1. Introduction
This Privacy Policy describes how Citerex ([COMPANY LEGAL NAME]), a company registered in [REGISTERED CITY, India], collects, uses, processes, and protects information about users of the Citerex platform and the citerex.com website (collectively, the “Service”).
We comply with the General Data Protection Regulation (EU 2016/679) for users in the European Economic Area, the California Consumer Privacy Act and CCPA amendments for California residents, and the Digital Personal Data Protection Act 2023 for users in India. [ATTORNEY REVIEW REQUIRED: confirm exact regulatory citations match your published documentation.]
2. Information We Collect
2.1 Information You Provide
When you create an account, we collect: email address, name, company name, payment details (processed by our payment partners — Razorpay for INR transactions, Stripe for USD transactions, NOWPayments for cryptocurrency), and any information you submit through the platform (brand details, target prompts, citation drafts, support communications).
2.2 Information Collected Automatically
When you use the Service, we automatically collect: IP address, browser type, device identifiers, pages visited, actions taken (clicks, scans run, dashboards viewed), session duration, and referrer information. This data is used to operate, secure, and improve the Service.
2.3 Information from Third Parties
If you sign in via Google OAuth, we receive your name, email, and profile photo from Google subject to your Google account permissions. We may receive aggregated analytics data from third-party services (e.g., Vercel analytics, Supabase logs).
3. How We Use Your Information
We use collected data to: (a) provide and operate the Citerex Service, including running AI visibility scans, seeding citations, and tracking results; (b) process payments via Razorpay, Stripe, and NOWPayments; (c) send transactional emails (account confirmations, billing receipts, citation reports) via Resend; (d) communicate with you about service updates, security issues, and (with consent) marketing; (e) detect and prevent fraud, abuse, and security incidents; (f) comply with legal obligations and enforce our Terms of Service.
4. Google User Data Policy
Citerex's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, we use calendar data only to create events you request through the Citerex platform. We never read existing events, share calendar data with third parties, or use Google user data for advertising. You may revoke Google permissions at any time from your Citerex account settings or directly via your Google account.
5. Data Processors and Sub-Processors
We share data with the following processors strictly for service delivery:
- Vercel (hosting + edge functions) — processes all platform traffic
- Supabase (database + authentication) — stores account data and platform records
- Razorpay (INR payments) — processes Indian payment transactions
- Stripe (USD payments) — processes international payment transactions
- NOWPayments (cryptocurrency) — processes crypto payment transactions
- Resend (transactional email) — sends account-related emails
- OpenRouter (AI model access) — processes AI visibility scan queries
- Google OAuth (sign-in + calendar) — handles federated authentication and user-managed calendar events when used
[ATTORNEY REVIEW REQUIRED: verify each processor has a signed Data Processing Agreement (DPA). For GDPR compliance, you need DPAs with each. Most of the above provide standard DPAs accessible from their dashboards.]
6. International Data Transfers
Your data may be transferred to, processed in, and stored on servers located outside your country of residence — including the United States (Vercel, Stripe, Supabase regions), the European Union, and India. For EU users, transfers outside the EU rely on Standard Contractual Clauses (SCCs) approved by the European Commission. [ATTORNEY REVIEW REQUIRED: confirm SCC versions and supplementary measures per Schrems II requirements.]
7. Your Rights
7.1 Rights Under GDPR (EU/EEA Users)
You have the right to: access your personal data; rectify inaccurate data; erase your data (“right to be forgotten”); restrict processing; exercise data portability; object to processing; and withdraw consent at any time. To exercise these rights, contact us at privacy@citerex.com. We will respond within 30 days.
7.2 Rights Under CCPA (California Residents)
California residents have the right to: know what personal information is collected; know whether personal information is sold or disclosed; opt out of the sale of personal information (we do not sell personal information); access personal information collected; and request deletion. We do not discriminate against users exercising CCPA rights. Contact privacy@citerex.com.
7.3 Rights Under DPDP Act 2023 (India)
Indian users have the right to: access personal data; correct, complete, update, or erase personal data; nominate another individual to exercise rights in case of death or incapacity; and seek grievance redressal. Our Data Protection Officer can be reached at dpo@citerex.com. [ATTORNEY REVIEW REQUIRED: confirm DPO designation requirements based on data fiduciary classification.]
8. Data Retention
We retain account data for the duration of your active subscription plus [RETENTION PERIOD — typically 90 days] after account closure, after which data is deleted or anonymized. Payment records are retained for [TAX RETENTION PERIOD — typically 7 years for India] to comply with tax and audit requirements. Automatic logs (server, security, abuse detection) are retained for [SHORT RETENTION — typically 90 days].
9. Security
We implement industry-standard security measures including: encryption in transit (TLS 1.2+), encryption at rest for sensitive data, access controls with two-factor authentication for staff, regular security audits, and incident response procedures. No system is perfectly secure — if we discover a data breach affecting your information, we will notify you within 72 hours of becoming aware (per GDPR Article 33) and the relevant supervisory authority as required by law. [ATTORNEY REVIEW REQUIRED: confirm exact breach notification timelines for each jurisdiction — DPDP Act has separate notification requirements.]
10. Children's Privacy
The Service is not directed to children under 18. We do not knowingly collect personal information from minors. If we learn that we have collected information from a child under 18, we will delete it. Parents or guardians who believe a minor has provided information should contact privacy@citerex.com.
11. Cookies and Tracking
We use cookies and similar technologies as described in our Cookie Policy. You can manage cookie preferences through your browser settings.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Active users will be notified of material changes by email at least 30 days before the changes take effect. The “Last updated” date at the top reflects the most recent revision.
13. Contact
Questions about this Privacy Policy or data practices: privacy@citerex.com.
Data Protection Officer: dpo@citerex.com.
Postal address: [REGISTERED COMPANY ADDRESS, INDIA].
This document requires legal review before publishing. Bracketed placeholders [LIKE THIS] must be replaced with your specific values. Sections marked [ATTORNEY REVIEW REQUIRED] involve jurisdiction-specific legal nuances that need verification by a qualified attorney familiar with India's DPDP Act 2023, EU GDPR, and US CCPA.