Privacy Policy — Citefy

Scope & Who This Policy Covers

This Privacy Policy explains how Citefy collects, uses, shares, and protects personal information when you:

• Visit our websites, apps, or dashboards,
• Create or use a Citefy account,
• Interact with our services that analyze brand visibility and citations across AI/LLM platforms, and
• Communicate with us (support, sales, marketing).

If you use Citefy on behalf of a company, you represent you have authority to accept this Policy for that company.

Key Definitions

Data We Collect

How We Use Data

We process Personal Data to:

• Provide and secure the service, authenticate users, prevent fraud/abuse.
• Operate product features, including collecting and analyzing citations/mentions, computing scores/insights, and rendering dashboards.
• Measure performance and improve reliability, quality, and user experience.
• Bill and collect payments, manage subscriptions and trials.
• Support & communicate, including service announcements, updates, and responding to requests.
• Comply with law, enforce terms, and protect our rights, users, and the public.
• (With consent or as permitted by law) Marketing: send product news, tips, and offers. You can unsubscribe anytime.

Legal Bases

Where applicable, we rely on: Contract performance, Legitimate interests (e.g., service security, product improvement, non-intrusive analytics), Consent (where required, e.g., marketing cookies), and Legal obligations.

Sharing & Disclosures

We share Personal Data only as needed and with safeguards:

• Service Providers/Sub-processors: cloud hosting, storage, security, analytics, email, support, payment processing. They act under contract and process data per our instructions.
• Integrations You Enable: If you connect external tools, data flows to those tools under their privacy terms.
• Legal/Compliance: To comply with law, enforce terms, or protect rights and safety.
• Business Transfers: In mergers, acquisitions, or financing, subject to confidentiality and continued protection.

We do not sell Personal Data. For CPRA (California), we do not "sell" or "share" Personal Information for cross-context behavioral advertising.

International Data Transfers

We operate globally and may transfer data to countries that may have different data-protection laws. Where required, we use appropriate safeguards (e.g., EU Standard Contractual Clauses, UK IDTA/Addendum).

Retention

We retain Personal Data for as long as necessary to provide the service, comply with legal obligations, resolve disputes, and enforce agreements.

• Customer Content: retained per your workspace settings and contract; deleted or anonymized within a reasonable period after account closure or upon verified request, subject to backups and legal holds.
• Logs/Backups: kept for limited periods for security and continuity.

Security

We employ administrative, technical, and physical safeguards, including encryption in transit and at rest, access controls with least privilege, secret management, audit logging, and regular vulnerability handling. No system is 100% secure; please use strong passwords/SSO and protect your credentials.

Your Rights & Choices

Depending on your location, you may have rights to:

• Access, correct, update your Personal Data
• Delete your Personal Data (subject to legal/contractual limits)
• Export/portability
• Object/restrict certain processing (e.g., direct marketing)
• Withdraw consent (where processing is based on consent)
• Appeal an adverse decision, where required by law

To exercise rights, email support@citefy.ai from your account email. We may verify your identity. For California residents, you may also request: "Do Not Sell or Share" and know categories of data collected/disclosed.

Email preferences: You can unsubscribe via email footer or in-app settings (transactional emails will still be sent).

Children's Privacy

Citefy is not directed to children, and we do not knowingly collect Personal Data from children under applicable age thresholds. If you believe a child provided Personal Data, contact us to delete it.

India (DPDPA) & Local Disclosures

For users in India, we process Personal Data as a Data Fiduciary under the Digital Personal Data Protection Act, 2023, adhering to lawful purposes, consent/legitimate uses, data minimization, accuracy, security safeguards, and grievance redressal.

Cookies & Tracking

We use necessary cookies to run the service and, with consent where required, analytics/functional/marketing cookies. See our Cookie Policy for categories, purposes, and retention. You can manage preferences in our cookie banner or your browser.

Automated Decision-Making

Citefy computes analytics scores and flags potential issues automatically. These outputs do not make legal or similarly significant decisions about individuals. You can contact support for clarification or to contest a result related to your account.

Third-Party Links

Our services may link to third-party sites. Their privacy practices are governed by their own policies.

Enterprise, DPA & Sub-processors

We offer a Data Processing Addendum (including SCCs/UK addendum where applicable) for enterprise customers. We maintain a current list of sub-processors and will provide reasonable notice of changes as required by contract.

Changes to This Policy

We may update this Policy to reflect changes to our practices or legal requirements. We'll post the updated version with a new effective date and, where required, provide notice.

Controller & Roles

For most processing, Citefy AI Labs Private Limited is the Data Controller. For Customer Content where we process on behalf of a customer organization, we act as Data Processor/Service Provider under the applicable data-protection laws and our DPA.