Privacy Policy
Last updated: 20 March 2026
1. Introduction
CiteCrawl Ltd ("we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, store, and protect your personal data when you use the CiteCrawl service ("the Service") at www.citecrawl.com.
We are the data controller for the personal data we process. If you have questions about this policy, contact us at Team@CiteCrawl.com.
2. Lawful Basis for Processing
Under the GDPR and UK GDPR, we process your personal data on the following lawful bases:
- Contract — Processing necessary to deliver the Service you have purchased (account creation, audit delivery, payment processing, email delivery of reports).
- Legitimate Interests — Processing necessary for our legitimate business interests, including service improvement, fraud prevention, error monitoring, and security (where these do not override your rights).
- Legal Obligation — Processing required to comply with legal requirements, such as retaining payment records for tax and accounting purposes.
- Consent — Where we rely on your consent (e.g. marketing communications), you may withdraw consent at any time by contacting us or using the unsubscribe link in any marketing email.
3. Data We Collect
Account Data
When you create an account, we collect your email address and password (stored as a secure hash). If you provide it during signup, we also collect your full name and company name.
Audit Data
When you submit a website URL for audit, we collect the URL, the audit results (scores, check data, evidence), and the generated PDF report. We access only publicly available content on your website — we do not require or use any login credentials for your site.
Payment Data
Payment processing is handled by Stripe. We do not store your credit card number, CVV, or full card details. Stripe may share with us your card type, last four digits, and billing address for record-keeping purposes.
Usage Data
We collect standard web analytics data including IP address, browser type, pages visited, and timestamps. This data is used to improve the Service and diagnose technical issues.
Error and Performance Data
We use Sentry for error monitoring. When an error occurs, Sentry may collect technical data such as browser type, operating system, error stack traces, and the page URL where the error occurred. This data is used solely to identify and fix technical issues. Personal identifiers (emails, IP addresses) are scrubbed before transmission.
4. How We Use Your Data
We use your data to:
- Create and manage your account
- Process payments and deliver audit reports
- Send you audit results and report download links via email
- Send transactional emails (account confirmation, password reset, payment receipts, support ticket updates)
- Improve the audit methodology and Service quality
- Respond to support requests and contact form submissions
- Detect and prevent fraud or abuse
- Monitor and resolve technical errors (via Sentry)
We do not sell your personal data to third parties. We do not use your data for advertising purposes. We will only send promotional emails with your prior opt-in consent. You can unsubscribe at any time via the unsubscribe link in any marketing email.
5. Third-Party Services and Data Processors
We use the following third-party data processors to operate the Service. We have Data Processing Agreements (DPAs) in place with each processor as required under GDPR Article 28:
- Stripe — Payment processing. Stripe processes your payment information under their own Privacy Policy.
- Supabase — Database hosting and authentication. Your account and audit data is stored in a PostgreSQL database hosted by Supabase in the EU. See Supabase's Privacy Policy.
- Amazon Web Services (AWS) — Infrastructure. We use AWS Lambda for audit processing, S3 for report storage, SES for email delivery, and SQS for job queuing. Data is processed in the EU. See AWS's Privacy Policy.
- Sentry — Error monitoring and performance tracking. Sentry receives technical error data (stack traces, browser type, page URLs) with personal identifiers scrubbed. Data is stored in the EU. See Sentry's Privacy Policy.
- Google PageSpeed Insights API — We use this API to measure your website's performance metrics (TTFB, LCP, INP, page weight). Google processes the URL you submit under their own Privacy Policy.
- Cloudflare — DNS and CDN. Cloudflare processes traffic metadata under their own Privacy Policy.
A full list of sub-processors is available on request by emailing Team@CiteCrawl.com.
6. Cookies
We use essential cookies to maintain your authenticated session. The session cookie is set by Supabase Auth and is strictly necessary for the Service to function. No consent is required for essential cookies under GDPR.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. If we introduce non-essential cookies in the future, we will obtain your consent before setting them.
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using authenticated features of the Service.
7. Data Retention
We retain your account data for as long as your account is active. Audit results and reports are retained for 12 months from the date of generation. Payment records are retained for 7 years as required by accounting regulations.
When you delete your account, we will delete your personal data within 30 days, except where retention is required by law.
8. Your Rights
Under applicable data protection law (including GDPR, UK GDPR, and CCPA), you have the right to:
- Access — Request a copy of the personal data we hold about you
- Rectification — Request correction of inaccurate data
- Erasure — Request deletion of your personal data ("right to be forgotten")
- Portability — Request your data in a structured, machine-readable format
- Restriction — Request that we limit processing of your data
- Objection — Object to processing of your data for certain purposes
- Withdraw Consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, email us at Team@CiteCrawl.com. We will respond within 30 days (or 45 days for complex requests, as permitted by law).
Right to Lodge a Complaint: You have the right to lodge a complaint with your relevant data protection supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk.
9. California Residents (CCPA)
If you are a California resident, in addition to the rights above:
- We do not sell your personal information as defined under the CCPA.
- We do not share your personal information for cross-context behavioural advertising.
- You have the right to request disclosure of the categories and specific pieces of personal information we have collected.
- You will not face discrimination for exercising your CCPA rights (e.g. we will not charge different prices or provide a different level of service).
10. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- All data is transmitted over HTTPS with TLS 1.2+
- Passwords are hashed using bcrypt before storage
- Database access is restricted by row-level security policies
- AWS infrastructure is configured with least-privilege IAM policies
- Payment data is handled exclusively by Stripe (PCI DSS Level 1 certified)
- Error monitoring data is scrubbed of personal identifiers before transmission to Sentry
11. Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.
Breach notifications will include: the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.
12. International Data Transfers
Your data is primarily processed and stored in the European Union. Where data is transferred outside the EU (e.g. to Stripe in the US), it is protected by Standard Contractual Clauses or equivalent safeguards as required by GDPR Chapter V.
13. Children's Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
15. Contact
If you have questions or concerns about this Privacy Policy or our data practices, contact us at:
CiteCrawl Ltd
Email: Team@CiteCrawl.com