LEGAL

Privacy Policy

How Citeable collects, uses, and protects your data. Written to be read.

Last updated: 2026-05-11

1. Data controller

The data controller responsible for the processing of your personal data under the EU General Data Protection Regulation (GDPR) is:

Citeable
[Operated as a registered sole proprietorship — full legal name and registered address available on request via the contact email below while our imprint is being finalised.]
Contact: cedric@citeable.de

Citeable is operated as a Generative Engine Optimization (GEO) and earned-media platform for B2B brand operators. We are currently in a friendly-pilot phase and onboard a small number of testers under individually agreed terms.

2. Scope and your rights

This policy applies to the marketing website at citeable.de, the product application at app.citeable.de, and all integrations you connect to your Citeable workspace.

Under the GDPR you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21), as well as the right to withdraw consent at any time. To exercise any of these rights, email cedric@citeable.de; we respond within 30 days.

You also have the right to lodge a complaint with the data protection authority of the EU member state of your residence.

3. What we collect

We process the categories of data listed below.

Account data
Email, name, profile photo, authentication metadata. Provided by you via Clerk (our authentication provider). Legal basis: contract performance (Art. 6(1)(b) GDPR).
Brand data
Brand name, domain, voice profile, do/don't rules, target audience, and platform-specific voice overrides you enter into Citeable. Legal basis: contract performance.
Generated drafts
The content of drafts produced by our AI pipeline against your brand voice. Stored so you can revisit, edit, and publish. Legal basis: contract performance.
Publishing tokens
OAuth access and refresh tokens for any platform you choose to connect (LinkedIn, Reddit, WordPress). Encrypted at rest with AES-256, scoped to your brand. Legal basis: contract performance, with your explicit OAuth consent.
Third-party platform data
When you publish or browse engagement (e.g. comments on a LinkedIn Page post you authored via Citeable), we display the minimum personal data fields required for you to make publishing decisions — typically commenter name, headline, and profile photo. We do not enrich, resell, or use this data for any other purpose.
Usage data
Errors, performance metrics, and aggregated feature-usage events, used to operate and improve the service. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
Waitlist data
Email address and the page on which you signed up. Used solely to contact you about Citeable's availability. Legal basis: consent (Art. 6(1)(a) GDPR), which you can withdraw at any time.

4. How we use your data

We process the data above for the following purposes only:

  • Operate the Citeable product (auth, brand workspace, draft generation, publishing).
  • Respond to support requests and pilot-onboarding communication.
  • Send transactional and (with consent) marketing email.
  • Monitor reliability and security via error tracking.
  • Comply with legal obligations.

We do not use any personal data, brand data, draft content, or third-party platform data to train any AI model — either our own or any sub-processor's. Drafts are generated by Anthropic's Claude Sonnet on a per-request basis without contributing to model training, per Anthropic's API terms.

5. Sub-processors

We use the following processors to provide the service. Each is bound by a Data Processing Agreement appropriate to its role.

Processor | Purpose | Region
Vercel Inc. | Application hosting, edge functions, cron | USA (EU-DPA in place)
Supabase (managed Postgres) | Primary database for account, brand, draft data | EU — Frankfurt (eu-west-1)
Clerk Inc. | Authentication and session management | USA (EU-DPA in place)
Anthropic PBC | AI draft and suggestion generation (Claude Sonnet) | USA (EU-DPA in place, no training on API data)
Resend Inc. | Transactional and waitlist email | USA (EU-DPA in place)
Sentry | Error and performance monitoring | EU (Frankfurt) where available
IONOS SE | Domain registrar and email forwarding for citeable.de | EU — Germany
LinkedIn / Microsoft | Only when you connect a LinkedIn account: OAuth, publishing, and reading engagement on your own posts | USA
Reddit Inc. | Only when you connect a Reddit account: OAuth and publishing | USA
WordPress.com / your own WP host | Only when you connect a WordPress site: publishing | Per your host

A current list is maintained here. We notify pilot testers in advance of any material change.

6. Retention

  • Account & brand data: retained for as long as your account is active. Deleted within 30 days of account deletion, except where law requires longer retention.
  • OAuth tokens: deleted immediately when you disconnect the platform from your Brand Settings page. Backups purged within 30 days.
  • Drafts: retained while your account is active so you can revisit them. Deletable individually at any time.
  • Third-party engagement cache: cached for at most 24 hours, then re-fetched from the source platform.
  • Waitlist email: retained until you unsubscribe or we close the waitlist.
  • Logs and error reports: retained for 90 days then aggregated or deleted.

7. International transfers

Some sub-processors operate in the United States. Transfers are protected by Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. Primary user data is stored within the EU (Supabase Frankfurt).

8. Security

We apply industry-standard security practices: TLS 1.2+ in transit, AES-256 at rest for sensitive credentials, scoped database access, and the principle of least privilege for all team members.

No system is perfectly secure. If you become aware of a vulnerability, please email cedric@citeable.de — we acknowledge security reports within 48 hours.

9. Cookies

We use strictly necessary cookies only:

  • Authentication and session cookies set by Clerk.
  • Security cookies (CSRF protection).
  • A preference cookie if you change theme or workspace.

We do not use third-party advertising or cross-site tracking cookies.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to active users by email before they take effect. The “last updated” date at the top of this page reflects the current version.

11. Contact

Questions, data-subject requests, or anything you'd like clarified: cedric@citeable.de.