[c][citaition]
This document is provided for transparency. For legal questions, contact contact@citaition.io.

Privacy Policy

This privacy policy was last updated on 1 March 2026. This document sets out how Citaition Ltd collects, uses, and protects your personal information when you use our website and platform.

Introduction

Citaition Ltd ("we", "us", "our") is a company registered in England and Wales. We operate the website citaition.io and the platform at app.citaition.io (together, the "Service").

This privacy policy explains what personal information we collect, how we use it, who we share it with, and your rights regarding your data. It applies to all users of our website and platform.

Information We Collect

Account information

When you create an account, we collect your email address, company name, and job title. A work email address is required for registration.

Brand data

You provide brand names, website URLs, and competitor names when setting up brands for monitoring. This data is used solely to run AI visibility queries on your behalf.

Usage data

We collect information about how you use the platform, including pages visited, features used, and analysis runs initiated. This helps us improve the Service.

Payment data

Payments are processed by Stripe. We do not store your credit card details. Stripe provides us with a transaction reference, billing email, and subscription status. For details on how Stripe handles your payment data, please see Stripe's privacy policy.

AI response data

When we run queries on your behalf, we collect responses from ChatGPT, Gemini, and Perplexity about your brands. These responses are stored to provide your visibility reports, diagnostics, and recommendations.

How We Use Your Information

  • Providing the Service: Monitoring AI visibility for your brands, generating reports, diagnostics, and recommendations.
  • Improving accuracy: Improving our benchmark dataset and diagnostic accuracy using aggregated, anonymised data from AI responses across all brands.
  • Transactional emails: Sending account-related emails such as welcome messages, report notifications, and billing confirmations via Resend.
  • Payment processing: Managing subscriptions and processing payments via Stripe.

Legal Basis for Processing

Under GDPR Article 6, we process your personal data on the following grounds:

  • Contract performance: Processing your data is necessary to provide the Service you signed up for, including running AI visibility queries, generating reports, and managing your account.
  • Legitimate interests: We have legitimate interests in improving our Service, maintaining security, preventing fraud, and developing our benchmark dataset using aggregated, anonymised data.
  • Consent: Where we send marketing communications, we do so with your consent. You can withdraw consent at any time.

Data Sharing

We share your data only with the following third-party processors, and only to the extent necessary to provide the Service:

  • Stripe — Payment processing.
  • Resend — Transactional email delivery.
  • Supabase — Database hosting (EU region).
  • Google Cloud — Compute infrastructure (europe-west2, London).
  • OpenAI, Google, and Perplexity — API queries for AI visibility monitoring. We send brand names and monitoring queries to these providers. We do not send your personal data (email, name, or payment information) to AI providers.

We do not sell your personal data to any third party. We do not share your data with advertisers or data brokers.

Data Retention

Account data is retained while your account is active and for 30 days after account deletion, to allow for account recovery and to fulfil any outstanding obligations.

AI response and analysis data is retained for benchmark improvement purposes in an aggregated, anonymised form. Once anonymised, this data cannot be linked back to your account or brands.

Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate personal data.
  • Erasure: Request deletion of your personal data.
  • Restriction: Request restriction of processing of your personal data.
  • Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.

To exercise any of these rights, contact us at contact@citaition.io. We will respond within 30 days.

International Transfers

Some of our processors — including Stripe, OpenAI, and Perplexity — process data in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by UK GDPR. Our primary database and compute infrastructure are located in the EU and UK respectively.

Cookies

We use a limited number of cookies to operate the Service. For full details on the cookies we use and how to manage them, please see our Cookie Policy.

Security

We take the security of your data seriously. Measures we employ include:

  • Encryption in transit using TLS for all connections.
  • Encryption at rest for stored data.
  • Row Level Security (RLS) policies on our database ensuring users can only access their own data.
  • API key encryption for any credentials stored on the platform.

Children

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify registered users via email before the changes take effect. The "last updated" date at the top of this page will always reflect the most recent revision.

Contact

If you have any questions about this privacy policy or how we handle your data, contact us at:

contact@citaition.io

Citaition Ltd, registered in England and Wales.