Delaware corporation headquartered at 548 Market St, Suite 92810, San Francisco, CA 94104. It covers:
- Visitors to
clientlink.ioand our marketing surfaces ("Visitors") - People who book demos, fill in lead forms, or contact us ("Prospects")
- People with a login to a Clientlink workspace ("Users")
- End users whose data is processed in a customer's workspace ("End Users")
For Users and Visitors, Clientlink is the data controller. For End User data inside a workspace, the customer is the controller and Clientlink is the data processor — your DPA with us governs that relationship.
Data we collect
Information you give us
- Account information — name, email, password hash, company, role.
- Billing information — handled by Stripe; we store the last 4 digits of your card and your billing address.
- Customer data — anything you import into your workspace (contacts, deals, conversations, content). You own it. We process it on your instructions.
- Communications — your support tickets, demo notes, and any feedback you send us.
Information we collect automatically
- Product analytics — pages viewed, features used, performance metrics. Aggregated; not used to identify End Users.
- Device & log data — IP, user agent, referrer, timestamps. Retained 90 days.
- Cookies & local storage — see Cookies & tracking.
How we use it
We use the data we collect for six purposes and six purposes only:
- To provide the platform — sending email on your instructions, storing your contacts, processing payments.
- To secure the platform — detecting abuse, preventing fraud, responding to incidents.
- To support you — answering questions, fixing bugs, running your migration.
- To improve the product — aggregated analytics on which features get used and where things break.
- To contact you — about your account, security, and (if you opted in) product updates.
- To meet our legal obligations — tax, audit, valid legal process.
Things we do not do: sell your data. Share it with advertisers. Use customer data in your workspace to train any AI model that touches another customer. Build "intent data" products from your traffic. We've never done these things and we never will.
Who we share with
We share data with three categories of recipient, and no one else:
Sub-processors
Vendors we hire to operate the platform. We keep the list public and notify customers of changes 30 days in advance.
| Sub-processor | Purpose | Region |
|---|---|---|
| AWS | Compute, storage, DBs | US / EU / AU |
| Stripe | Payment processing | US |
| Twilio | SMS & voice infrastructure | US / EU |
| SendGrid | Transactional email delivery | US |
| Anthropic | AI Compose & AI lead scoring | US |
| Datadog | Application performance monitoring | US |
| Linear | Internal issue tracking | US |
The current list lives at clientlink.io/subprocessors and is the source of truth.
Service providers acting on your instructions
If you connect an integration — Stripe, Shopify, QuickBooks, etc. — we share the data necessary to make that integration work, only when triggered by you or your workflows.
Legal recipients
We respond to valid legal process. We notify the affected customer before producing data unless the request comes with a gag order or notification would obstruct an investigation. We publish a Transparency Report annually.
Cookies & tracking
We use cookies in three categories:
- Strictly necessary (always on): session, CSRF, security. Cannot be disabled.
- Functional: remembering your preferences (timezone, language, sidebar collapsed). On by default; you can disable in your cookie settings.
- Analytics: aggregated product usage. Off by default for visitors in the EU/UK/Switzerland (opt-in). On by default elsewhere (opt-out).
We do not run third-party advertising trackers. No Facebook Pixel, no Google Ads tag, no LinkedIn Insight Tag.
Your rights
Regardless of where you live, you can:
- Access your data — one-click CSV export of everything, anytime, in your workspace settings.
- Correct it — directly in the product, or by emailing privacy@clientlink.io.
- Delete your account and all associated data — one-click in settings; we hard-delete within 30 days.
- Restrict or object to specific processing — email privacy@clientlink.io; we respond within 7 days.
- Port your data — CSV (always free) or JSON via the API.
- Withdraw consent at any time for processing based on consent.
Residents of California (CCPA/CPRA), the EU/UK (GDPR), Brazil (LGPD), and equivalent regimes have additional rights enumerated in the schedules at clientlink.io/privacy/regional. We honor those rights regardless of where you live — that's our floor.
Retention
We retain different categories of data for different lengths of time:
| Category | Retention |
|---|---|
| Customer data in active workspace | For as long as the workspace exists |
| Customer data after account deletion | Hard-deleted within 30 days |
| Backups | Encrypted; rolled off within 35 days |
| Application logs | 90 days |
| Billing & tax records | 7 years (legal requirement) |
| Support conversations | 2 years |
Security
Encryption at rest (AES-256), in transit (TLS 1.3), customer-managed keys on Scale. SOC 2 Type II audited annually with a clean 2026 report. SAML SSO, SCIM, role-based access control, audit log. Bug bounty active at HackerOne. Full details on our Security page.
International transfers
Our customers are global. If you're an EU/UK customer, we rely on the EU Standard Contractual Clauses (2021 modules) plus a Data Processing Addendum, with US/EU/AU data residency options on Scale. The DPA is auto-attached to every order form and is also downloadable at clientlink.io/dpa.
Children
Clientlink is a B2B platform. We do not knowingly collect data from anyone under 16. If a workspace owner imports a list that contains the data of minors, that's a contractual breach — let us know at privacy@clientlink.io and we'll help unwind it.
Changes to this policy
We'll post material changes here and email Users at least 30 days before they take effect. The "Last updated" date at the top is canonical. Past versions are archived at clientlink.io/privacy/archive.
How to reach us
Privacy questions, DSAR requests, complaints: privacy@clientlink.io. We reply within 7 calendar days.
For EU/UK customers, our representative under Article 27 GDPR is VeraSafe Ireland Ltd, Unit 3D, North Point House, North Point Business Park, New Mallow Road, Cork, T23 AT2P, Ireland.
Our Data Protection Officer is Sara Kowalski, VP Finance & Operations · dpo@clientlink.io.
Clientlink, Inc. · 548 Market St, Suite 92810, San Francisco, CA 94104, USA · © 2026.