Privacy Policy

Last updated: March 2026

This Privacy Policy explains how CitationIQ Pro ("we", "us"), operated by Morris Richter (Amsterdam, Netherlands), collects, uses, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Dutch and EU data protection laws.

1. Data Controller

Morris Richter
Amsterdam, the Netherlands
Email: hello@citationiq.pro

2. Data We Collect

Data	Purpose	Legal Basis
Name, email, company	Account creation	Contract performance
Password (hashed)	Authentication	Contract performance
Scanned website URLs	AEO analysis	Contract performance
Payment info (via Stripe)	Billing	Contract performance
IP address (anonymized)	Security, rate limiting	Legitimate interest
Usage data (pages, features)	Service improvement	Legitimate interest

3. How We Use Your Data

We use your data to: provide and maintain the Service, process payments, send transactional emails (welcome, password reset, billing), improve the Service based on usage patterns, prevent fraud and abuse, and comply with legal obligations.

4. Third-Party Processors

Service	Purpose	Location
Stripe	Payment processing	US (EU-US DPF)
Anthropic (Claude API)	Blueprint generation	US (EU-US DPF)
Google (OAuth)	Authentication	US (EU-US DPF)
Namecheap	Hosting	US
Email provider (Brevo/Postmark)	Transactional email	EU/US

All third-party processors are bound by data processing agreements and comply with GDPR requirements for international transfers.

5. Data Storage & Security

Your data is stored on secured servers. We implement: password hashing (bcrypt), HTTPS encryption in transit, rate limiting and IP-based abuse prevention, file-level access controls, and CSRF protection on all forms. We do not sell or share your personal data with third parties for marketing purposes.

6. Data Retention

Account data: retained while your account is active, plus 30 days after deletion. Scan results: retained for 12 months. Payment records: retained for 7 years (Dutch tax law). Security logs: retained for 90 days.

7. Your Rights (GDPR)

You have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — request deletion of your data ("right to be forgotten")
• Portability — receive your data in a structured format
• Restriction — limit how we process your data
• Objection — object to processing based on legitimate interest
• Withdraw consent — where processing is based on consent

To exercise these rights, email hello@citationiq.pro. We will respond within 30 days.

8. Cookies

We use only essential cookies required for authentication (session cookies). We do not use advertising, tracking, or analytics cookies. No cookie consent is required for essential cookies under GDPR, but we display an informational notice.

9. Children

The Service is not directed at individuals under 18. We do not knowingly collect personal data from children.

10. Changes

We will notify you of material changes to this policy via email at least 14 days before they take effect.

11. Supervisory Authority

If you believe we have violated your data protection rights, you may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl

12. Contact

For privacy questions: hello@citationiq.pro