Legal
Privacy Policy
This Privacy Policy describes how Cited (“Cited,” “we,” “us,” or “our”) collects, uses, discloses, and retains information in connection with cited.cc and the Cited product (the “Service”). By using the Service, you acknowledge the practices described here. This Policy should be read together with our Terms of Service and Cookie Policy.
1. Introduction and scope
Cited provides AI citation monitoring software. We preserve Evidence from the AI answers you choose to monitor.
This Policy covers account holders, Authorized Users, free-scan visitors, and visitors to public pages.
Depending on the context, Cited may act as a controller of account and website data, and as a processor of Customer Content and Evidence processed on behalf of a customer organization. Where a Data Processing Addendum is executed, that DPA controls for the processing it covers.
2. Information we collect
We collect information customers provide, information generated by monitoring and product use, and limited automatically collected technical information needed to operate, secure, bill, and support the Service.
We do not require you to provide more personal information than is reasonably needed for the purposes described in this Policy.
3. Information customers provide
Account data may include name, email, and authentication identifiers from Clerk where available.
Workspace data may include workspace name, members, roles, settings, plan, and billing state.
Domain data may include verified domains, DNS verification status, and brand aliases.
Notification preferences, Slack connection status, Notebook notes, annotations, and support requests are also customer-provided or customer-configured.
4. Workspace and monitoring data
Monitoring data may include prompts, AI surfaces, locations, schedules, scan runs, citation sources, Evidence, and occurrences.
Cited monitors only the prompts, surfaces, schedules, locations, and verified domains you configure.
5. AI response and citation evidence data
Cited stores monitored response snapshots and Evidence so customers can review historical citation records.
Evidence may include prompt text, response excerpts or snapshots, source URLs, classification labels, and first-seen history from configured monitoring runs.
Evidence is customer workspace data. It is not used to train public foundation models operated by Cited, because Cited does not operate such models.
6. Notebook and annotation data
Notebook entries, revisions, visibility settings, and annotations are stored so teams can keep working context alongside citation Evidence.
You control who you invite into a workspace. Cited is not responsible for member access you grant.
7. Billing data
Billing data includes Stripe customer and subscription references, plan, billing status, and invoice or payment records handled by Stripe.
Cited does not store payment card numbers. Stripe processes card and payment-method data under Stripe’s terms and privacy policy.
8. Authentication data
Clerk manages authentication sessions and related account identifiers. Cited stores the workspace membership and role mappings needed to authorize access.
9. Free scan data
Free scan requests may include domain, brand context, prompts, submitted email, terms or consent status, and a tokenized result link.
Free scan submissions are rate-limited and stored as needed to deliver results, prevent abuse, communicate about the request, and improve Service reliability.
10. Automatically collected information
We may collect feature usage signals, system events, error logs, security logs, device or browser metadata, IP address, and redacted diagnostics.
Logs are designed to avoid storing secrets, full prompt or response bodies, note bodies, annotation bodies, or raw provider payloads in normal operation.
12. How we use information
We use information to:
- Provide, operate, maintain, and secure the Service
- Run configured monitoring and store Evidence
- Deliver alerts, digests, and support communications
- Process billing, prevent fraud, and enforce plan limits
- Investigate abuse, security incidents, and Terms violations
- Improve reliability, performance, and product quality
- Comply with law and respond to lawful requests
13. Legal bases (where required)
Where data-protection law requires a legal basis, we rely on one or more of the following, as applicable: performance of a contract with you; legitimate interests in operating, securing, and improving the Service (balanced against your rights); compliance with legal obligations; and consent where we request it (including certain marketing or optional cookies, if applicable).
15. No sale of personal information
We do not sell personal information. We do not sell personal contact information.
We do not knowingly “share” personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended by the CPRA, in the ordinary operation of the Service.
If our practices change in a way that requires additional notices or opt-outs, we will update this Policy and provide required mechanisms.
16. Third-party service providers
Current subprocessors and categories are listed at /subprocessors and may include Clerk, Supabase, Stripe, Resend, DataForSEO, Vercel, DataFast, optional Slack destinations, and analytics or observability providers when configured.
Those providers process information only as needed to provide their services to Cited, subject to their own terms and our agreements with them.
17. Data retention
We retain data for as long as reasonably necessary to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, and maintain security. Specific retention periods may vary by data type.
Account and workspace data are generally retained while the account is active. Evidence is retained while the subscription or workspace exists, subject to plan access and history windows.
Billing records may be retained as needed for legal and accounting purposes. Logs are retained for a limited operational and security period. Unsubscribe records are retained to honor opt-out requests.
Deleted or canceled accounts may be retained in backups or for legal, security, and business purposes for a reasonable period, after which data is deleted or anonymized in the ordinary course of operations.
18. Data export and deletion requests
Authorized users can export certain Evidence from the product subject to role and plan limits.
You may request access, correction, export, or deletion by contacting privacy or support channels listed at /contact.
Deletion requests are handled after identity and workspace verification. Some billing, security, and legal records may be retained where required. Cited does not currently offer one-click irreversible workspace destruction from the public product UI.
If you are an Authorized User of a customer organization, we may redirect your request to the workspace owner or admin, who controls Customer Content for that workspace.
19. U.S. state privacy rights
Residents of certain U.S. states (including California, Virginia, Colorado, Connecticut, and others with similar laws) may have rights to request access, correction, deletion, portability, and information about our processing practices, subject to verification and legal exceptions.
California residents may also have the right to know categories of personal information collected, sources, purposes, and disclosures, and to not be discriminated against for exercising privacy rights.
To exercise applicable rights, contact the privacy email listed in this Policy. We will verify your request using information associated with your account or submission and respond within the time required by law.
Authorized agents may submit requests where permitted by law, subject to verification of authority.
20. International data transfers
Cited and its providers may process information in the United States and other countries where they operate.
If you access the Service from another country, your information may be transferred to and processed in those locations, which may have different data-protection laws than your jurisdiction.
Where required, we use appropriate transfer mechanisms available under applicable law (such as contractual safeguards with providers).
21. Security
Cited uses workspace-scoped authorization, server-side secret handling, signed webhook verification, encrypted Slack webhook storage, hashed unsubscribe tokens, and related controls described at /security.
No method of transmission or storage is perfectly secure. You are responsible for using strong account protections and for promptly reporting suspected issues.
This Policy does not create a warranty of absolute security beyond the commitments in our Terms.
22. Your choices
You can update notification preferences, disconnect Slack, unsubscribe from applicable emails, export Evidence where permitted, and contact support for privacy requests.
Cookie and analytics behavior is described in the Cookie Policy.
You may close your account by canceling through the billing portal and requesting deletion under this Policy.
23. Children’s privacy
Cited is not directed to children under 16, and we do not knowingly collect personal information from children under 16.
If we learn that we have collected personal information from a child under 16, we will delete it promptly. Contact the privacy email below if you believe a child has provided information.
24. Do Not Track
Some browsers offer a “Do Not Track” signal. The Service does not currently respond to Do Not Track signals in a differentiated way because there is no consistent industry standard. See the Cookie Policy for analytics practices.
25. Changes to this policy
We may update this Privacy Policy as the product or legal requirements change. The effective and last-updated dates appear on this page.
Material changes will be posted on this page and, where required by law, communicated by additional notice. Continued use after the effective date constitutes acknowledgment of the updated Policy where permitted by law.
26. Contact
Privacy requests: hello@cited.cc.
General support: hello@cited.cc.
See /contact for additional channels.