Privacy Policy.
Last updated: April 29, 2026. We collect the minimum necessary, store it for the shortest necessary time, and never sell or share your data with third parties for marketing.
1. What we collect
Application form (citerlabs.com/apply): name, work email, role, company website, approximate revenue band, the priority query you want to be cited for, and your reason for considering GEO. We also auto-capture: UTM parameters, referrer, time-on-site before submission, and IP-derived country (no full IP storage).
Free GEO Score tool: the domain you submit and the email address you provide. We then score that domain's citation share across 4 AI engines.
Email correspondence: any messages you send us via founder@, refund@, or [email protected].
Sprint engagement (paying clients only): the data you provide via the onboarding form (priority prompts, competitor list, content URLs, CMS access tokens, brand assets) and any operational data exchanged during the engagement.
Anonymous analytics: Cloudflare Web Analytics (privacy-respecting, no cookies, no cross-site tracking).
2. What we do NOT collect
- No third-party tracking cookies. No cross-site tracking pixels.
- No payment card data — Cashfree handles all payment processing; we never see card numbers.
- No precise location data, browser fingerprints, or behavioral profiles for advertising.
- No social media login data (we don't use OAuth via social platforms).
3. Why we collect what we do
- Application data — to qualify Sprint applications and to understand fit before accepting payment.
- Email captures — to send the requested GEO Score report, and (with your application context) follow-up about your application.
- Sprint engagement data — to deliver the contracted service.
- Analytics — to understand which content is being read and improve it.
4. How we store and protect your data
Application data, GEO Score requests, and Sprint engagement data are stored in Supabase (Postgres) with Row-Level Security enabled. Server-only access via service-role keys. Database is hosted in Singapore (ap-southeast-1).
Email correspondence is stored in Gmail (forwarded via Cloudflare Email Routing) and in Resend's send log. Marketing email lists are not maintained — we only email people who actively initiated contact (applied, requested GEO Score, or are active clients).
Encryption in transit: TLS 1.3 across all surfaces (Cloudflare, Supabase, Resend, Cashfree). At rest: AES-256 (Supabase default).
5. Third-party services we use
We use carefully selected third-party services to operate the business. Each is bound by its own privacy policy:
- Cloudflare (CDN, hosting, DNS, edge functions, analytics)
- Supabase (Postgres database)
- Resend (transactional email)
- Cashfree (payment processing)
- OpenRouter (LLM API gateway for ChatGPT, Claude, Gemini)
- Perplexity (Perplexity Sonar API)
- Anthropic, OpenAI, Google (underlying LLM providers — none receive personally identifiable client data; only category-level prompts about brands)
6. Your rights
Under the Indian DPDP Act 2023 and GDPR (for EU residents), you have the right to:
- Access any personal data we hold about you
- Correct inaccurate personal data
- Delete your personal data (subject to legal retention requirements)
- Object to processing for any specific purpose
- Port your data to another service
- Withdraw consent for any processing based on consent
To exercise any of these rights, email [email protected]. We respond within 30 days (typically same week).
7. Data retention
Application data: retained for 2 years from submission. Deleted on request.
GEO Score email captures: retained for 1 year unless you become a client, opt in to ongoing updates, or request deletion.
Active client engagement data: retained for the duration of the engagement plus 2 years for billing and support records.
Email correspondence: retained per Gmail's retention.
Anonymous analytics: retained for 6 months.
8. Children's privacy
CiterLabs is a B2B service. We do not knowingly collect data from anyone under 18. If you believe we have inadvertently collected such data, contact [email protected] for immediate deletion.
9. International data transfers
Some service providers (Resend, Cloudflare, OpenRouter) host data in the United States and other regions. Transfers are made under appropriate safeguards including Standard Contractual Clauses where applicable.
10. Changes to this policy
We may update this policy. Material changes are communicated to active clients via email. The "last updated" date at the top reflects the most recent change.
11. Contact
For any privacy questions or to exercise your rights, email [email protected].