Privacy Policy
Last updated: February 26, 2026
1. Introduction
This Privacy Policy explains how Makeri ("we," "us," or "our"), operating as Citesurf, collects, uses, shares, and protects your personal information when you use our website and services at citesurf.com.
We are committed to protecting your privacy and handling your data transparently in accordance with the General Data Protection Regulation (GDPR), the Italian Data Protection Code (D.Lgs. 196/2003), and the Italian AI Law (Law No. 132/2025).
By using Citesurf, you agree to the collection and use of information as described in this policy. If you do not agree with our practices, please do not use our services.
This Privacy Policy is provided in English as the sole legally binding version. An Italian translation is available for convenience only. In the event of any conflict between the Italian translation and the English version, the English version shall prevail.
2. Definitions
For the purposes of this Privacy Policy:
- Personal Data: Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- User: The individual using Citesurf who is the subject of Personal Data.
- Data Controller: The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this Privacy Policy, the Data Controller is Makeri.
- Data Processor: A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller.
- Service: The Citesurf website at citesurf.com and the AI visibility analysis platform, including all related features and functionality.
- Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
3. Data Controller
The data controller responsible for your personal information is:
Name: Makeri
VAT: IT13457560962
Email: legal@citesurf.com
For any privacy-related questions or to exercise your rights, please contact us at the email address above.
Data Protection Officer
As a small business that does not engage in large-scale processing of special categories of personal data or systematic monitoring of individuals, we are not legally required to appoint a Data Protection Officer under GDPR Article 37. All privacy inquiries and requests to exercise your data protection rights can be directed to legal@citesurf.com.
4. Information We Collect
4.1 Information You Provide
When you create an account and use Citesurf, you provide us with:
- Account Information: Email address, name (optional), and authentication credentials managed by our authentication provider
- Brand Information: Brand name, website URL, target language, and other details you submit for analysis
- AI Chat Messages: Messages you send through the in-app AI Chat Assistant, including questions and prompts about your brand's AI visibility
- Communication Data: Any messages or support requests you send to us
Mandatory vs. Optional Data
| Data Category | Requirement | Purpose |
|---|---|---|
| Email address | Mandatory | Required for account creation, authentication, and service communications |
| Brand name | Mandatory | Required to perform AI visibility analysis |
| Website URL | Mandatory | Required to identify your brand across AI platforms |
| Target language | Optional | Used to tailor AI queries to your target market; defaults to English if not provided |
Consequence of not providing mandatory data: Without the mandatory information listed above, we cannot create your account or provide our AI visibility analysis services.
4.2 Information Collected Automatically
When you access our services, we automatically collect:
- Usage Data: Scan results, visibility metrics, insights, and how you interact with our features
- Technical Data: IP address, browser type and version, device type, operating system, and general location (country/region) derived from your IP address
- Log Data: Access times, pages viewed, and referring URLs
4.3 Information from Third Parties
We may receive information from:
- Authentication Provider (Clerk): Account verification and authentication data
- Payment Processor (Polar.sh/Stripe): Transaction records and subscription status (we do not store your full payment card details)
5. How We Use Your Information
We use your personal information to:
- Provide Our Services: Analyze your brand's AI visibility, run scans across AI platforms, generate insights, and provide AI-powered chat assistance about your brand
- Process Payments: Handle subscription billing and manage your account status
- Communicate With You: Send service notifications, respond to inquiries, and provide customer support
- Improve Our Services: Analyze usage patterns, fix bugs, and develop new features
- Send Marketing Communications: Share product updates, tips, and promotional content (with your consent or based on legitimate interest for existing customers)
- Ensure Security: Detect and prevent fraud, abuse, and unauthorized access
- Comply With Legal Obligations: Meet regulatory requirements and respond to legal requests
6. Legal Basis for Processing
Under GDPR Article 6, we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the services you requested (account management, brand analysis, scan execution)
- Legitimate Interests: Processing for purposes like service improvement, analytics, security, and marketing to existing customers, where these interests are not overridden by your rights
- Consent: Where required, such as for certain marketing communications or optional features
- Legal Obligations: Processing required to comply with applicable laws
Summary of Processing Activities
| Processing Activity | Legal Basis | Data Categories |
|---|---|---|
| Account creation and management | Contract | Email, name |
| Brand visibility scanning | Contract | Brand name, website, competitors |
| AI insights generation | Contract | Brand data, scan results |
| AI Chat Assistant | Contract | Chat messages, brand data |
| Payment processing | Contract | Transaction data, billing info |
| Service notifications (scan complete, account alerts) | Contract | |
| Customer support | Contract | Email, communication data |
| Marketing emails to existing customers | Legitimate interest | |
| Service improvement and analytics | Legitimate interest | Usage data, technical data |
| Security and fraud prevention | Legitimate interest | Technical data, log data |
| Legal compliance | Legal obligation | As required by law |
7. Data Sharing and Third-Party Services
We share your information with the following categories of service providers who process data on our behalf:
Authentication
- Clerk — Manages user authentication and account security (Privacy Policy)
Payments
- Polar.sh — Handles subscription management and billing (Privacy Policy)
- Stripe — Processes payment transactions via Polar.sh (Privacy Policy)
Hosting and Infrastructure
- Vercel — Hosts our application and provides analytics (Privacy Policy)
- Upstash — Powers background job processing (Privacy Policy)
AI Platform Queries
For brand visibility scanning, we query the following AI platforms:
- OpenAI (ChatGPT) — Privacy Policy
- Anthropic (Claude) — Privacy Policy
- Google (Gemini) — Privacy Policy
- Perplexity — Privacy Policy
Important: When querying AI platforms for scanning, we only send your brand name, website, and related business information (competitors, category). We do not transmit your personal account information (email, name) to these providers.
AI Chat Assistant
The Service includes an AI Chat Assistant (available to all users, with usage limits varying by subscription plan) that allows you to ask questions about your brand's AI visibility. When you use the AI Chat Assistant:
- Data sent to Google (Gemini): Your chat messages are sent to Google's Gemini AI model along with contextual brand data (brand name, website, latest scan results, and site audit data) to generate relevant responses. Your personal account information (email, name) is not sent.
- Chat session data: Chat conversations exist only in your browser session and are not stored in our database. When you close the chat panel, navigate away, or end your session, your chat messages are permanently lost.
- Token usage tracking: We track the number of tokens (a measure of text length) consumed per chat session to enforce daily usage limits associated with your subscription plan. This tracking records only aggregate token counts per user, not the content of your messages.
- No chat data retention: We do not store, log, or retain the content of your chat conversations on our servers. Google processes your messages according to their Privacy Policy.
- Data processing agreement: We maintain a Data Processing Agreement (DPA) with Google in accordance with GDPR Article 28, ensuring that your chat data is processed with appropriate contractual safeguards.
We do not sell your personal information to third parties.
Data Not Used for AI Training
We do not use your personal data or brand information to train artificial intelligence or machine learning models. Your data is processed solely to provide the Service to you and is not used to benefit other customers or improve AI models.
Sub-processor Changes
We may update the list of service providers above as our business needs evolve. Material changes to our sub-processors will be reflected in updates to this Privacy Policy.
8. Cookies and Similar Technologies
We use a minimal set of cookies essential for service operation:
Cookie Details
| Cookie | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| __clerk_* | Clerk | Authentication session management and account security | Session | Essential |
| locale | Citesurf | Stores your selected interface language preference | 1 year | Essential |
Analytics
- Vercel Analytics: We use Vercel's privacy-focused analytics, which is cookieless and does not use personally identifiable information for tracking
What We Don't Use
- No advertising or retargeting cookies
- No third-party tracking pixels
- No social media tracking cookies
Cookie Consent
The cookies we use are strictly essential for the operation of our Service (authentication and language preference). Under GDPR and the ePrivacy Directive, essential cookies that are strictly necessary for the service requested by the user do not require consent. We do not use any cookies that require user consent.
9. International Data Transfers
Your information may be transferred to and processed in countries outside the European Economic Area (EEA), particularly the United States, where our service providers are located. This includes AI Chat Assistant messages, which are transmitted to Google's servers for processing by the Gemini AI model.
When we transfer data internationally, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework: Our US-based providers participate in the EU-US Data Privacy Framework where applicable
- Standard Contractual Clauses: We use EU-approved contractual terms with providers who process personal data outside the EEA
- Adequacy Decisions: Where available, we rely on European Commission adequacy decisions
10. Data Retention
We retain your personal information as follows:
- Active Accounts: Your data is retained for as long as your account remains active
- Account Deletion: When you delete your account, all your personal data and brand information are permanently deleted immediately (typically within minutes via our automated webhook system)
- Payment Records: Transaction records are retained by our payment processors (Polar.sh/Stripe) according to their retention policies and legal requirements
- AI Chat Messages: Not retained. Chat conversations exist only in your browser session and are permanently deleted when the session ends
- Legal Requirements: We may retain certain data longer if required by law or to protect our legal rights
11. Your Privacy Rights
Under GDPR, you have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data (you can delete your account at any time in Settings)
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Object: Object to processing based on legitimate interests, including direct marketing
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time
To exercise these rights, contact us at legal@citesurf.com. We will respond within 30 days.
Right to Lodge a Complaint
If you believe we have not handled your data properly, you have the right to lodge a complaint with the Italian Data Protection Authority:
Garante per la protezione dei dati personali
Website: https://www.garanteprivacy.it
12. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
- Encryption at Rest: Database content is encrypted at rest
- Secure Authentication: User authentication is managed by Clerk with industry-standard security practices
- Access Controls: We limit access to personal data to authorized personnel only
- Regular Updates: We keep our systems and dependencies updated to address security vulnerabilities
While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
13. Automated Decision-Making and Profiling
How We Use AI
Citesurf uses artificial intelligence to analyze how AI platforms (ChatGPT, Claude, Gemini, Perplexity) mention and recommend brands — not to make decisions about you as a user.
What Our AI Does
- Analyzes AI platform responses to determine if and how they mention your brand
- Generates visibility scores, sentiment analysis, and competitive insights about brands
- Creates actionable recommendations for improving brand visibility
- Provides conversational AI assistance about your brand's AI visibility through the AI Chat Assistant
What Our AI Does NOT Do
- No user profiling: We do not create profiles about you based on automated processing
- No automated decisions affecting you: We do not make automated decisions that produce legal effects or similarly significantly affect you as an individual
- No credit scoring or similar assessments: We do not use AI to assess your creditworthiness, reliability, behavior, or personal characteristics
- No marketing profiling: We do not use automated processing to predict your preferences or target you with personalized advertising
AI Transparency (EU AI Act)
In accordance with the EU AI Act (Regulation 2024/1689), we inform you that:
- All AI-generated content in Citesurf (including scan insights, recommendations, and AI Chat Assistant responses) is produced by automated AI systems, not by humans
- The AI Chat Assistant is an automated system powered by third-party AI models — no human reviews or approves individual responses before they are shown to you
- AI-generated outputs should be treated as machine-generated suggestions, not as verified facts or professional advice
Your Rights Under GDPR Article 22
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Since our AI processing focuses exclusively on brand analysis and not on individual user assessment, this right is not applicable to our core service. However, if you have any concerns about automated processing, please contact us at legal@citesurf.com.
14. Data Breach Notification
Our Commitment
In the event of a personal data breach, we are committed to:
- Notifying the Supervisory Authority: We will notify the Italian Data Protection Authority (Garante per la protezione dei dati personali) without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to your rights and freedoms
- Notifying Affected Users: If a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, describing the nature of the breach and what steps you can take to protect yourself
What Constitutes a Notifiable Breach
A notifiable breach includes any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Examples include:
- Unauthorized access to user account data
- Accidental exposure of personal information
- Loss or theft of data storage devices containing personal data
- Malicious attacks resulting in data exfiltration
Breach Response
Our breach response procedures include:
- Immediate containment and assessment of the incident
- Documentation of the breach and its effects
- Notification to relevant authorities and affected users as required
- Implementation of measures to prevent recurrence
15. Children's Privacy
Citesurf is not intended for individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at legal@citesurf.com. If we discover we have collected data from someone under 18, we will delete it promptly.
16. Marketing Communications
Email Communications
- Transactional Emails: We send essential service emails (account confirmations, scan completions, billing notifications) regardless of marketing preferences
- Marketing Emails: We may send product updates, tips, and promotional content to existing customers based on legitimate interest
- Opt-Out: You can unsubscribe from marketing emails at any time using the unsubscribe link in any email or by updating your preferences in account settings
Your Choices
You have full control over marketing communications. Opting out of marketing will not affect transactional emails necessary for service delivery.
17. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last updated" date at the top of this policy
- Continued use of Citesurf after changes become effective constitutes acceptance of the revised policy
We encourage you to review this policy periodically.
18. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
Email: legal@citesurf.com