Last Updated: June 23, 2026
This privacy notice for Clipto, Inc. (“Company,” “we,” “us,” or “our”) describes how and why we might collect, store, use, and/or share (“process”) your information when you use our services (“Services”), such as when you:
Visit our website at https://www.clipto.com
Download and use our mobile applications (Clipto for iOS and Android) or our Windows application
Engage with us in other related ways, including any sales, marketing, or events
Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you have any questions, contact us at support@clipto.com.
This summary provides key points from our privacy notice. You can find more details about any of these topics by clicking the section in the Table of Contents below.
What personal information do we process? When you use our Services, we process personal information depending on how you interact with Clipto, the choices you make, and the features you use. This may include audio recordings, transcripts, email address, account ID, device advertising identifiers, purchase history, and crash diagnostics. See Section 2.
Do we process sensitive personal information? Audio recordings you upload may contain sensitive content depending on what you choose to record. We treat audio content as confidential and never share it with advertisers. See Section 2.2.1.
Do we receive information from third parties? Only basic attribution data (e.g., install source) from our advertising and analytics SDKs. We do not buy data from data brokers.
How do we process your information? To provide and improve our Services, communicate with you, prevent fraud, measure advertising effectiveness, and comply with law. We process information only when we have a valid legal reason. See Section 5 and Section 6.
With whom do we share personal information? Only with trusted service providers (Adjust, AppsFlyer, Firebase, Sentry, Google Play Billing, Apple StoreKit) for specific, contractually limited purposes. We do not sell your data. See Section 4 and Section 7.
How do we keep your information safe? TLS encryption in transit, encryption at rest, access controls, and regular security reviews. No system is 100% secure. See Section 13.
What are your rights? Depending on your location, you may have rights to access, correct, delete, restrict, port, or object to processing — and to withdraw consent. See Section 8 and Section 9.
How do you exercise your rights? Email support@clipto.com with the appropriate subject line tag. We respond within the legally required timeframe. See Section 17.
1. Scope and Controller
2. Information We Collect
3. Permissions Requested by the Mobile App
4. Third-Party SDKs (Mobile App)
5. How We Use Your Information
6. Legal Basis for Processing (GDPR / UK GDPR / POPIA)
7. Data Sharing and Disclosure
8. Your Privacy Rights and Choices
9. Jurisdiction-Specific Disclosures
10. Cookies and Tracking on Our Website
11. Do-Not-Track Controls
12. Data Retention
13. Data Security
14. Children’s Privacy
15. International Data Transfers
16. Changes to This Privacy Policy
17. Contact Us
This Privacy Policy applies to all services provided by Clipto, Inc., including our website at www.clipto.com, our applications for Android, iOS, and Windows, and any related features, tools, or communications (collectively, the “Service”).
Clipto, Inc. is the data controller for all personal data collected through the Service.
| Company Name | Clipto, Inc. |
|---|---|
| Registered Address | 425 Page Mill Rd, 2nd Floor #2065, Palo Alto, CA 94306, United States |
| Contact Email | support@clipto.com |
For all matters relating to your personal data — including data subject requests, complaints, and questions about this policy — please contact us at support@clipto.com. To help us route your request correctly and respond within the legally required timeframe, please include the relevant subject line tag (e.g., “GDPR Request”, “CCPA Opt-Out”). See Section 17 for the full list of subject line tags.
For users in the Republic of Korea (PIPA): The designated Personal Information Protection Manager can be reached at support@clipto.com.
For users in South Africa (POPIA): Our Information Officer can be reached at support@clipto.com.
For EU/UK users (GDPR): We have not appointed a formal Data Protection Officer under Art. 37 GDPR because our processing activities do not meet the mandatory appointment threshold. Our privacy team handles all data protection inquiries at support@clipto.com.
We collect different categories of personal information depending on whether you use our website or our mobile app.
When you visit our website, we automatically collect certain standard usage data:
IP address and approximate geolocation (country/city level).
Browser type, version, and language.
Operating system and device type.
Pages visited, time spent, clicks, and referral URLs.
Cookies and similar tracking technologies — we use cookies to remember your preferences, analyse site traffic, and improve user experience. You can manage cookie preferences via your browser settings.
We also collect information you voluntarily provide through web forms, such as:
Email address when you sign up for newsletters, download resources, or contact support.
Name and other contact details if you fill out a demo request or feedback form.
When you use Clipto’s mobile apps (iOS and Android), we collect the following categories of personal information to deliver core functionality, analytics, and advertising attribution.
Data elements: User-recorded or imported audio files (meetings, voice memos, etc.).
Purpose: App Functionality — transmitting audio to our cloud AI engine for transcription and storing transcribed notes for cross-device sync.
Collection method: User-triggered (tap “record” or select a local file).
Scope of use: Exclusively for transcription, note storage, and user-accessible notebooks.
Sensitive content note: Depending on what you choose to record, audio may contain sensitive personal information (e.g., health discussions, legal conversations). We treat all audio content as confidential and never share it with advertisers, analytics vendors, or any third party outside the limited service providers listed in Section 4.
Data elements: Registration email address; system-generated unique Account ID.
Purpose: Account Management — registration, login, password recovery, and linking Pro membership to the user account.
Collection method: User-provided during sign-up/login.
Scope of use: Account system, entitlement verification, and (when necessary) service notifications.
Data elements: Google Advertising ID (GAID) on Android; Identifier for Advertisers (IDFA) on iOS.
Purpose: Advertising or Marketing — attribution of ad campaigns, conversion tracking (click-to-install); Analytics — daily active user statistics.
Collection method:
Android: Automatically collected by third-party SDKs (Adjust, AppsFlyer) upon app launch or key events, subject to the runtime AD_ID permission (Android 13+).
iOS: Collected only after the user grants permission via Apple’s App Tracking Transparency (ATT) prompt. See Section 3.2 for details.
Scope of use: Only within trusted analytics/attribution platforms; never shared with ad networks for cross-platform profiling.
Data elements: In-app purchase receipts, subscription tokens.
Purpose: App Functionality & Account Management — validating and activating Pro features; Advertising or Marketing — sending purchase events to Adjust/AppsFlyer to measure ROI and LTV.
Collection method: Collected automatically upon successful purchase.
Scope of use: Backend validation and aggregated advertising performance measurement.
Data elements: Stack traces, device model, OS version, launch timings, ANR events, and error logs.
Purpose: Monitoring app stability, debugging, and performance optimisation.
Collection method: Auto-uploaded by crash-reporting and analytics SDKs (Sentry, Firebase Crashlytics) when an error occurs or on app launch.
Scope of use: Internal R&D diagnostics only; never combined with advertising profiles.
Data elements: Country/region inferred from IP address only. We do not access device GPS or precise location.
Purpose: Regional compliance routing, language defaults, and aggregate analytics.
Collection method: Derived from network traffic.
The Clipto Android app requests the following permissions. Each is requested only when needed for the listed purpose, and you may revoke any runtime permission at any time via your device settings.
| Permission | Android Manifest Name | Purpose Category | Why We Need It |
|---|---|---|---|
| Microphone / Audio Recording | android.permission.RECORD_AUDIO | App Functionality | Allows users to record meetings or voice memos in-app, which are then transcribed to text. |
| Audio Media Access (Android 13+) | android.permission.READ_MEDIA_AUDIO | App Functionality | Allows users to import existing local audio files (e.g., MP3, M4A) for transcription. |
| External Storage Read (Android ≤ 12) | android.permission.READ_EXTERNAL_STORAGE (maxSdkVersion=28) | App Functionality | Legacy compatibility for importing audio files on older Android versions. On modern Android, the Storage Access Framework is used instead. |
| Notifications (Android 13+) | android.permission.POST_NOTIFICATIONS | App Functionality / Developer Communications | Notifies users when long-running transcription jobs complete, or when subscription status changes. |
| Advertising ID | com.google.android.gms.permission.AD_ID | Advertising or Marketing / Analytics | Reads the Google Advertising ID (GAID) for ad attribution and conversion measurement, subject to user consent. |
| Internet | android.permission.INTERNET | App Functionality | Required for uploading audio for AI transcription and syncing notes to the cloud. |
| Network State | android.permission.ACCESS_NETWORK_STATE | App Functionality | Detects network availability to manage uploads and offline behavior. |
| Billing | com.android.vending.BILLING | App Functionality / Account Management | Processes in-app subscription purchases via Google Play Billing. |
The Clipto iOS app requests the following permissions through iOS system prompts. You may grant or deny each, and change your choice at any time in iOS Settings → Clipto.
| Permission | iOS Usage Description Key | Purpose Category |
|---|---|---|
| Microphone | NSMicrophoneUsageDescription | App Functionality |
| Notifications | (UNUserNotificationCenter) | App Functionality / Developer Communications |
| Tracking (ATT) | NSUserTrackingUsageDescription | Advertising or Marketing / Analytics |
App Tracking Transparency (ATT)
Apple requires apps to obtain user permission before tracking activity across apps and websites owned by other companies. In compliance with Apple’s policy, the Clipto iOS app displays the ATT prompt before any advertising attribution SDK accesses your IDFA.
What we ask: Permission to access your device’s IDFA (Identifier for Advertisers) for ad attribution and campaign measurement.
If you allow (“Allow Tracking”): Your IDFA, together with install and purchase events, is shared with our attribution providers (Adjust, AppsFlyer) to measure ad effectiveness, attribute installs, and compute campaign ROI/LTV.
If you decline (“Ask App Not to Track”): We will not collect or share your IDFA. The app continues to function normally; ad attribution falls back to Apple’s privacy-preserving aggregated mechanisms (SKAdNetwork / AdAttributionKit), which do not identify individual users.
How to change your choice: You can revoke or re-grant tracking permission at any time in iOS Settings → Privacy & Security → Tracking, or globally disable tracking requests via the same menu.
We do not access your contacts, photo library, calendar, location, or any other iOS data sources beyond those listed above.
The following third-party services receive certain categories of data as described below. Each is contractually bound to process data only for our specified purposes.
| SDK / Vendor | Purpose | Data Received |
|---|---|---|
| Adjust (Adjust GmbH) | Ad attribution, conversion measurement, LTV calculation | GAID/IDFA (when consented), IP address, purchase events, install/uninstall events, device model |
| AppsFlyer (AppsFlyer Ltd.) | Ad attribution, marketing analytics | GAID/IDFA (when consented), IP address, purchase events, install events, device model |
| Google Firebase / Crashlytics (Google LLC) | Crash reporting, app analytics, push notifications | Crash stack traces, device model, OS version, anonymized usage events, installation ID |
| Sentry (Functional Software, Inc.) | Error tracking and performance monitoring | Stack traces, device model, OS version, anonymized session metadata |
| Google Play Billing (Google LLC) | Android subscription purchase processing | Purchase tokens, subscription status |
| Apple StoreKit (Apple Inc.) | iOS subscription purchase processing | Purchase receipts, subscription status |
| Cloud AI Transcription Engine (Clipto-operated) | Speech-to-text transcription | Uploaded audio files, transcripts |
We do not share your audio recordings, transcripts, or notebook contents with any of the advertising or analytics vendors listed above. Audio and transcript data are processed only by our own backend infrastructure and our self-operated AI transcription engine.
The categories of third parties we may share data with, in general terms, include: cloud computing services, data analytics services, ad attribution and measurement platforms, payment processors, crash reporting tools, and customer support tools.
We process personal information for the following purposes:
To provide and maintain the Service — including account management, audio transcription, note synchronisation, and website navigation.
To improve and optimise — analysing usage trends, fixing bugs, and enhancing performance.
For advertising and marketing — measuring ad effectiveness, attributing installs, and optimising campaigns (using GAID/IDFA and purchase events, never audio or note content).
To communicate with you — sending service updates, notifications, and support responses.
To prevent fraud and ensure security — monitoring for abuse, unauthorized access, and protecting users.
To comply with legal obligations — responding to lawful requests from regulators or law enforcement.
For users in the EU, UK, and South Africa, we rely on the following legal bases under GDPR Article 6(1) and POPIA § 11 for each category of processing:
| Processing Activity | Legal Basis | Reference |
|---|---|---|
| Audio recording, transcription, and note storage | Performance of a contract | Art. 6(1)(b) GDPR |
| Account registration, login, password recovery | Performance of a contract | Art. 6(1)(b) GDPR |
| Subscription billing and Pro entitlement validation | Performance of a contract | Art. 6(1)(b) GDPR |
| Sending transactional emails (purchase receipts, password resets) | Performance of a contract | Art. 6(1)(b) GDPR |
| Advertising attribution and conversion measurement (GAID/IDFA, install events) | Consent (via ATT on iOS / Android AD_ID permission) | Art. 6(1)(a) GDPR |
| Marketing communications (newsletters, product updates) | Consent | Art. 6(1)(a) GDPR |
| Crash logs, performance monitoring, app stability | Legitimate interests (ensuring product reliability) | Art. 6(1)(f) GDPR |
| Fraud prevention and security monitoring | Legitimate interests (protecting our users and service) | Art. 6(1)(f) GDPR |
| Aggregate analytics (DAU, retention) | Legitimate interests (improving product) | Art. 6(1)(f) GDPR |
| Responding to regulators, court orders, tax records | Legal obligation | Art. 6(1)(c) GDPR |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal. Where we rely on legitimate interests, you have the right to object — see Section 8 below.
We do not sell your personal information to third parties, and we have not done so in the preceding twelve (12) months.
We may share your information only in these circumstances:
Service Providers: With trusted vendors who process data on our behalf (see Section 4 for the complete list). They are contractually bound to process data only for our specified purposes and may not share it with anyone except us.
Legal Reasons: If required by law, court order, or governmental request, or to protect our rights or safety.
Business Transfers: In connection with a merger, sale of company assets, financing, or acquisition of all or a portion of our business, subject to confidentiality protections.
With Your Consent: For any other purpose after obtaining your explicit consent.
We never share your audio recordings, transcripts, or notebook contents with advertisers or external marketing platforms.
Depending on your jurisdiction, you may have the following rights:
Right of access — request a copy of the personal data we hold about you.
Right to rectification — correct inaccurate or incomplete data.
Right to erasure (“right to be forgotten”) — request deletion of your data.
Right to restriction of processing — request that we limit processing in certain situations.
Right to data portability — receive your data in a structured, machine-readable format.
Right to object — object to processing based on legitimate interests, including direct marketing.
Right not to be subject to automated decision-making — including profiling that produces legal or similarly significant effects.
Right to withdraw consent — at any time, where processing is based on consent.
Right to opt out of advertising attribution:
On iOS: change tracking permission in Settings → Privacy & Security → Tracking.
On Android: delete or reset your advertising ID in Settings → Privacy → Ads → Delete advertising ID.
You may also email us to request opt-out.
Right to opt out of marketing emails — click the “unsubscribe” link in any marketing email, or email us. You will still receive transactional service messages.
Right to non-discrimination — we will not deny you services, charge different prices, or provide a different level of quality because you exercised your rights.
To exercise any right, contact support@clipto.com with the appropriate subject line tag (see Section 17).
Response time: Generally 30 days under GDPR; 45 days under U.S. state privacy laws (extendable once by 45 additional days when reasonably necessary, with notice).
Identity verification: To protect your data, we must verify your identity before fulfilling certain requests. We will ask you to provide information we can match against what is already in our system (e.g., the email address associated with your account). For more sensitive requests (e.g., data export, deletion), we may contact you through a previously verified communication channel. We will only use information you provide to verify your identity and will delete it once verification is complete.
Authorized agents: You may designate an authorized agent to submit a request on your behalf. We may deny the request if the agent does not submit proof of valid authorization. The agent must also provide proof of your identity, and we may contact you directly to confirm authorization.
Account deletion: You may close your account at any time by emailing us with “Account Deletion” in the subject line, or via the account settings within the app. Upon closure, your audio recordings, transcripts, and notes will be deleted within 30 days, subject to legal retention requirements.
In addition to the rights listed in Section 8, EU, UK, and Swiss residents have the following:
International data transfers: When we transfer your data outside the EEA/UK/Switzerland (primarily to the United States), we rely on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum as the legal mechanism, supplemented by technical measures (TLS encryption, access controls).
No mandatory DPO: As stated in Section 1, we have not appointed a formal DPO under Art. 37 GDPR. Our privacy team at support@clipto.com handles all GDPR inquiries.
To exercise any right, email support@clipto.com with “GDPR Request” in the subject line.
California residents have the right to know what personal information we collect, disclose, or “sell” (we do not sell), and to request access, deletion, correction, or to limit the use of sensitive personal information.
Categories of personal information collected in the preceding 12 months: identifiers (email, account ID, GAID/IDFA), internet/network activity, geolocation (country-level), commercial information (purchase history), audio/electronic information (recordings, transcripts), and inferences (aggregate usage patterns).
Categories of third parties with whom we share for a business purpose: ad attribution platforms (Adjust, AppsFlyer), crash reporting (Sentry, Firebase), payment processors (Google, Apple). We have not sold personal information in the preceding 12 months.
Right to opt out of cross-context behavioural advertising: email us with “CCPA Opt-Out” in the subject line.
Shine The Light (Cal. Civ. Code § 1798.83): Once per year, California residents may request information about categories of personal information disclosed to third parties for direct marketing purposes and the names and addresses of those third parties. Email us with “Shine The Light Request” in the subject line.
Under-18 removal right (Cal. Bus. & Prof. Code § 22581): If you are a California resident under 18 with a registered Clipto account, you may request removal of content you publicly posted on our Service. Email us with “California Minor Removal Request” in the subject line and include the email associated with your account. Note that removal may not be complete or comprehensive across all systems (e.g., backups).
Right to non-discrimination: We will not discriminate against you for exercising any CCPA right.
Residents of these U.S. states have rights similar to those in CCPA, including access, correction, deletion, portability, and opt-out of targeted advertising. The categories of data processed are: identifiers (email, account ID, GAID/IDFA), device/technical data, commercial information (purchase history), and audio/content data. We share GAID/IDFA and purchase events with Adjust and AppsFlyer (service providers), but we do not sell data.
Response time: We will respond to verifiable consumer requests within forty-five (45) days. The response period may be extended once by 45 additional days when reasonably necessary, with notice to you.
Right to appeal (VCDPA, CPA, CTDPA, MCDPA, TDPSA, OCPA): If we decline to take action on your request, you may appeal our decision by emailing us with “Privacy Appeal” in the subject line. We will respond within sixty (60) days with a written explanation. If your appeal is denied, you may contact your state Attorney General.
To exercise rights, email support@clipto.com with your state’s tag in the subject line (e.g., “VCDPA Request”, “CPA Request”).
We collect basic personal data (email, internal ID, GAID/IDFA, crash logs) and may process sensitive personal data (audio recordings, which can contain sensitive information depending on what you record). You have the rights under Art. 18 of LGPD, including access, correction, anonymisation, portability, and withdrawal of consent.
To exercise, email support@clipto.com with “LGPD Request”.
In compliance with PIPA Art. 30, our Personal Information Protection Manager is reachable at support@clipto.com. Categories of data processed, retention periods, and your rights (access, correction, deletion, suspension of processing) are described in Sections 2, 8, and 12 of this policy.
For users in Mainland China, we process personal information in accordance with PIPL. Categories of data, purposes, retention, and your rights (access, copy, correction, deletion, withdrawal of consent, and portability) are described above. Cross-border transfers from China are conducted in accordance with the applicable security assessment, standard contract, or certification mechanism. To exercise rights, email support@clipto.com with “PIPL Request”.
Our Information Officer can be reached at support@clipto.com. You have the rights under POPIA to access, correct, delete, and object to processing of your personal information, and to lodge a complaint with the Information Regulator.
We process personal information in accordance with the Act on the Protection of Personal Information. You have the rights to disclosure, correction, deletion, and to request suspension of use. To exercise, email support@clipto.com with “APPI Request”.
Our website uses cookies and similar technologies (web beacons and pixels) to:
Enable essential site functions.
Analyse traffic and user behaviour (via Google Analytics).
Remember your preferences.
You can manage cookie settings through your browser.
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (“DNT”) feature or setting that you can activate to signal your privacy preference. At this time, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other automated mechanism communicating your choice not to be tracked online. If a uniform standard is adopted in the future, we will update our practices and inform you in a revised version of this policy.
For California residents, we honor the Global Privacy Control (GPC) signal as an opt-out of “sale” and “sharing” for cross-context behavioural advertising purposes. When we detect a GPC signal from your browser, we treat it as a valid opt-out request.
We retain personal data only as long as necessary to fulfil the purposes outlined in this policy:
| Data Category | Retention Period |
|---|---|
| Audio recordings and transcripts | Retained until you delete them or close your account; deleted within 30 days of account closure |
| Account information (email, ID) | Duration of account + up to 90 days after closure for legal/security purposes |
| Purchase records | 7 years for tax and audit compliance |
| Crash logs and diagnostics | 90 days |
| Marketing attribution data (GAID/IDFA-linked) | 24 months |
| Support correspondence | 3 years from last contact |
When data is no longer needed, we securely delete or anonymise it. Where deletion is not immediately possible (e.g., backup archives), we securely isolate the data from further processing until deletion is feasible.
We implement HTTPS/TLS encryption in transit, encryption at rest for stored audio and transcripts, access controls, and regular security reviews to protect your data. However, no online service is 100% secure; we cannot guarantee absolute security. In the event of a data breach involving your personal data, we will notify you and the relevant supervisory authorities as required by applicable law (e.g., within 72 hours under GDPR Art. 33).
You should only access the Services within a secure environment.
The Service is not intended for children under 13 (or the applicable age of digital consent in your jurisdiction, e.g., 16 in some EU member states under GDPR Art. 8). We do not knowingly collect children’s personal data. If we learn that personal information from a user under the applicable age has been collected, we will deactivate the account and take reasonable measures to delete the data from our records.
If you believe we have collected information from a child, please contact us immediately at support@clipto.com with “Children’s Privacy” in the subject line.
Your data may be transferred to and processed in countries outside your residence, including the United States. These countries may not have data protection laws as comprehensive as those in your country, but we will take all necessary measures to protect your data in accordance with this policy and applicable law.
Transfers from the EU/UK/Switzerland: We use the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum.
Transfers from China: We comply with applicable PIPL cross-border transfer mechanisms (security assessment, standard contract, or certification, as applicable).
Other jurisdictions: Equivalent safeguards apply.
Copies of our Standard Contractual Clauses can be provided upon request to support@clipto.com.
We may update this policy from time to time. The updated version will be indicated by an updated “Last Updated” date at the top, and will be effective as soon as it is accessible. If we make material changes, we will provide additional notice (e.g., in-app banner, prominent website notice, or email). We encourage you to review this policy periodically.
For all privacy-related inquiries, requests, and complaints:
📞 +1 724 208 6886
📬 Clipto, Inc. 425 Page Mill Rd, 2nd Floor #2065 Palo Alto, CA 94306 United States
To help us route your request and respond within the legally required timeframe, please include the relevant tag in your email subject line:
| If you are exercising rights under… | Use Subject Line Tag |
|---|---|
| GDPR (EU) / UK GDPR / FADP (Switzerland) | GDPR Request |
| CCPA / CPRA (California) | CCPA Request or CCPA Opt-Out |
| California Shine The Light Law | Shine The Light Request |
| California Minor Content Removal | California Minor Removal Request |
| VCDPA / CPA / CTDPA / UCPA / TDPSA / OCPA / MCDPA (other U.S. states) | [State Abbreviation] Request (e.g., VCDPA Request) |
| Privacy Appeal (after a denied U.S. state request) | Privacy Appeal |
| LGPD (Brazil) | LGPD Request |
| PIPA (South Korea) | PIPA Request |
| PIPL (China) | PIPL Request |
| POPIA (South Africa) | POPIA Request |
| APPI (Japan) | APPI Request |
| Account Deletion | Account Deletion |
| Children’s Privacy Concern | Children’s Privacy |
| General privacy questions | Privacy Inquiry |
We will acknowledge your request within 10 business days and provide a substantive response within the legally required timeframe (generally 30 days under GDPR; 45 days under U.S. state privacy laws).