Privacy Policy

This policy explains what personal data CiteFit collects, why we collect it, and your rights under UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

1. Who we are

CiteFit ("we", "us", "our") is the data controller for personal data processed through citefit.com. CiteFit is operated as an English general partnership formed under the Partnership Act 1890. The partners are jointly the data controllers and are jointly and severally responsible for compliance with this notice. We will update this page if we convert to a limited liability partnership (LLP) or limited company.

  • Trading name: CiteFit
  • Legal form: General partnership (Partnership Act 1890)
  • Partners (joint data controllers): Soham Jain and Oliver James Williams Lancaster — a current list of all partners is also available for inspection at our principal place of business
  • Principal place of business / address for service: 1 Mapperton Close, Milton Keynes, MK4 4FF, United Kingdom
  • ICO data protection registration: ZC138933

For data protection enquiries contact us at privacy@citefit.com. We do not currently appoint a Data Protection Officer because we are not required to under UK GDPR Article 37, but our privacy lead is reachable at the same address.

You can lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.

2. Data we collect

We collect the following categories of personal data:

Account data: Name, email address, and account preferences you provide when signing up or updating your profile.
Brand and competitive data: Brand names, domains, competitor names, and the AI-generated responses we retrieve on your behalf. This data belongs to you.
Payment data: Billing details are handled directly by Stripe. We store only a Stripe customer ID and subscription status — never raw card details.
Usage and technical data: IP address, browser type, and log data collected automatically when you use the service. We use this for security and service reliability.
Communications: Any correspondence you send us (support emails, feedback).

3. Legal basis for processing

Contract (Article 6(1)(b)): Providing the CiteFit service, managing your account, and processing payments.
Legitimate interests (Article 6(1)(f)): Security monitoring, fraud prevention, improving the service, and sending product update emails to existing customers. Our interests are balanced against your rights — you can object at any time.
Legal obligation (Article 6(1)(c)): Retaining financial records as required by HMRC.
Consent (Article 6(1)(a)): Where we rely on consent (e.g. marketing to non-customers), you can withdraw it at any time by emailing us or clicking "unsubscribe".

4. Cookies and similar technologies

Under the Privacy and Electronic Communications Regulations (PECR) we may only store strictly necessary cookies without your consent. All other cookies and similar storage (analytics, session replay) are off by default and require your opt-in via the cookie banner. You can change your choice at any time by clearing the cookie_consent cookie or by using the "Reject all" option when the banner is shown.

Strictly necessary (always on)

Cookie | Purpose | Duration
sb-* (Supabase auth) | Keeps you signed in across page loads. | Session / 1 week
csrf | Protects against cross-site request forgery attacks. | 24 hours
cookie_consent | Remembers your consent choice for this banner. | 1 year

Optional analytics (off until you accept)

Cookie | Purpose | Duration
ph_* (PostHog) | Product analytics — understanding which features are used so we can improve them. Hosted in the EU. | 1 year
Sentry session replay | Records anonymised UI interactions when an error occurs to help us reproduce and fix bugs. | Session

We do not use advertising cookies or cross-site tracking pixels of any kind.

5. Sub-processors and third-party recipients

We share data with the following sub-processors to operate the service. Each is bound by a written contract and, for any transfer of personal data outside the UK, by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with a documented Transfer Risk Assessment.

Sub-processor | Purpose | Location / transfer mechanism
Supabase Inc. | Authentication, application database (PostgreSQL hosted in eu-west-2), file storage. | EU (UK / Ireland) and USA — IDTA
Vercel Inc. | Application hosting and edge delivery. | USA — IDTA
Cloudflare, Inc. | CDN, DDoS protection, Turnstile CAPTCHA, R2 object storage for differential database backups, Workers AI. | Global edge / USA — IDTA
Stripe Payments Europe Ltd / Stripe, Inc. | Payment processing and billing. Card data is sent directly to Stripe and never reaches our servers. | Ireland (EU) and USA — IDTA
Microsoft Corporation (Azure OpenAI, Azure AI Content Safety, Azure Blob Storage, Azure AI Search) | LLM inference for brand-visibility scans, prompt-injection screening, encrypted weekly database backups, hybrid semantic search. | EU regions where available, otherwise USA — IDTA
Google LLC (Gemini API, PageSpeed Insights) | Google AI Overview-style answers and SEO health metrics. | USA — IDTA
Perplexity AI, Inc. | Perplexity LLM responses for brand-visibility scans. | USA — IDTA
SerpApi, LLC | Optional Google search snippets used as web context for ChatGPT scans. | USA — IDTA
Inngest, Inc. | Background job orchestration for scans, digests and alerts. | USA — IDTA
Upstash, Inc. | Redis-based rate limiting. | EU / USA — IDTA
Resend, Inc. | Transactional and product-update emails. | USA — IDTA
PostHog Inc. (EU instance) | Product analytics. Loaded only after you opt in via the cookie banner. | EU (Frankfurt)
Functional Software, Inc. (Sentry) | Error monitoring. Session replay only loads after you opt in via the cookie banner. | USA — IDTA

We will notify customers of any material changes to this list at least 14 days in advance by email; you may object to a new sub-processor under the terms of our DPA.

6. Data retention

Account and brand data — retained for the life of your account, then deleted within 30 days of account closure.
Payment records — retained for 7 years as required by UK tax law.
Server logs — retained for 90 days.
Support correspondence — retained for 2 years.

7. Your rights under UK GDPR

You have the following rights. To exercise any of them contact privacy@citefit.com. We will respond within one calendar month.

Access: Request a copy of the personal data we hold about you. You can also export your data directly from your account settings.
Rectification: Correct inaccurate data.
Erasure ("right to be forgotten"): Delete your account and all associated data from your account settings, or email us.
Portability: Receive your data in a structured, machine-readable format (JSON). Use the "Download my data" option in account settings.
Restriction: Ask us to pause processing while a dispute is resolved.
Objection: Object to processing based on legitimate interests at any time.
Automated decision-making: We do not make solely automated decisions that have a legal or similarly significant effect on you.

8. Security

We implement appropriate technical and organisational measures including TLS encryption in transit, row-level security in our database, CSRF protection, and rate limiting. See our Security Policy for details on vulnerability disclosure.

9. Changes to this policy

We may update this policy. If we make material changes we will notify you by email at least 14 days before the changes take effect. The current version is always available at citefit.com/privacy.

Effective date: 4 May 2026. Last reviewed: 4 May 2026.