Privacy Policy
Effective date: June 10, 2026 Last updated: June 10, 2026
At a glance
Tākt is a personal supplement and peptide tracker. We collect what you tell us (account info and the wellness data you log) and the minimum technical data needed to run the Service.
- We do not sell your data.
- We do not use your health data for advertising.
- We do not use your data to train AI models.
- You can export everything and delete your account at any time from settings.
- You have full access, correction, deletion, and portability rights regardless of where you live.
The full policy is below. This summary doesn't replace it; it's there so you don't have to read 4,000 words to understand what we do.
1. Who we are
This Privacy Policy explains how Clique Agency Inc. ("Tākt," "we," "us," "our") collects, uses, discloses, and protects personal information when you use Tākt, including the website at get-takt.com, any associated subdomains, and any related services (collectively, the "Service").
Clique Agency Inc. is a corporation incorporated in Ontario, Canada, with its registered office at 88 Blue Jays Way, Toronto, ON M5V 0L7. References to "you" mean the individual using the Service.
Roles under data protection laws:
- GDPR / UK GDPR: Clique Agency Inc. is the data controller.
- PIPEDA / Quebec Law 25: Clique Agency Inc. is the organization accountable for your personal information. Our designated Privacy Officer (and Quebec Law 25 "person in charge of the protection of personal information") is reachable at support@get-takt.com.
- CCPA/CPRA and other US state privacy laws: Clique Agency Inc. is the business.
- DPO: We have assessed our processing under GDPR Article 37 and concluded a Data Protection Officer is not legally required at this stage. We will reassess as our processing scale changes. Privacy questions go to the Privacy Officer at support@get-takt.com.
- EU/UK representative under Art. 27: Not yet appointed. We will appoint and disclose a representative once our offering to EU/UK users meets the Article 27 thresholds.
If you do not agree with this Policy, do not use the Service.
2. What we collect
2.1 Account and identity information
- Email address
- Password (stored as a salted hash; we never see your password)
- Name or display name (if provided)
- Date of birth (used only to verify you are at least 18, then stored as your age range)
- Profile information you choose to add (body composition goals, baseline measurements, pronouns)
2.2 Health and wellness information you log
This is special category data under GDPR (Article 9), sensitive personal information under CPRA, and sensitive personal information under Quebec Law 25. It is treated with the heightened protections in Section 3.2.
It may include:
- Supplements, peptides, and other compounds you choose to track, including names, doses, schedules, and notes
- Reconstitution inputs (vial size, BAC water volume) used by calculators
- Injection site selections and rotation history
- Body metrics (weight, measurements, energy, sleep, mood, side effects, lab values)
- Goals, protocols, and adherence
You decide what to log. We do not require any specific category of information.
2.3 Payment information
Tākt is free during the beta. We do not collect or process any payment information. If we introduce paid plans, we will update this Policy and describe our payment processing before any charge.
2.4 Technical and usage information
- IP address and approximate location derived from it (city or region level only)
- Device type, operating system, browser, language
- Pages and features accessed, timestamps, referring URLs
- Crash reports and error logs
- Cookie and similar identifiers (see Section 11)
2.5 Communications
If you contact support, we collect the contents of your message and your email address so we can respond.
2.6 Information we do not collect
To make the boundaries clear:
- We do not collect biometric identifiers (face, fingerprint, voice).
- We do not import data from Apple Health, Google Health Connect, wearables, EMR systems, or pharmacy records. If we add such integrations, we will update this Policy and seek consent before importing.
- We do not buy data about you from third-party data brokers.
- We do not collect government-issued identifiers (SIN, SSN, driver's license, passport).
- We do not knowingly collect data about anyone other than you.
3. Legal basis and how we use your information
3.1 General purposes and legal basis
| Purpose | GDPR / UK GDPR basis | PIPEDA / Quebec Law 25 basis |
|---|---|---|
| Create and operate your account | Contract performance (Art. 6(1)(b)) | Necessary to provide requested service |
| Display and store the data you log (non-sensitive parts) | Contract performance | Express consent at point of entry |
| Service emails (receipts, password resets, security notices, terms changes) | Contract performance; legitimate interests (Art. 6(1)(f)) | Reasonable purposes |
| Marketing emails and product updates (only if you opt in) | Consent (Art. 6(1)(a)) | Express consent (also required under CASL) |
| Customer support | Contract performance; legitimate interests | Reasonable purposes |
| Security, abuse prevention, fraud investigation | Legitimate interests; legal obligations | Reasonable purposes; legal obligations |
| De-identified, aggregated usage analysis to improve the Service | Legitimate interests | Reasonable purposes |
| Comply with law and respond to lawful requests | Legal obligations (Art. 6(1)(c)) | Legal obligations |
| Establish, exercise, or defend legal claims | Legitimate interests | Reasonable purposes |
3.2 Special category / sensitive health data
The wellness data you log is sensitive. We process it only on the following bases:
- GDPR Art. 9(2)(a), your explicit consent. When you create your account and when you first log a sensitive category (a medication, a body metric, a symptom), you give explicit consent through clear affirmative action. You can withdraw consent at any time, which results in deletion of that data within 30 days subject to Section 9.
- GDPR Art. 9(2)(f), establishment, exercise, or defense of legal claims, where applicable.
- CPRA sensitive personal information. We use sensitive personal information only to provide the Service you have requested and for purposes California law permits without an additional consent (security, fraud prevention, complying with the law). We do not use it to infer characteristics about you for marketing. You may direct us to limit our use to those purposes by emailing support@get-takt.com, though we already operate within that limit.
- Quebec Law 25. We obtain express consent for sensitive personal information at the point of collection. Sensitive information is not communicated outside Quebec without a Privacy Impact Assessment that concludes the information will receive adequate protection, taking into account contractual and technical safeguards.
We do not use your health and wellness data to target advertising. We do not sell or share it. We do not use it to train third-party AI models. If we ever introduce AI features that operate on your data, we will obtain a new, specific consent and offer an opt-out before any processing begins.
3.3 Automated decision-making (GDPR Art. 22 / Law 25)
Tākt provides calculators (e.g., reconstitution math) and surfaces educational notices (e.g., known interactions between two compounds you log). These features apply pre-defined logic to inputs you provide. They are not decisions that produce legal or similarly significant effects on you within the meaning of GDPR Article 22 or equivalent provisions. They are educational tools.
If we ever build a feature that does produce significant automated decisions, we will notify you in advance, explain the logic and consequences, and offer human review.
4. Marketing and CASL (Canada's anti-spam law)
We send marketing emails only to people who have opted in. As required by CASL we will:
- Identify ourselves clearly in every marketing message
- Provide a working unsubscribe mechanism in every marketing message
- Honor unsubscribe requests within 10 business days
- Keep a record of consent and how it was obtained
You can unsubscribe at any time using the link in any marketing email or by adjusting preferences in your account.
5. Children
The Service is not intended for anyone under 18. We do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has provided us with personal information, email support@get-takt.com and we will delete it.
6. Who we share your information with
6.1 We do not sell or share
We do not sell your personal information for money or other valuable consideration under the CCPA/CPRA, Quebec Law 25, or any other law. We do not "share" your personal information for cross-context behavioral advertising. We do not enable third-party advertising or profiling on the Service.
6.2 Service providers (processors)
We use a small set of vendors to operate the Service. Each is bound by a written agreement (Data Processing Agreement / Standard Contractual Clauses where required) that limits their use of your information to what we instruct. The current list is in Section 7.
6.3 Legal and safety disclosures
We may disclose information when we are required to by law, when a valid legal request is served, or when we reasonably believe disclosure is necessary to investigate, prevent, or take action against suspected fraud, abuse of the Service, threats to health or safety, or violations of our Terms.
When we receive a legal request that we believe is overbroad or invalid, we push back. We will notify you of a legal request affecting your account unless we are legally prohibited from doing so.
6.4 Corporate transactions
If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred. We will notify you in advance and give you a meaningful opportunity to object or close your account before any change of controller takes effect.
6.5 With your consent
We will share information for purposes not described in this Policy only with your consent.
7. Sub-processors
The current sub-processors we rely on:
| Provider | Purpose | Primary processing location | Transfer mechanism for EU/UK data |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | United States | EU SCCs + UK Addendum |
| Vercel Inc. | Web hosting, edge delivery | United States and global edge network | EU SCCs + UK Addendum |
We notify users of material sub-processor changes by updating this list and, for users in the EEA / UK, by sending notice via email or in-app at least 14 days before a new sub-processor begins processing.
The current list is the one in this Section.
8. International transfers
Tākt is operated from Canada. Personal information is primarily stored in the United States via our cloud providers (Supabase and Vercel), and may be processed in other jurisdictions where our service providers operate.
For transfers from the European Economic Area, the United Kingdom, and Switzerland, we rely on:
- The European Commission's adequacy decision for Canada (renewed January 2024) for transfers to our Canadian operations.
- The European Commission's Standard Contractual Clauses (Module 2 controller-to-processor) for transfers from us to processors outside adequate jurisdictions, with the UK International Data Transfer Addendum where applicable.
- Supplementary measures, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, and contractual commitments to challenge unlawful access requests.
You can request a copy of the transfer mechanism that applies to your data by emailing support@get-takt.com.
For Quebec residents, before disclosing personal information outside Quebec we conduct a Privacy Impact Assessment (PIA) under Law 25 and document our determination that the information will receive adequate protection, taking into account contractual and technical safeguards.
9. How long we keep your information
| Data | Retention |
|---|---|
| Account record (email, profile) | Until you delete your account, then 30 days for backup purge |
| Health and wellness logs | Until you delete the entry or your account, then 30 days for backup purge |
| Support correspondence | 3 years from last interaction |
| Server access logs | 90 days |
| Crash and error logs | 90 days |
| Marketing consent and unsubscribe records | Indefinitely, in a separate suppression list, to honor your unsubscribe |
If you delete your account, we delete your account record, profile, and logs within 30 days, except information we are required to retain by law (such as transaction records) and information needed to defend a legal claim that has been asserted.
10. Security
We take reasonable technical and organizational measures to protect personal information:
- TLS 1.2+ for connections in transit
- Encryption at rest for the database and file storage (AES-256), provided by our infrastructure providers
- Passwords stored only as salted hashes by our authentication provider; we never see your password
- Supabase Row Level Security so your data is accessible only to your account
- Multi-factor authentication on the accounts that can access production systems
- Access limited to what is needed, with review of access and dependencies from time to time
No system is perfectly secure. If we discover a breach affecting your personal information, we notify you and the relevant supervisory authorities as required by law:
- GDPR / UK GDPR: notify the supervisory authority within 72 hours and notify affected users without undue delay where the breach is likely to result in high risk to their rights and freedoms.
- PIPEDA: notify the Office of the Privacy Commissioner of Canada and affected users as soon as feasible where the breach poses a real risk of significant harm; maintain a breach record for 24 months.
- Quebec Law 25: notify the Commission d'accès à l'information du Québec and affected users where the incident presents a serious risk of harm; maintain a register of confidentiality incidents.
- US state laws: notify under the applicable state breach notification statute.
11. Cookies and similar technologies
We use only strictly necessary cookies, for authentication, session management, and security. The Service cannot function without them. We remember your in-app preferences such as theme and units in your browser's local storage, not in cookies.
We do not use advertising cookies, we do not allow third parties to set advertising cookies on the Service, and we do not set non-essential cookies, so no cookie consent banner is required. If we use analytics, we use a cookieless, privacy-first provider that does not build cross-site profiles.
We do not sell or share your personal information, and we honor Global Privacy Control (GPC) signals where the law gives you that right.
12. Your rights and choices
12.1 Rights available to all users
- Access. Get a copy of the personal information we hold about you.
- Correction. Correct inaccurate or incomplete information.
- Deletion. Delete your personal information.
- Export (portability). Receive your data in a structured, commonly used, machine-readable format (JSON).
- Withdraw consent. Where we rely on consent, withdraw it at any time. Withdrawal does not affect lawful processing before withdrawal.
- Stop marketing. Unsubscribe via the link in any marketing email or via account settings.
12.2 Additional rights under GDPR / UK GDPR (EEA, UK, Switzerland)
- Restriction of processing (Art. 18)
- Object to processing based on legitimate interests (Art. 21)
- Lodge a complaint with your supervisory authority
12.3 Additional rights under PIPEDA / Quebec Law 25 (Canada)
- Be informed of the existence, use, and disclosure of your personal information
- Challenge accuracy and completeness
- File a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, for Quebec residents, with the Commission d'accès à l'information du Québec (cai.gouv.qc.ca)
- Quebec Law 25 specific rights: right to data portability, right to be informed before automated decision-making with significant effects, right to de-indexation in defined circumstances
12.4 Additional rights under CCPA/CPRA (California) and other US state privacy laws
- Know categories of personal information collected, sources, purposes, recipients
- Delete personal information collected from you
- Correct inaccurate personal information
- Limit use and disclosure of sensitive personal information (we already operate within these limits)
- Opt out of sale/share. We do not sell or share for cross-context behavioral advertising; we honor GPC signals nonetheless.
- Non-discrimination for exercising rights
- Designate an authorized agent
Similar rights exist under the privacy laws of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other US states; we honor them.
12.5 How to exercise your rights
To exercise any of your rights, email support@get-takt.com from the email address on your account and we will action it within the timelines below. This covers access, a copy of your data, correction, and deletion of specific entries or your whole account. Where a self-serve control exists in your account settings, you can use it directly. Authorized agents (CCPA) and other representatives can submit on your behalf with proof of authorization.
We respond within the timelines required by law:
- PIPEDA: within 30 days, extendable in defined circumstances with notice
- Quebec Law 25: within 30 days
- GDPR / UK GDPR: within one month, extendable by two months for complex requests
- CCPA/CPRA: within 45 days, extendable by 45 days
We may need to verify your identity before acting on a request. For sensitive requests we may ask you to confirm details from your account.
13. Changes to this Policy
We may update this Policy. The "Last updated" date at the top reflects the most recent change.
For material changes (changes to the categories of data we collect, purposes of use, sub-processors, or your rights), we will give advance notice by email and in-app and, where required by law, obtain your renewed consent. Continued use of the Service after a change takes effect means you accept the updated Policy.
We keep prior versions and can provide an earlier version on request.
14. Contact
For any privacy question, request, or concern:
Clique Agency Inc. Attn: Privacy Officer 88 Blue Jays Way, Toronto, ON M5V 0L7 Email: support@get-takt.com
If you are not satisfied with our response, you can complain to:
- Canada: Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, Quebec K1A 1H3, priv.gc.ca, 1-800-282-1376
- Quebec: Commission d'accès à l'information du Québec, 525 René-Lévesque Boulevard East, Suite 2.36, Quebec City G1R 5S9, cai.gouv.qc.ca
- EEA: Your local Data Protection Authority (list at edpb.europa.eu/about-edpb/about-edpb/members_en)
- UK: Information Commissioner's Office, ico.org.uk, 0303 123 1113
- California: California Privacy Protection Agency, cppa.ca.gov, or California Attorney General, oag.ca.gov/privacy