Privacy Policy
Last updated: January 21, 2025
1. Introduction
CiteRadar ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our AI visibility tracking service.
Our Privacy-First Principle: We only analyze public AI model outputs. We never access your customer data, CRM systems, or website visitors.
2. Data We Collect
2.1. Account Information
- Email address: For authentication and communication
- Name: Optional, for display in the UI
- Password: Securely hashed, never stored in plain text
- Profile picture: Optional, provided via OAuth providers
2.2. Usage Data
- Tracked domains: Domains and brand names you want to monitor
- Queries: Search prompts you create (e.g., "best project management tools")
- Snapshots: AI model responses to your queries (stored in Cloudflare R2)
- Insights: AI-generated analysis of your visibility trends
2.3. Billing Information
- Stripe Customer ID: For payment processing
- Subscription status: Your current plan and billing cycle
Note: Full payment details (credit card numbers, billing addresses) are stored exclusively by Stripe, not by CiteRadar. We only store subscription IDs.
2.4. Technical Data (Anonymized)
- IP addresses: Hashed with SHA-256 for security purposes
- User agent: Hashed, for device compatibility
- Audit logs: Actions taken in your account (retained for 30 days)
3. How We Use Your Data
3.1. Service Delivery
- Authenticate your account and maintain sessions
- Run AI queries and generate visibility reports
- Calculate visibility scores and competitor rankings
- Generate insights and recommendations
3.2. Communication
- Send email verification and welcome emails
- Deliver daily digest reports (if enabled)
- Notify you of important account changes or errors
- Respond to support requests
3.3. Billing
- Process subscription payments via Stripe
- Track usage limits for your plan
- Send payment receipts and invoices
3.4. Security & Fraud Prevention
- Maintain audit logs of account actions (30 days)
- Detect and prevent unauthorized access
- Monitor for abuse or policy violations
4. Third-Party Service Providers
We use the following sub-processors to deliver our service:
| Provider | Purpose | Location | DPA |
|---|---|---|---|
| Stripe | Payment processing | πΊπΈ US (EU DPA available) | Link |
| Resend | Email delivery | πΊπΈ US | Link |
| Railway | Database hosting | πͺπΊ EU | Link |
| Cloudflare R2 | File storage | πͺπΊ EU | Link |
| Upstash | Cache & queue | πͺπΊ EU | Link |
| Sentry | Error tracking | πͺπΊ EU | Link |
4.1. AI Model Providers
We send only query prompts and domain names to AI providers (OpenAI, Anthropic, Google, Perplexity). We never send user emails, names, CRM data, or any personal information.
All AI providers have been configured with zero data retention mode, meaning they do not use our API data for training their models.
5. Your Rights (GDPR)
5.1. Right to Access
You can export all your organization data at any time by visiting your settings page or using our API endpoint: /api/export/org-data
5.2. Right to Deletion (Right to be Forgotten)
You can delete your account at any time from your settings page. Organization owners can also delete their entire organization, which includes a 30-day grace period before permanent deletion.
5.3. Right to Rectification
You can update your account information (name, email) at any time from your profile settings.
5.4. Right to Data Portability
All your data can be exported in CSV format for easy import into other systems.
5.5. Right to Object
You can opt out of non-essential emails (daily digests, threshold alerts) from your notification settings.
6. Data Security
- Encryption: All data encrypted at rest (database) and in transit (TLS 1.2+)
- IP Hashing: IP addresses are hashed with SHA-256 before storage
- Access Control: Role-based permissions (OWNER, ADMIN, MEMBER, VIEWER)
- Audit Logs: All sensitive actions logged for 30 days
- HTTPS Only: All connections secured via Cloudflare
7. Data Retention
- User accounts: Until you delete your account
- Sessions: 30 days or until logout
- Audit logs: 30 days (auto-deleted)
- Soft-deleted organizations: 30 days grace period before permanent deletion
- Expired invitations: 7 days after expiry
8. Cookies & Analytics
We do NOT use tracking cookies or invasive analytics.
- Authentication cookies: Essential httpOnly cookies for session management (required for service)
- No tracking: We don't track your browsing behavior or website visitors
- No third-party ads: We don't use advertising networks
9. International Data Transfers
EU Data Residency: All personal data (database, file storage, cache) is stored in the European Union via Railway, Cloudflare R2, and Upstash.
Some service providers (Stripe, Resend, AI model providers) may process data in the United States under appropriate safeguards such as Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs).
10. Children's Privacy
CiteRadar is not intended for users under 16 years of age. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email and by updating the "Last updated" date at the top of this policy.
12. Contact Us
If you have questions about this Privacy Policy or your data, please contact us:
13. Data Protection Authority
If you are located in the European Economic Area, you have the right to lodge a complaint with your local supervisory authority if you believe we have not complied with applicable data protection laws.
14. Your Consent
By using CiteRadar, you consent to this Privacy Policy and our processing of your data as described herein.
Questions about your data?
We're here to help. Contact us at [email protected] for any privacy-related questions or to exercise your GDPR rights.