Privacy Policy

Template — finalise with counsel.

Last updated: 2 May 2026.

Citera ("we", "us") provides a B2B AI content engine. This policy describes the personal data we collect, how we use it, and the rights you have under the GDPR.

What we collect

• Account information — email, name, organization affiliation (via our authentication provider, Clerk).
• Usage data — pages visited, features used, run identifiers (via PostHog).
• Error reports — exception stack traces and request metadata (via Sentry).
• Customer-uploaded content — documents you choose to upload as first-party sources. May contain personal data depending on what you upload.

We do not collect financial information directly. Stripe processes payments and holds card data subject to its own privacy notice.

How we use it

• Operate, secure, and improve the service.
• Generate articles and citation tracking on your behalf.
• Send transactional email (article ready, weekly digest).
• Comply with legal obligations.

We do not use Customer Content to train any AI model. Documents you upload are embedded for retrieval at generation time and stored encrypted; they are never sent to OpenAI as training data.

Where we host it

Customer data lives exclusively in EU regions. See the Data Processing Addendum for the full sub-processor list and region table. The agent runtime asserts EU residency at boot and refuses to start if any service resolves outside the EU.

How long we keep it

• Account data: lifetime of your account. Deleting your account triggers a 30-day soft-delete grace period, after which the purge job permanently removes all rows and R2 blobs.
• Usage analytics: 13 months rolling.
• Error reports: 90 days.
• Customer-uploaded content: lifetime of your account; deleted on the same schedule.

Your rights

You have the right to: access, rectify, erase, restrict processing, port, and object. Email dpo@citera.eu or use the in-app data-export and delete-account controls under Settings → Data export & deletion.

Cookies

We set strictly necessary cookies for authentication (Clerk) and a single analytics cookie (PostHog, EU host). No third-party advertising cookies.

Contact

Citera, [registered address TBD]. dpo@citera.eu.

For complaints you have the right to lodge with your local data protection authority.