Privacy Policy
How CiteGEO collects, uses, and protects your personal data. GDPR and CCPA compliant.
1. Introduction
CiteGEO ("CiteGEO," "we," "us," or "our") is an AI Visibility Intelligence platform that helps brands measure and improve how AI answer engines describe them.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have. It applies to all users of https://citegeo.ai and our related services.
By using CiteGEO, you agree to the practices described in this policy. If you have any questions, contact us at [email protected].
2. What Data We Collect
Data You Provide Directly
- Full name — provided during registration
- Email address — provided during registration, waitlist signup, or RAG grader email capture
- Password — hashed using bcrypt; never stored in plain text
- Brand name and keywords — entered as audit inputs
- Company name and role — optionally provided during onboarding
Data We Collect Automatically
- IP address — used for rate limiting and security
- Browser type and version — collected via analytics
- Device type — collected via analytics
- Pages visited and time spent — tracked through Google Analytics (GA4)
- Referral source — how you found CiteGEO
- Audit results and scores — generated by our system based on your inputs
Data from Third Parties
- Google OAuth — if you sign in with Google, we receive your name, email, and profile picture from Google
- LemonSqueezy — we receive your subscription status and payment history (not your credit card number — LemonSqueezy handles that directly)
3. How We Use Your Data
We use your data for the following purposes:
- To provide the CiteGEO service — running audits, generating scores, creating content briefs and optimization recommendations
- To process payments — via LemonSqueezy, our Merchant of Record
- To send transactional emails — account verification, password resets, payment receipts
- To improve our platform — using analytics data to fix bugs, identify issues, and enhance the user experience
- To enforce our Terms of Service — preventing abuse, fraud, and unauthorized access
- To respond to support requests — when you contact us for help
- To send marketing emails — only with your explicit consent, and you can unsubscribe at any time
4. Legal Basis for Processing (GDPR)
If you are in the EU/EEA, the GDPR requires us to have a legal basis for processing your data. Here are the bases we rely on:
- Contract — processing necessary to provide the service you signed up for (running audits, managing your account)
- Legitimate interest — analytics, security monitoring, fraud prevention, and platform improvement
- Consent — marketing emails and optional analytics cookies. You can withdraw consent at any time
- Legal obligation — retaining tax records, complying with fraud reporting requirements
5. Data Sharing
We share data with the following third-party service providers — and only these providers:
| Service | Purpose | Data Shared |
|---|---|---|
| LemonSqueezy (Stripe) | Payment processing | Email, name, subscription plan |
| Google Analytics (GA4) | Website analytics | Anonymous usage data |
| Google OAuth | Authentication | Email, name (with your consent) |
| OpenAI | AI audit queries | Brand name, keywords (no PII) |
| Anthropic | AI audit queries | Brand name, keywords (no PII) |
| Google Gemini | AI audit queries | Brand name, keywords (no PII) |
| Perplexity (OpenRouter) | AI audit queries | Brand name, keywords (no PII) |
| Groq | AI audit queries | Brand name, keywords (no PII) |
| Tavily | Web search (RAG grader) | URLs submitted for scanning |
| Railway | Cloud hosting | All data (encrypted in transit + at rest) |
| Cloudflare | DNS + CDN | IP addresses, request metadata |
We do NOT sell your personal data. Ever.
7. Data Retention
We retain your data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data (name, email) | While account is active + 30 days after deletion |
| Audit results and scores | While your account is active |
| Payment records | 7 years (tax/legal requirement) |
| Analytics data | Anonymized and retained indefinitely |
| Waitlist/email captures | Until you unsubscribe |
| Server logs | 90 days |
8. Your Rights (GDPR)
If you are located in the EU or EEA, you have the following rights under the General Data Protection Regulation (GDPR):
- Right to Access — request a copy of all personal data we hold about you
- Right to Rectification — correct any inaccurate or incomplete data
- Right to Erasure — request deletion of your personal data ("right to be forgotten")
- Right to Restriction — restrict how we process your data in certain circumstances
- Right to Data Portability — receive your data in a structured, machine-readable format
- Right to Object — object to processing based on legitimate interest
- Right to Withdraw Consent — withdraw consent at any time for consent-based processing (e.g., marketing emails)
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
9. Your Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know — you can request details about what personal information we collect and how we use it
- Right to Delete — you can request deletion of your personal information
- Right to Opt Out of Sale — we do not sell your personal information, so this right does not apply in practice
- Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights
To exercise any of these rights, email us at [email protected].
10. Data Security
We take the security of your data seriously and implement the following measures:
- Encryption in transit — all data is transmitted over TLS/HTTPS
- Password hashing — passwords are hashed using bcrypt and never stored in plain text
- Database access controls — database access is restricted to authorized services only
- Token expiration — JWT authentication tokens expire after a set period to limit exposure
- Rate limiting — protects against brute-force attacks on authentication endpoints
- Regular security audits — we periodically review our security practices and address vulnerabilities
While we implement industry-standard protections, no system is 100% secure. If you discover a security vulnerability, please report it to [email protected].
11. International Data Transfers
CiteGEO operates as a globally distributed service. Your data may be transferred to and processed by sub-processors located in various jurisdictions:
- Railway (US-based) — hosts our application and database
- LemonSqueezy (US-based) — processes payments as Merchant of Record
- AI model providers (US-based) — OpenAI, Anthropic, Google, Perplexity, and Groq process audit queries
- Cloudflare (global) — provides DNS and CDN services
For international transfers, we rely on standard contractual clauses and each service provider's own compliance frameworks (including SOC 2 certifications and Data Processing Agreements where available).
12. Children's Privacy
CiteGEO is not intended for children under 16 years of age. We do not knowingly collect personal data from children.
If we discover that we have inadvertently collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations.
When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email or a prominent notice on the CiteGEO platform
Your continued use of CiteGEO after any changes constitutes acceptance of the updated Privacy Policy.
14. Contact Us
For any privacy-related questions, data requests, or to exercise your rights, contact us:
- Email: [email protected]
- Website: https://citegeo.ai
We aim to respond to all privacy inquiries within 30 days.