Legal

Privacy Policy

How we collect, use, and protect your data. We believe privacy is a right, not a feature.

Last updated: May 1, 2026

01

Information we collect

We collect only the information necessary to provide, maintain, and improve CitedSpy. We never sell your personal data to third parties.

Account data

  • Name and email address
  • Company name and website URL
  • Billing information (processed by Stripe)
  • Password (hashed, never stored in plain text)
  • Team member invitations and roles

Usage data

  • Pages visited and features used
  • Browser type and operating system
  • IP address (anonymized after 30 days)
  • Referral source and session duration
  • Error logs and performance metrics

Prompt data

  • Tracking prompts you configure
  • AI engine responses (text and citations)
  • Brand mention analysis results
  • Competitor comparison data
  • Aggregated visibility scores

Important: We do not store the contents of your customers' conversations with AI engines. We only store the prompts you configure for brand tracking and the resulting AI responses. All prompt data belongs to you and can be exported or deleted at any time.

02

How we use your information

We use the information we collect for the following purposes, each with a lawful basis under GDPR:

Service delivery

Contractual necessity

Running your configured prompts across AI engines, generating visibility scores, and delivering reports.

Account management

Contractual necessity

Processing payments, managing subscriptions, sending transactional emails (receipts, alerts).

Product improvement

Legitimate interest

Analyzing aggregated, anonymized usage patterns to improve features, performance, and reliability.

Customer support

Contractual necessity

Responding to your inquiries, troubleshooting issues, and providing onboarding assistance.

Security & fraud prevention

Legitimate interest

Detecting unauthorized access, preventing abuse, and maintaining platform integrity.

Marketing communications

Consent

Sending product updates and tips (only with your explicit opt-in consent, easily revocable).

03

Data storage & security

Your data is protected by industry-standard security measures.

Security measures

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • SOC 2 Type II compliant infrastructure
  • Regular penetration testing
  • Role-based access controls (RBAC)
  • Automated vulnerability scanning

Infrastructure

  • Cloud-hosted infrastructure with redundancy
  • Encrypted backups across multiple regions
  • Daily encrypted backups with 30-day retention
  • 99.9% uptime SLA
  • DDoS protection via Cloudflare
  • Database isolation per workspace

04

Third-party services

We share data with a limited number of third-party service providers, solely for the purposes described below. Each provider is contractually bound to protect your data.

Provider | Purpose | Data shared
Stripe | Payment processing | Billing email, payment method tokens, invoice history. We never store full card numbers.
OpenAI | ChatGPT engine queries | Tracking prompts only. No personal data is sent to AI providers.
Google (Gemini) | Gemini engine queries | Tracking prompts only. No personal data is sent to AI providers.
Anthropic | Claude engine queries | Tracking prompts only. No personal data is sent to AI providers.
Perplexity | Perplexity engine queries | Tracking prompts only. No personal data is sent to AI providers.
xAI | Grok engine queries | Tracking prompts only. No personal data is sent to AI providers.
Postmark | Transactional email | Email address and email content (reports, alerts, receipts).
Cloudflare | CDN & security | IP addresses (for DDoS protection). Cloudflare does not log request bodies.

05

Your rights

Depending on your location, you may have the following rights regarding your personal data. We honor all requests within 30 days.

GDPR · International
  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure (right to be forgotten)
  • Right to restrict processing
  • Right to data portability (JSON/CSV export)
  • Right to object to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with a supervisory authority
CCPA · California, United States
  • Right to know what personal data is collected
  • Right to know if data is sold or disclosed
  • Right to say no to the sale of personal data
  • Right to request deletion of personal data
  • Right to non-discrimination for exercising rights
  • Right to correct inaccurate personal data
  • Right to limit use of sensitive personal data

We do not sell your personal data. We have never sold personal data and have no plans to do so. To exercise any of these rights, email [email protected] or use the data management controls in your account settings.

06

Cookie policy

We use a minimal set of cookies to keep the service functional and improve your experience. No third-party advertising cookies are used.

Cookie | Type | Duration | Purpose
cs_session | Essential | Session | Maintains your login session. Strictly necessary for the app to function.
cs_csrf | Essential | Session | CSRF protection token. Prevents cross-site request forgery attacks.
cs_prefs | Functional | 1 year | Stores your display preferences (theme, timezone, dashboard layout).
cs_analytics | Analytics | 90 days | First-party analytics. Tracks page views and feature usage in aggregate. No personal identifiers.

You can manage cookie preferences in your browser settings. Disabling essential cookies may prevent the application from functioning correctly.

07

Data retention

We retain your data only as long as necessary to provide our services and comply with legal obligations.

Account data | Duration of account + 30 days | Deleted within 30 days of account closure. You can request immediate deletion.
Prompt & response data | Duration of account + 30 days | Exportable at any time via JSON or CSV. Permanently deleted after account closure.
Usage analytics | 12 months (rolling) | Anonymized after 30 days. Aggregated data retained for product improvement.
Billing records | 7 years | Required by tax and financial regulations. Stored securely by Stripe.
Server logs | 90 days | IP addresses anonymized after 30 days. Logs used for security and debugging.

08

Children's privacy

CitedSpy is a business-to-business service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at [email protected] and we will promptly delete the information.

09

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (sent to the address associated with your account) and post a prominent notice on our website at least 30 days before the changes take effect. We encourage you to review this page periodically. Your continued use of CitedSpy after the effective date constitutes acceptance of the updated policy.

10

Contact us

If you have questions about this Privacy Policy, want to exercise your data rights, or need to report a privacy concern, we're here to help.

Privacy inquiries

For data access requests, deletion requests, or any privacy-related questions:

[email protected]

We respond to all privacy inquiries within 5 business days.

Data Protection Officer

Our DPO oversees GDPR compliance and can be reached directly:

[email protected]

CitedSpy · India