1. Introduction
Citora ("we," "us," or "our") is operated by Nukes AI & Software Solution. We are committed to protecting your privacy and handling your data with transparency. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our GEO analytics platform.
By using Citora, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.
2. What Data We Collect
We collect the following categories of data:
- Account information: Name, email address, company name, and password (hashed) when you register.
- Brand data: Your brand name, domain, product aliases, competitor names, and the prompts you choose to track.
- Usage data: How you interact with the platform, including dashboard views, report downloads, and feature usage.
- Analytics data: IP address, browser type, device information, and pages visited (via PostHog, Google Analytics, and server logs).
- Billing data: Payment method tokens (processed by Razorpay; we do not store full card numbers), billing address, and transaction history.
- AI scan data: The prompts you track, AI engine responses, citation results, and extracted source URLs.
3. How We Use Your Data
We use your data for the following purposes:
- Service provision: To run daily scans, generate reports, and display your GEO analytics dashboard.
- Communication: To send weekly digests, alerts, billing notifications, and product updates.
- Product improvement: To analyze usage patterns, fix bugs, and develop new features.
- Security: To detect fraud, prevent abuse, and protect our infrastructure.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
4. Legal Basis for Processing (GDPR)
Under the GDPR, we process your data based on the following legal grounds:
- Contract: Processing necessary to provide the services you signed up for.
- Legitimate interests: Fraud prevention, security, and product analytics.
- Consent: Marketing communications and non-essential cookies.
- Legal obligation: Tax reporting and regulatory compliance.
5. Data Retention
- Workspace data: Retained while your account is active. You can export or delete your data at any time from your account settings. Deleted accounts enter a 30-day grace period before permanent deletion.
- Billing data: Retained for 7 years to comply with tax regulations.
- Analytics data: Retained for 12 months, then anonymized.
6. Your Rights
Depending on your jurisdiction, you have the right to:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate or incomplete data.
- Erasure:Request deletion of your data ("right to be forgotten").
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Restriction: Request limited processing in certain circumstances.
To exercise any of these rights, email us at legal@citorahq.com. We respond within 30 days.
7. Cookies and Tracking
We use the following categories of cookies:
- Essential: Required for the platform to function (authentication, security).
- Analytics: Help us understand how visitors interact with Citora (PostHog and Google Analytics).
- Functional: Remember your preferences (dark mode, dashboard layout).
For more details, see our Cookie Policy.
8. Third-Party Processors
We share data with the following subprocessors to operate our service:
| Processor | Purpose | Location |
|---|---|---|
| Razorpay | Payment processing & billing | India |
| better-auth | Authentication (incl. Google / Microsoft OAuth) | Self-hosted |
| PostgreSQL (managed) | Primary database | USA/EU |
| Upstash Redis | Caching & rate limiting | USA/EU |
| Inngest | Background job processing | USA |
| Vercel | Application hosting | USA/EU |
| Google Workspace (Gmail) | Transactional email | USA |
| PostHog | Product analytics | USA/EU |
| Google Analytics | Website traffic analytics | USA |
| Sentry | Error monitoring | USA |
| OpenAI, Anthropic, Google, Perplexity, xAI (via OpenRouter) | AI scan & citation extraction | USA |
9. International Transfers
Your data may be transferred to and processed in countries outside your jurisdiction, including the United States. We ensure that all subprocessors maintain adequate data protection standards. Where required, we use Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.
10. Data Security
We implement industry-standard security measures:
- TLS encryption for all data in transit
- Encryption at rest provided by our managed database and hosting providers
- Row-level security and multi-tenant isolation
- Regular automated backups with point-in-time recovery
- Rate limiting and abuse protection
11. Children's Privacy
Citora is not intended for individuals under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes via email or in-app notification at least 30 days before they take effect.
13. Contact Us
For privacy-related questions, data requests, or DPA inquiries, contact our Data Protection Officer: