Privacy Policy.

Who we are

Cited is operated by [Cited Ltd / Manuel Saramago — insert legal entity name before launch]. Our registered address is [insert address]. We are the data controller for all personal data processed through cited.io.

Contact for data matters: hello@cited.io

What data we collect

Data you provide directly

• Account data: Name, email address, company or brand name, website URL or social handle
• Brand data: Category, stage, description of your company or personal brand
• Social handles (optional): YouTube, Instagram, TikTok, X — if you choose to provide them
• Payment data: Billing details processed by Stripe. We never store card numbers — Stripe handles all payment data under their own privacy policy.
• Communications: Any emails you send to hello@cited.io

Data we generate about you

• Cited Score™: Your AI visibility score, generated monthly by our agent
• Score history: Your score over time for trend analysis
• Audit outputs: GEO reports, content pieces, llms.txt files, schema recommendations generated for your brand
• Usage data: Pages visited, features used, email opens and clicks

Data collected automatically

• IP address, browser type, device type
• Referring URL and on-site behaviour (via privacy-respecting analytics)
• Consent records: timestamp, IP, and checkbox state for each consent at signup

How we use your data

To provide the service (contract performance)

• Running the Cited agent on your brand monthly
• Calculating and tracking your Cited Score™
• Generating and delivering citation content, llms.txt, schema fixes, and reports
• Processing payments and managing your subscription

To communicate with you (legitimate interest / contract)

• Onboarding emails and monthly delivery notifications
• Score change alerts and competitor movement notifications
• Product updates and feature announcements
• Responses to your support enquiries

To improve Cited (legitimate interest)

• Aggregated, anonymised analysis of score patterns across our subscriber base
• Improving agent prompt quality using anonymised audit outputs
• Bug fixing and service reliability

Legal basis summary

• Contract performance: Providing the subscription service you signed up for
• Legitimate interest: Service improvement, security, fraud prevention, direct marketing to existing customers
• Consent: Group data sharing (optional checkbox at signup — see Section 6)
• Legal obligation: Tax records, VAT compliance

AI processing & Cited Score™

Cited uses artificial intelligence (Claude by Anthropic) to analyse your brand, generate content, and calculate your Cited Score™. This means your brand data — name, URL, category, description, and social handle — is processed by the Claude API.

Anthropic processes this data under their own terms and privacy policy. They do not use API inputs to train their models by default. You can review Anthropic's privacy policy at anthropic.com/privacy.

Social media data

If you provide social media handles at signup (YouTube, Instagram, TikTok, X), we use this data to:

• Contextualise agent recommendations for your platform presence
• Monitor public citation signals across those platforms
• Tailor content strategy to your primary audience platform

In Phase 2, if you choose to connect a social account via OAuth (e.g. YouTube), we store a read-only access token in our secure database. We only access publicly available data about your channel: subscriber count, video titles, and engagement metrics. We never post, delete, or modify anything on your behalf.

You can disconnect any connected account at any time by contacting hello@cited.io.

Group data sharing

At signup, you are given the option (not required) to consent to sharing your data with other companies within the Cited group. Currently, this includes Meetlo — a platform where creators and professionals sell their time via virtual meetings.

If you tick this optional consent box, we may share the following with Meetlo:

• Your name and email address
• Your Cited Score™ and category — to assess fit for Meetlo's marketplace
• Your platform type (company or personal brand)

We will never share payment data, full audit outputs, or content generated for your brand with any third party.

Data retention

• Active subscribers: Data retained for the duration of your subscription
• Cancelled subscriptions: Account data retained for 12 months after cancellation, then anonymised or deleted
• Cited Score™ history: Retained for 24 months so you can track progress over time
• Payment records: Retained for 7 years for tax and legal compliance
• Consent records: Retained for 7 years (GDPR audit trail)
• Free audit data: Email and audit result retained for 90 days, then deleted unless you subscribe

Your rights

Under GDPR, you have the following rights regarding your personal data:

• Access: Request a copy of all data we hold about you
• Rectification: Correct inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a machine-readable format
• Restriction: Ask us to pause processing while a dispute is resolved
• Objection: Object to processing based on legitimate interest
• Withdraw consent: Withdraw any consent you've given at any time
• Automated decisions: Request human review of any automated decision that affects you

To exercise any of these rights, email hello@cited.io. We will respond within 30 days.

Cookies

Cited uses only essential cookies required to operate the site (session management, Stripe checkout). We do not use advertising cookies or cross-site tracking cookies.

We may use a privacy-respecting analytics tool (such as Plausible or Fathom) that does not use cookies and does not collect personal data. No cookie banner is required for these tools.

International data transfers

Cited uses the following service providers who may process data outside the EU/EEA:

• Anthropic (Claude API): US-based. Processing under EU Standard Contractual Clauses.
• Stripe: US-based. Processing under EU Standard Contractual Clauses.
• Resend: US-based. Processing under EU Standard Contractual Clauses.
• Netlify: US-based. Processing under EU Standard Contractual Clauses.
• Supabase: EU region available and used for subscriber data.

All transfers are covered by appropriate safeguards. You may request a copy of the relevant Standard Contractual Clauses by emailing hello@cited.io.

Children

Cited is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at hello@cited.io and we will delete it promptly.

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify subscribers by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the current version.

Continued use of Cited after the effective date of any changes constitutes acceptance of the updated policy.

Contact & complaints

For any privacy-related questions or to exercise your rights:

• Email: hello@cited.io
• Response time: Within 5 business days for general queries, within 30 days for formal GDPR requests

If you are unhappy with how we handle your data, you have the right to lodge a complaint with your local data protection authority. In Portugal: CNPD (Comissão Nacional de Proteção de Dados). In the EU, contact your national supervisory authority.