§ 00 / TRUST
Clikkin is a closed-source platform on our own infrastructure.
We publish what we can verify and we are explicit about what we don't yet do. This page is our honest disclosure surface — updated every quarter, and the first place we publish material changes to our security or transparency posture.
§ 01 / WHAT WE HOLD
What Clikkin's servers store, and what they don't.
- WHAT WE HOLD
- Email hash (for login). Verification status (boolean). Document HMAC (Sybil defence). Device fingerprint hash. IP risk score. Encrypted ciphertext of your coin wallet and badge locker. MLS-encrypted message ciphertext. All server-side metadata auto-deletes at 12 months.
- WHAT WE DON'T HOLD
- Face embeddings (these live on your device, never on our servers). Raw biometric data. Plaintext passport credentials. Plaintext phone numbers. User passwords. Admin decryption keys for member-operated spaces.
§ 02 / TRUST DEPENDENCIES
The third parties we extend trust to, named.
- DIDIT
- Identity verification (Passport activation). Government ID image, selfie, liveness data, and the derived ArcFace face embedding are processed by Didit during activation. Raw documents are deleted within 72 hours per the Data Processing Agreement. ISO 27001 / SOC 2.
- RAZORPAY (India) / STRIPE (US, EU, RoW)
- Subscription billing and member-side commerce. They process payment instruments we never see. PCI-DSS compliant. We share with them the transaction amount, the subscription state, and an opaque member identifier.
- REVENUECAT
- Subscription orchestration for App Store / Google Play in-app purchases. Wraps Apple and Google's IAP rails. We share with them an opaque member identifier and subscription state.
- HETZNER / CLOUDFLARE
- Infrastructure. Hetzner runs the application servers (Frankfurt); Cloudflare runs CDN, DDoS protection, and DNS. Our architecture is designed so that even full cloud-level compromise yields ciphertext, not plaintext — but availability and integrity depend on these providers.
- APPLE / GOOGLE
- Hardware-backed cryptography. The Secure Vault relies on Apple's Secure Enclave (iOS) or Google's StrongBox (Android) being correctly implemented. If these hardware primitives were compromised at the OEM level, the Vault's guarantees would degrade accordingly.
- YARASI ENTERPRISES PVT LTD
- Indian regional platform partner. Operates the Indian payment rail (Razorpay Route) under a Platform License Agreement from Clikkin LLC. May expand to Indian subscription sales for Plus and Enclave customers wanting Indian-jurisdiction contracts.
§ 03 / OUR COMMITMENTS
What we publish; what we don't yet do.
- QUARTERLY DISCLOSURES
- Service uptime, government data requests received (by jurisdiction), account actions under the platform-policy hard-line offence list, P1/P2 incident reports. First edition: Q4 2026, covering Q3.
- REPRODUCIBLE BUILDS
- Our Android client builds are deterministic from a documented build environment. Reviewers can request read access to the source repository at audit@clikkin.com, reproduce the build, and verify a bit-for-bit match against the Play Store APK. Verifier recipe target: H2 2026.
- RESPONSIBLE DISCLOSURE
- security@clikkin.com. Acknowledgement within 7 days, status update within 30 days, public credit on resolution (with reporter's permission), no legal action against good-faith researchers. We do not yet run a paid bug bounty programme — that's a post-revenue commitment.
- WHAT WE DON'T DO YET
- Third-party cryptographic audit (planned, not yet booked — pre-revenue). Paid bug bounty programme (not affordable pre-revenue; responsible-disclosure inbox in the meantime). Federation / ActivityPub / AT Protocol portability (not in roadmap — incompatible with the closed-loop coin economy). Self-hosting outside the Enclave tier (not in roadmap).
- WALLET BACKUP DISCLOSURE
- Your wallet ciphertext is mandatorily backed up to our servers. The cryptographic protection is real (24-word BIP-39 recovery phrase, Argon2id, AES-256-GCM, HSM wrap) — we cannot decrypt the ciphertext without your recovery phrase. But the physical custody of the encrypted blob is ours. This is the same posture as 1Password and Bitwarden ("zero-knowledge backup"), not the same as "your keys on your device only."
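To make that posture concrete, here is an added example (not Clikkin's code) of the zero-knowledge backup shape described above: the device derives the key from the recovery phrase and uploads only ciphertext, so custody of the blob alone decrypts nothing. It assumes a constructed record layout and, because Go's standard library has no Argon2id, uses PBKDF2-HMAC-SHA512 (BIP-39's own seed KDF) as a labelled stand-in; the HSM wrap is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
)

// Backup is all the server holds (constructed layout): salt, nonce, ciphertext.
type Backup struct{ Salt, Nonce, Ciphertext []byte }

// cipherFor derives a 32-byte key from the recovery phrase and returns an
// AES-256-GCM AEAD. Stand-in KDF: PBKDF2-HMAC-SHA512 (BIP-39's own seed KDF)
// instead of the page's Argon2id; one PBKDF2 block suffices since 32 <= 64.
func cipherFor(phrase string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha512.New, []byte(phrase))
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := mac.Sum(nil)
	key := append([]byte{}, u...)
	for i := 1; i < 2048; i++ { // 2048 iterations, as BIP-39 specifies
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key[:32]) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal runs on the member's device; only the returned Backup is uploaded.
func Seal(phrase string, wallet []byte) Backup {
	b := Backup{Salt: make([]byte, 16)}
	rand.Read(b.Salt)
	g := cipherFor(phrase, b.Salt)
	b.Nonce = make([]byte, g.NonceSize())
	rand.Read(b.Nonce)
	b.Ciphertext = g.Seal(nil, b.Nonce, wallet, b.Salt) // salt bound as AAD
	return b
}

// Open fails for a wrong phrase or a modified blob: GCM's tag check is what
// makes custody of the blob yield "ciphertext, not plaintext".
func Open(phrase string, b Backup) ([]byte, error) {
	return cipherFor(phrase, b.Salt).Open(nil, b.Nonce, b.Ciphertext, b.Salt)
}
```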
§ 04 / DATA RESIDENCY
Where the data physically sits.
Clikkin's primary application servers are in Hetzner Frankfurt (Germany / EU). Static content is served via Cloudflare's global edge network. Indian payment data routes through Razorpay's Indian data residency. US, EU, and RoW payment data routes through Stripe (US data residency under Stripe's standard infrastructure). Didit's Indian data residency on AWS ap-south-1 is contingent on Didit GA in that region — until confirmed, Indian users' KYC may transit Didit's primary EU infrastructure.
We're targeting Enterprise data residency (relocate Passport-verified data to the user's jurisdiction) as a 2027+ feature, matching Notion's enterprise pattern. Year 1 posture is single primary region with tokenization.
§ 05 / GEO DETECTION PRIVACY
How we detect your country for currency display.
We read your country from the Cloudflare edge (your IP address resolves to a country via MaxMind's GeoIP database — the same database every commercial GeoIP service uses). The detection happens at our CDN edge and is never logged to any persistent store. The detected country is stored only as a cookie on your device, used to render the right currency and pricing tier on these pages.
You can override the detected country at any time in the footer language/currency switcher. The override is likewise persisted only as a cookie on your device.