Privacy Policy

Draft, 2026

Draft template, pending legal review. This page is a starting point, not legal advice. Bracketed details and the governing terms must be completed and reviewed by a qualified lawyer before this is relied upon.

This policy explains what personal data Citanto collects, why, the legal bases we rely on, and the rights you have. Citanto is European, so this policy follows the GDPR.

1. Who is responsible for your data

The data controller is [Legal entity], [registered address]. For privacy questions, contact [contact email] (or our data protection contact, [DPO / privacy contact]).

2. What data we collect

Depending on how you use Citanto, we may collect:

  • account data: name, email, password (hashed), organisation;
  • billing data: handled by our payment processor; we do not store full card numbers;
  • service data: websites you ask us to audit, generated drafts, tracking results;
  • usage and technical data: device, IP address, and basic analytics about how the site is used.

3. How and why we use your data

We use personal data to:

  • provide and operate the service (audits, content generation, tracking, reports);
  • process payments and manage subscriptions;
  • communicate with you about your account and the service;
  • secure, maintain and improve the service;
  • comply with legal obligations.

4. Legal bases (GDPR)

We rely on: performance of a contract (to provide the service you signed up for); legitimate interests (to secure and improve the service, balanced against your rights); consent (where required, for example certain cookies or marketing); and legal obligation (where the law requires processing). Where consent is the basis, you can withdraw it at any time.

5. Who we share data with

We share data with processors that help us run the service, under appropriate agreements. These may include our payment processor (for example Stripe), hosting and infrastructure providers, analytics, and the AI providers we use to generate or measure content (for example OpenAI, Anthropic, Google, Perplexity). We do not sell your personal data.

6. International transfers

Some processors may be located outside the EEA. Where that is the case, we put appropriate safeguards in place (such as Standard Contractual Clauses) so your data remains protected.

7. How long we keep data

We keep personal data only as long as needed for the purposes above, or as required by law. When you close your account, we delete or anonymise your personal data within a reasonable period, except where we must retain it (for example for accounting).

8. Cookies

We use essential cookies needed to run the site, and, with your consent where required, analytics cookies to understand usage. You can control non-essential cookies through the cookie controls and your browser settings.

9. Your rights

Under the GDPR, you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased in certain circumstances;
  • restrict or object to certain processing;
  • data portability;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with your supervisory authority.

10. Security

We use technical and organisational measures appropriate to the risk to protect personal data. No method of transmission or storage is completely secure, but we work to protect your data and to respond to incidents.

11. Children

The service is not directed to children, and we do not knowingly collect personal data from anyone under the age at which they can consent under applicable law.

12. Changes and contact

We may update this policy and will note the update date. For any privacy question or to exercise a right, contact [contact email].

Bracketed details like [Legal entity], [registered address] and [contact email] must be completed by Citanto and reviewed by a qualified lawyer before this page is relied upon.