Privacy Policy

Last updated: January 21, 2025

  • GDPR Compliant
  • EU Hosted: All data in Europe
  • No Tracking: Cookieless analytics
  • Public Data Only: No CRM access

1. Introduction

CiteRadar ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our AI visibility tracking service.

Our Privacy-First Principle: We only analyze public AI model outputs. We never access your customer data, CRM systems, or website visitors.

2. Data We Collect

Account Information

  • Email address: Used for authentication, notifications, and account recovery.
  • Name: Optional, used for personalization.
  • Password: Securely hashed using bcrypt, never stored in plain text.
  • Profile picture: Optional, stored in Cloudflare R2 (EU region).

Service Usage Data

  • Domains you track: Public website domains you want to monitor in AI responses.
  • Query prompts: The prompts you create to test AI visibility.
  • Snapshot results: AI model responses to your queries (public AI outputs only).
  • AI-generated insights: Automated analysis of your visibility data.

Billing Information

  • Stripe Customer ID: Links your account to Stripe for payment processing.
  • Subscription status: Your plan and billing cycle.

Note: We do NOT store credit card numbers, bank details, or CVV codes. All payment processing is handled securely by Stripe.

Technical Data

  • IP Address: Hashed for security, never stored in plain text.
  • User Agent: Browser/device info for session management.
  • Audit logs: Actions performed in your account for security purposes.

3. How We Use Your Data

Service Delivery

  • Authenticate and manage your account
  • Run AI visibility queries on your behalf
  • Calculate visibility scores and competitive analysis
  • Generate insights and recommendations

Communication

  • Send email verification and password reset emails
  • Send daily digest reports (if enabled)
  • Notify you of important account changes
  • Respond to support requests

Billing

  • Process subscription payments through Stripe
  • Track usage against your plan limits
  • Send billing notifications and receipts

Security & Compliance

  • Maintain audit logs for security purposes
  • Detect and prevent fraud or abuse
  • Monitor system health and performance

4. Third-Party Service Providers

We work with the following third-party service providers to deliver our service:

  Provider           Purpose                               Data Location            DPA
  Stripe             Payment processing                    EU (GDPR compliant)      Link
  Resend             Transactional emails                  EU region                Link
  Railway            Application hosting & database        EU (Frankfurt)           Link
  Cloudflare R2      File storage (screenshots, exports)   EU (WEUR region)         Link
  Upstash            Rate limiting & caching               EU (Frankfurt)           Link
  Sentry             Error tracking & monitoring           EU (Frankfurt)           Link
  OpenAI             AI model (GPT-4)                      US (Zero retention)      Link
  Google Vertex AI   AI model (Gemini)                     EU (europe-west1)        Link
  Anthropic          AI model (Claude)                     US (Zero retention)      Link

AI Model Providers

When you run queries, we send only the query prompt and domain names to AI providers. We NEVER send your email, name, organization data, or any personal information to AI models.

EU-Hosted Models:

  • OpenAI: Zero data retention mode enabled
  • Google Vertex AI: EU region (europe-west1) with GDPR compliance
  • Anthropic: Zero data retention mode enabled

Important: AI providers only receive generic prompts like "What are the best project management tools?" along with the public domain names you're tracking.

All AI API calls are made with zero data retention configuration where available.

EU Data Residency

For users in the European Economic Area (EEA), we ensure your data remains within the EU:

  • Region Detection: We detect your region during signup to determine data handling.
  • Model Filtering: EU users only see AI models that support EU data processing.
  • EU Infrastructure: All core data is stored in EU regions:
    • Database: Railway Frankfurt (eu-west)
    • File Storage: Cloudflare R2 (WEUR region)
    • Cache: Upstash Redis (eu-frankfurt)
    • Email: Resend (EU region)
  • AI Processing: When using EU-hosted models (Google Vertex AI), all AI processing stays within EU.

5. Your GDPR Rights

Under the General Data Protection Regulation (GDPR), you have the following rights:

Right of Access

You can request a copy of all personal data we hold about you.

How to exercise: Go to Settings → Export Data, or contact us at [email protected]

Right to Rectification

You can correct any inaccurate personal data we hold.

How to exercise: Update your profile in Settings, or contact us for assistance.

Right to Erasure

You can request deletion of your account and all associated data.

How to exercise: Go to Settings → Delete Account, or email us at [email protected]. We will permanently delete your data within 30 days.

Right to Data Portability

You can export your data in a machine-readable format (CSV).

How to exercise: Use the Export Data feature in Settings to download all your organization data.

Right to Object

You can object to processing of your data for certain purposes.

How to exercise: Contact us at [email protected] to discuss your concerns.

6. Data Security

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest.
  • IP Hashing: IP addresses are hashed using SHA-256 before storage.
  • Access Control: Role-based access with organization-level isolation.
  • Audit Logs: All account actions are logged for security review.
  • Secure Communication: All connections use HTTPS with strict transport security.

7. Data Retention

  • Account data: Retained while your account is active.
  • Session data: Sessions expire after 7 days of inactivity.
  • Audit logs: Retained for 90 days for security purposes.
  • Soft-deleted accounts: Permanently purged after 30 days.
  • Team invitations: Expire after 7 days.

8. Cookies & Tracking

We use minimal, essential cookies only:

  • Authentication cookies: Required for login sessions (httpOnly, secure, SameSite=Lax).
  • No tracking cookies: We do NOT use Google Analytics, Facebook Pixel, or any third-party tracking.
  • No advertising cookies: We do NOT sell your data or show ads.

9. International Data Transfers

EU Data Residency: We store all personal data in EU regions by default.

For any services that process data outside the EU (e.g., OpenAI, Anthropic), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and zero data retention configurations.

10. Children's Privacy

CiteRadar is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email and by updating the "Last updated" date at the top of this policy.

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your GDPR rights, please contact us:

13. Data Processing Agreement (DPA)

If your organization requires a Data Processing Agreement for GDPR compliance, please contact us at [email protected] and we will provide one within 5 business days.

14. Consent

By using CiteRadar, you consent to the collection and use of your information as described in this Privacy Policy. You may withdraw your consent at any time by deleting your account.

Questions about your data?

We're here to help. Contact us at [email protected] for any privacy-related questions or to exercise your GDPR rights.
