Legal

Privacy Policy

Last updated:

1. Introduction

Citora ("we," "us," or "our") is operated by Nukes AI & Software Solution. We are committed to protecting your privacy and handling your data with transparency. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our GEO analytics platform.

By using Citora, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.

2. What Data We Collect

We collect the following categories of data:

  • Account information: Name, email address, company name, and password (hashed) when you register.
  • Brand data: Your brand name, domain, product aliases, competitor names, and the prompts you choose to track.
  • Usage data: How you interact with the platform, including dashboard views, report downloads, and feature usage.
  • Analytics data: IP address, browser type, device information, and pages visited (via PostHog, Google Analytics, and server logs).
  • Billing data: Payment method tokens (processed by Razorpay; we do not store full card numbers), billing address, and transaction history.
  • AI scan data: The prompts you track, AI engine responses, citation results, and extracted source URLs.

3. How We Use Your Data

We use your data for the following purposes:

  • Service provision: To run daily scans, generate reports, and display your GEO analytics dashboard.
  • Communication: To send weekly digests, alerts, billing notifications, and product updates.
  • Product improvement: To analyze usage patterns, fix bugs, and develop new features.
  • Security: To detect fraud, prevent abuse, and protect our infrastructure.
  • Legal compliance: To comply with applicable laws, regulations, and legal processes.

4. Legal Basis for Processing (GDPR)

Under the GDPR, we process your data based on the following legal grounds:

  • Contract: Processing necessary to provide the services you signed up for.
  • Legitimate interests: Fraud prevention, security, and product analytics.
  • Consent: Marketing communications and non-essential cookies.
  • Legal obligation: Tax reporting and regulatory compliance.

5. Data Retention

  • Workspace data: Retained while your account is active. You can export or delete your data at any time from your account settings. Deleted accounts enter a 30-day grace period before permanent deletion.
  • Billing data: Retained for 7 years to comply with tax regulations.
  • Analytics data: Retained for 12 months, then anonymized.

6. Your Rights

Depending on your jurisdiction, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure:Request deletion of your data ("right to be forgotten").
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Restriction: Request limited processing in certain circumstances.

To exercise any of these rights, email us at legal@citorahq.com. We respond within 30 days.

7. Cookies and Tracking

We use the following categories of cookies:

  • Essential: Required for the platform to function (authentication, security).
  • Analytics: Help us understand how visitors interact with Citora (PostHog and Google Analytics).
  • Functional: Remember your preferences (dark mode, dashboard layout).

For more details, see our Cookie Policy.

8. Third-Party Processors

We share data with the following subprocessors to operate our service:

ProcessorPurposeLocation
RazorpayPayment processing & billingIndia
better-authAuthentication (incl. Google / Microsoft OAuth)Self-hosted
PostgreSQL (managed)Primary databaseUSA/EU
Upstash RedisCaching & rate limitingUSA/EU
InngestBackground job processingUSA
VercelApplication hostingUSA/EU
Google Workspace (Gmail)Transactional emailUSA
PostHogProduct analyticsUSA/EU
Google AnalyticsWebsite traffic analyticsUSA
SentryError monitoringUSA
OpenAI, Anthropic, Google, Perplexity, xAI (via OpenRouter)AI scan & citation extractionUSA

9. International Transfers

Your data may be transferred to and processed in countries outside your jurisdiction, including the United States. We ensure that all subprocessors maintain adequate data protection standards. Where required, we use Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.

10. Data Security

We implement industry-standard security measures:

  • TLS encryption for all data in transit
  • Encryption at rest provided by our managed database and hosting providers
  • Row-level security and multi-tenant isolation
  • Regular automated backups with point-in-time recovery
  • Rate limiting and abuse protection

11. Children's Privacy

Citora is not intended for individuals under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes via email or in-app notification at least 30 days before they take effect.

13. Contact Us

For privacy-related questions, data requests, or DPA inquiries, contact our Data Protection Officer:

Nukes AI & Software Solution

Data Protection Officer

legal@citorahq.com