Clicky and Data Protection – What Belongs in the Privacy Policy
Concise guide to Clicky: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
Clicky is a web analytics tool for real-time user analyses. Operators of websites using Clicky must adapt their privacy policy accordingly. This guide shows what content is required and how to correctly document Clicky data protection.
A. Purpose and Function of Clicky
Clicky offers real-time analytics for website operators. The tool records visitor flows, click paths, and engagement metrics in order to optimise website performance. Further functions include heatmaps (visual representation of click patterns), session recording (recording of user interactions), and uptime monitoring (availability checking).
Implementation is via a JavaScript snippet that is embedded in the <head> or <body> area of the website. The snippet loads automatically on page visit and immediately starts data collection.
B. Mandatory Disclosures in the Privacy Policy When Using Clicky
Website operators must transparently document the following information in the privacy policy:
- Provider and contact: Name, legal form, and address of the provider
- Data processed: Specific information on which categories are collected
- Purpose of processing: Comprehensible explanation of the purposes of use
- Legal basis: Citation of the applicable GDPR articles
- Storage duration: Retention periods for data
- Opt-out option: Link or instructions for excluding oneself from tracking
- Third-country transfer: Where data is transferred to the USA
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Clicky
Clicky is operated by Roxr Software Ltd., a US-based company. The exact address and the full contact details can be found in the provider's privacy policy.
Important: Since Roxr Software Ltd. is based in the USA, a data transfer to a third country takes place. The status under the Data Privacy Framework (DPF) – the successor to the Privacy Shield – should be checked at dataprivacyframework.gov. If Roxr Software Ltd. is not certified, Standard Contractual Clauses (SCC) or other transfer mechanisms pursuant to Art. 44–49 GDPR must be used.
Further information: Consult Clicky's privacy policy and the Data Processing Agreement (DPA) provided by Roxr Software.
D. Data Processing – Procedure in Steps
E. Data Collected by Clicky
Clicky collects the following categories of data:
- Web server log data: IP address (truncated or anonymous), user agent
- Unique identifiers: Persistent and session-based cookies, Clicky user ID
- Click paths and navigation data: URLs visited, page sequence, dwell time
- Device and browser information: Device type, operating system, browser version
- Coarse location data: Geolocation at city level
- Interaction data: Heatmap data (where users click, where they scroll)
- Session recording data: If activated, recording of user sessions including keyboard inputs and mouse pointer
- Conversion events: Custom events that make user behaviour traceable
- User profiles: User-ID-based profiles for re-identification
F. Purposes of Use
Processing by Clicky pursues the following purposes:
- General product improvement: Statistical evaluation of website performance and user behaviour
- User profile creation: Aggregation and anonymisation of data into user groups
- User-individual product improvement: Optimisation of the website based on individualised user information
- Marketing-oriented use (depending on configuration): Creation of target group profiles; partial use for personalised content adaptation
G. Legal Bases for Clicky
1. Categorisation
Clicky predominantly falls into the category of tracking for statistical purposes, but also exhibits marketing-like aspects (heatmaps, UID-based user profiles).
2. Applicable Legal Bases
Consent (Art. 6(1)(a) GDPR + § 25(1) TDDDG)
- Processing via cookies and local storage is in principle a consent matter. This must be effectively obtained before placement (e.g. via a cookie banner).
- § 25(1) TDDDG provides that the storage and retrieval of information on terminal devices is permissible only with prior consent.
Third-country transfer (Art. 44–49 GDPR)
- Data Privacy Framework (DPF): If Roxr Software Ltd. falls under the DPF, the transfer is permissible (Art. 45(3) GDPR, Adequacy Decision 2023/1250).
- Standard Contractual Clauses (SCC): Should Roxr not be certified, SCC must be used (Art. 46(2)(c) GDPR).
- Supplementary measures: In rare cases, examine additional safeguards (encryption, pseudonymisation).
H. Special Features and Notes on Clicky
- Data location USA: Roxr Software Ltd. stores data on US servers. US authorities can request access under certain conditions (FISA Amendments Act).
- Check DPF status: Verify at dataprivacyframework.gov whether Roxr is certified. If certification has expired or is not in place, SCC apply.
- Data Processing Agreement (DPA): Request an effective DPA (Art. 28 GDPR) that contains guarantees on data protection measures.
- IP anonymisation: Check whether Clicky offers IP anonymisation options and use them.
- Heatmap and session recording: These functions potentially capture more sensitive data (e.g. input fields). Document whether these are activated.
- Storage duration: Clicky typically offers retention options; document the chosen setting.
- Opt-out and right to object: Clicky usually provides an opt-out mechanism; the link should be listed in the privacy policy.
I. FAQ
J. Conclusion and Practical Approach
Clicky is a powerful analysis tool, but it requires careful data protection documentation. The following steps ensure compliance:
- Cookie banner: Implement a legally compliant cookie consent before activating Clicky.
- Privacy policy: Integrate all information from this guide (provider, data, purposes, legal bases, opt-out).
- DPA conclusion: Request a signed Data Processing Agreement from Roxr Software Ltd.
- DPF check: Regularly verify whether Roxr is certified under the Data Privacy Framework.
- Configuration: Activate only the functions you need; document which are on (especially session recording).
- Opt-out link: Provide an easily accessible link to opt out.
This guide is regularly reviewed and adjusted. As of: April 2026. Before use, check Clicky's current privacy policy and the DPF status at dataprivacyframework.gov.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been recognised by Handelsblatt continuously from 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com