Legal
Privacy Policy
Plain English, no dark patterns. If something here is unclear, email contact@citeca.ai and we’ll fix it.
Effective May 25, 2026
What we collect
From you directly: your name, email address, business name + website, billing details (held by Stripe, we never see card numbers), and anything you type into the dashboard (prompts, competitor names, brand-kit edits).
From your website:we scrape your public pages to extract your brand voice, services, and on-page SEO state. We only fetch pages reachable from a browser. We don’t bypass logins, paywalls, or robots.txt blocks.
From AI engines: the verbatim text of AI responses to your tracked prompts, plus any source URLs the engine cited. We store these so we can show you where you were named and prove the work.
Automatically: normal server logs (IP, user agent, timestamps) for security + debugging. No advertising cookies. No cross-site tracking.
What we do with it
We use your data to run the product you’re paying for: audit your AI visibility, draft fixes, publish them when you’ve connected an integration, and email you weekly reports. We do not sell your data, ever. We do not share your prompts, brand kit, or audit results with anyone outside citeca except the AI engines we have to query on your behalf.
When you connect an integration (WordPress, Webflow, Google Business Profile, etc.), the access tokens are AES-256-GCM encrypted at rest and only decrypted in-process at publish time. They never leave our servers.
Who we share with (subprocessors)
To run the product we use a small set of trusted infrastructure providers. Each one only sees the data they need:
- Stripe: payment processing. Sees your billing email + card details only.
- Supabase: auth + database hosting. Holds your account record and all dashboard data, encrypted at rest.
- Google Cloud Run + Vercel: application hosting. Sees request data in transit.
- Resend: transactional email (sign-in links, weekly reports). Sees your email address.
- OpenAI, Anthropic, Google Gemini, Perplexity, SerpAPI: AI engine queries. Each sees the individual prompt we test on your behalf. They do not see your account or brand kit.
- Firecrawl: used as a fallback site scraper when sites block standard requests. Sees only the URL we ask it to fetch.
Your rights
You can edit or delete anything you’ve put into the dashboard from Settings. To delete your entire account and all associated data, email contact@citeca.ai from your account address. We delete within 1 working day. We retain zero data after deletion, including no “just in case” backups beyond 30 days.
If you’re in the EU, UK, or California you have additional rights (access, portability, objection). Same email address, same SLA.
Cookies
We use first-party cookies strictly for auth (your sign-in session). No analytics cookies, no advertising cookies, no third- party trackers. If we ever add product analytics, this page will be updated and you’ll be told upfront.
Children
citeca is a B2B service. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, email us and we’ll delete the account immediately.
Changes
When we change this policy in a way that affects you, we’ll email every active customer at least 14 days before the change takes effect. The full history of changes is tracked in our public git repository.
Contact
Email contact@citeca.ai or read our Terms of Service.
