ClickBomb is operated by Serpply Ltd, a company registered in England and Wales (this document refers to that company as "we", "us", or "ClickBomb"). This page explains what personal data we collect, why, where it is processed, how long we keep it, and the rights you have over it under the UK GDPR and the Data Protection Act 2018.
Serpply Ltd is the controller of all personal data we collect through clickbombs.com and the related app surfaces. Contact: hello@clickbombs.com.
| Data | When collected | Purpose | Lawful basis |
|---|---|---|---|
| Email address | Signin and magic-link auth | Authenticate your account; send transactional and lifecycle email | Contract; legitimate interest for lifecycle |
| Phone number (optional) | Stripe Checkout | Sales follow-up on higher-tier purchases | Consent (you choose to provide) |
| Payment details | Stripe Checkout | Process payment, refund handling, fraud prevention | Contract |
| Target URL, keyword, geo, claimed rank bucket | Pre-check and order forms | Run the requested ClickBomb test | Contract |
| IP address, user agent, country | Every API request | Security, rate limiting, abuse prevention, basic analytics | Legitimate interest |
Cookies and the Meta pixel _fbp / _fbc | Page view, form interaction | Ad measurement and conversion attribution | Consent (where consent is required by your jurisdiction) |
| UTM parameters, fbclid, referer | First touch on any lander | Marketing attribution to the ad or referrer that brought you | Legitimate interest |
We do not store full card numbers, CVCs, or bank details. Those go directly to Stripe.
We use the following sub-processors to deliver the service. Each is GDPR-compliant under either an adequacy decision or Standard Contractual Clauses:
We do not sell personal data. We do not share it for direct-marketing purposes outside the processors above.
We run the Meta (Facebook / Instagram) pixel on our marketing landers (the homepage, /test/, /pricing/, /upgrade/, /signin/, /auth/verify/, and the post-purchase /dashboard/) to measure ad performance. Server-side events sent through the Meta Conversions API hash your email and phone with SHA-256 before transmission so the raw values are never sent to Meta in plain text. You can opt out of personalised advertising at facebook.com/settings/ads.
Under UK GDPR you have the right to: access the personal data we hold about you, request correction of inaccurate data, request deletion (subject to the legal retention requirements above), restrict processing, port your data to another controller, and object to processing on legitimate-interest grounds. You also have the right to withdraw consent for any processing that relies on consent, including the Meta pixel.
To exercise any of these rights, email hello@clickbombs.com from the address on the account. We respond within 30 days. If you are not satisfied with our response you can complain to the UK Information Commissioner's Office at ico.org.uk.
Some sub-processors are based in the United States. Transfers are covered by the EU–US Data Privacy Framework where the processor is certified, otherwise by Standard Contractual Clauses.
We use TLS in transit, password-less authentication, hashed token storage, encrypted secrets, and role-based access on our infrastructure. We log access to administrative actions and keep an immutable audit trail for sensitive operations.
ClickBomb is not intended for users under 18. We do not knowingly collect personal data from children. If you believe a child has provided data to us, email hello@clickbombs.com and we will delete it.
We will update this page when material changes are made. The "Last updated" date at the top reflects the most recent revision. Substantial changes will also be communicated by email to active customers.