Fast.  Secure.  Free.  Forever.
How we protect your data
Updated April 21, 2026

Security & Privacy at ClickOff.

We built ClickOff to give people control over their digital footprint. It would be absurd if we didn't hold ourselves to the same standard. Here's what we do, what we don't do, and how you can verify it yourself — with radical transparency instead of NDA-gated attestations.

Encryption at Rest: AES-256
Transit Encryption: TLS 1.3
Data We've Ever Sold: $0.00
Public Policy: 100%

Our Approach

Transparency beats certifications.

Most privacy companies hide behind SOC 2 badges and NDA-gated audit reports. We believe that's backwards. If we're asking people to trust us with information about themselves, we should be radically open about how we operate — not hide our practices behind paywalls and legal agreements.

Everything on this page is publicly accessible. Our privacy policy is in plain English. Our security practices are documented here in detail. If something isn't clear, email us at security@clickoff.io and we'll answer honestly.

What we do

Encrypt everything
AES-256 encryption for all stored user data. TLS 1.3 for all data in transit. Same standard as enterprise SaaS platforms.
Minimize data collection
We store only what's necessary to fulfill a request. First name, email, and state — nothing more. No SSN. No driver's license. No financial accounts.
Multi-factor authentication
All administrative access to systems requires MFA. Role-based access controls limit who can see what. Access logs retained for 90 days.
Automated backups
Daily encrypted backups with 30-day retention. Disaster recovery plan tested quarterly.
Incident response plan
Documented procedures for suspected breaches. Affected users notified within 72 hours in accordance with GDPR / state privacy law standards.
Regular security reviews
Quarterly internal audits. Annual third-party penetration testing. Responsible disclosure program for independent researchers.
What We Don't Do

The promises we keep by refusing to.

Most privacy policies read like defensive legal disclaimers — "we may do these 47 things with your data." Ours reads like a list of things we refuse to do.

Sell or rent user data
Not to advertisers. Not to data brokers. Not to anyone, ever. Our revenue comes from Shield subscriptions and affiliate partnerships — not from monetizing you.
Share data during "corporate sale"
Some competitor privacy policies include a clause allowing data sharing if the company is acquired. Ours doesn't. Any acquirer must honor the same privacy commitments we make today.
Request sensitive identifiers
We don't ask for your SSN, driver's license number, passport, or financial account information. Our product simply doesn't need them to work.
Track you across the web
We use only first-party analytics (Google Analytics 4, minimal configuration). No third-party tracking pixels. No cross-site retargeting. No behavioral advertising cookies.
Use dark patterns
No retention calls when you cancel. No "are you sure?" guilt prompts. No confirmshaming. The cancel button looks like a cancel button.
Hide behind legalese
Our privacy policy is written in plain English. When we update it, we document what changed. No stealth modifications, no dense footnotes.
Vs. the Industry

How we compare to DeleteMe.

DeleteMe is a well-known, legitimate privacy service that charges $129/year. They have SOC 2 Type 2 certification (2021) and recently achieved ISO 27001:2022 (2026). These are real credentials with real costs. Here's the honest comparison:

Practice | DeleteMe | ClickOff
AES-256 at rest | Yes | Yes
TLS 1.2+ in transit | Yes (1.2) | Yes (1.3)
MFA for admin access | Yes | Yes
Public security documentation | Yes (some) | Yes (full)
SOC 2 Type 2 attestation | Yes (since 2021) | In progress (Q4 2026)
ISO 27001 certification | Yes (2026) | No
SOC 2 report requires NDA | Yes | N/A (we'll publish publicly)
"Corporate sale" data-sharing clause | Yes (flagged by privacy experts) | No
Client-side / zero-knowledge | No | No (same as DeleteMe)
Price per year | $129 | $49 (62% less)

The honest take: DeleteMe has more certifications than us. Those certifications cost real money and reflect real rigor — we respect them. But certifications are one signal of trustworthiness, not the only one. We argue that public documentation + no "corporate sale" clause + radical transparency offers a different kind of credibility, built on openness rather than gated attestation.

We're also pursuing SOC 2 Type 2 — just not before we have the revenue base to justify the $30K+ cost of a proper audit. That's the honest trade-off we're making.

Compliance Roadmap

Where we're going, stated publicly.

Month 0 (now): Radical transparency via this page, BBB accreditation application, responsible disclosure program (security@clickoff.io).
Month 3-6: Automated compliance tooling (Vanta or Drata). Internal SOC 2 controls implementation. Employee security training.
Month 6-9: SOC 2 Type 1 audit (point-in-time controls assessment).
Month 12-18: SOC 2 Type 2 attestation (12-month observation period completed).
Year 2+: ISO 27001, GDPR attestation, HIPAA compliance if we expand into regulated sectors.

Responsible Disclosure

Found a vulnerability? Tell us.

We welcome reports from security researchers and independent parties. If you've identified a security issue — whether it's a technical vulnerability, a privacy concern, or a gap between what this page claims and how we actually operate — we want to know.

How to report:

We don't yet have a formal bug bounty program, but we recognize meaningful security contributions publicly (with your permission) and, where appropriate, offer compensation for critical findings.

Have a security question?
Email our security team.
Response within 48 hours. No automated replies. Real humans reading your message.
security@clickoff.io
Security & Privacy · FAQ
The questions worth asking.
Does ClickOff sell or share my data?
No. ClickOff does not sell, rent, license, or monetize user data. Our business model is subscription-based for Shield ($4.99/mo or $49/year) and affiliate partnerships for cancel and subscribe guides. Your personal information is never a product, ever.
What encryption does ClickOff use?
AES-256 encryption at rest for all stored user data. TLS 1.3 for all data in transit. Both standards match or exceed industry-standard practices used by enterprise SaaS platforms. We rotate encryption keys quarterly.
Is ClickOff SOC 2 certified?
Not yet. ClickOff is actively pursuing SOC 2 Type 2 attestation, targeting completion by Q4 2026. We believe in being transparent about what we have and haven't achieved, rather than claiming credentials we don't hold. SOC 2 Type 2 requires a 12-month observation period, so we're building the controls, implementing automated evidence collection, and will undergo audit once revenue scale justifies the $30K+ investment.
Why don't you have SOC 2 now if it's so important?
Honest answer: cost. A proper SOC 2 Type 2 audit runs $25K-$50K upfront, plus $15K+/year ongoing, plus 6-12 months of preparation time. At our current stage, that money is better invested in the product, the legal research behind each state's privacy framework, and the infrastructure to support Shield at launch. SOC 2 is on our roadmap — just not ahead of building something worth certifying.
What happens to my data if ClickOff is acquired?
User data would transfer to the acquiring entity subject to the same privacy commitments in our current privacy policy. Unlike some competitors, we do not have a broad "corporate sale" data-sharing clause that would permit the acquirer to use your data for new purposes. Any future changes to privacy practices would require affirmative user consent, not silent policy updates.
Where is user data stored?
User data is stored in US-based data centers operated by established cloud providers (AWS, GCP). We do not transfer user data internationally. Backups are encrypted and retained for 30 days before automatic deletion.
Can I request deletion of my ClickOff account data?
Yes, obviously — it would be hypocritical otherwise. Email security@clickoff.io or use our account dashboard once logged in. Deletion processed within 7 days with confirmation. Associated backup data purged within 30 days.
Does ClickOff have a "zero-knowledge" architecture?
No — and we want to be honest about this. A true zero-knowledge system would mean ClickOff couldn't read your data even if compelled to. To submit deletion requests to data brokers on your behalf, we need to see the data we're sending. This is the same architectural limitation as DeleteMe and every other data broker removal service. What we can promise: we see it, we submit it, we don't store it longer than necessary, and we never sell or share it.
How do I verify what this page claims?
Fair challenge. Until SOC 2 is completed, our claims are verified by: (1) transparency — we publish these practices openly rather than hiding behind NDAs; (2) our privacy policy, which is legally binding; (3) technical verification — researchers can test our security claims (TLS version, header configurations, etc.) directly on our live domain; and (4) responsible disclosure — we actively invite scrutiny and commit to acknowledge findings within 48 hours. Imperfect? Yes. But it beats certifications you can't read.
Who runs ClickOff?
ClickOff is operated by Phion Systems, LLC, a US-based company. We're a small independent team, not a private-equity-owned aggregator. Our leadership is publicly identifiable (ClickOff's founder is a named individual with a LinkedIn presence). No shell companies, no offshore complexity.