Legal

Privacy policy

Last updated: 19 May 2026

Who runs CitationDesk

CitationDesk is operated by Paulo de Vries, a sole proprietor based in the Netherlands. Contact: [email protected]. For data-protection inquiries use the same address with the subject line "Privacy".

What we collect

• If you only visit the marketing site: we collect anonymous, aggregated visit data via Plausible Analytics — page URL, referrer, device class, country. No cookies, no fingerprinting, no cross-site tracking. Plausible is GDPR-compliant by design.
• If you submit a URL to the Free Citation Readiness Score tool: we record the URL you entered, the score result, and the timestamp. We do not associate that submission with a personal identifier unless you also provide an email.
• If you create an account (Pro / Team / Enterprise tiers, available post-launch): we store your email, your subscription tier, your Stripe customer ID (created when you start a paid subscription), and the sites + queries you choose to track. We never store your password — Clerk handles authentication via magic link / OAuth.
• Citation data: when you ask CitationDesk to poll LLMs about your sites, we record the model responses, citations captured, and timestamps. This data is associated with your account.

What we do NOT collect

• We do not use third-party tracking pixels (no Facebook Pixel, no Google Ads remarketing, no LinkedIn Insight Tag).
• We do not sell or rent your data. Ever.
• We do not store credit card numbers — Stripe handles all payment data, fully PCI-compliant.
• We do not store any data from third parties about you (no data brokers, no enrichment services).

How we use what we collect

• To run the polling engine that monitors LLM citations for your sites.
• To send you alerts when citation drift hits your tracked queries.
• To process subscription payments via Stripe (paid tiers only).
• To send transactional emails (confirmation, password-reset-equivalent, billing notifications).
• To aggregate anonymized usage statistics to improve the product (e.g., "the median Pro user tracks 12 sites").

Sub-processors

CitationDesk uses the following infrastructure providers, each of which is GDPR-compliant. By using CitationDesk you consent to your data being processed by these services on our behalf:

• Vercel (hosting) — EU + US data centers.
• Cloudflare (CDN + DNS) — global edge network.
• Supabase (database, post-launch) — EU region for EU customers.
• Clerk (authentication, post-launch) — US-based.
• Stripe (payments, post-launch) — global.
• Plausible Analytics (privacy-first web analytics) — EU-hosted.
• Resend (transactional email, post-launch) — US-based, EU sub-processor support.
• Perplexity / Anthropic / OpenAI / Google Vertex AI (LLM APIs used for polling) — only the queries you submit are sent, not your account identity.

Your rights (GDPR + CCPA)

You have the right to access, correct, delete, or export your data. Email [email protected] with subject line "Privacy" — we respond within 30 days. If you're in the EU, you also have the right to lodge a complaint with your local data-protection authority (in NL: Autoriteit Persoonsgegevens). If you're in California, you may opt out of any sale of personal information — there is nothing to opt out of because we don't sell data.

Cookies

The marketing site (citationdesk.com) does not set any tracking cookies. The (post-launch) authenticated dashboard sets a session cookie strictly necessary to keep you logged in. We will add a cookie banner if and when we add cookies that are not strictly necessary.

Data retention

• Free tool submissions: kept indefinitely in aggregated, anonymized form; the original URL/score row is deleted after 90 days.
• Free tier citation data: 12 months.
• Pro tier citation data: 24 months.
• Team / Enterprise citation data: retained for the life of the account, deletable on request.
• Account email + Stripe customer ID: retained for 7 years per Dutch tax-record obligations after account closure.

Changes to this policy

We will note any material change at the top of this page and email account holders if the change affects them. Continued use after a change constitutes acceptance.