CiteOptify

Effective date: 19 February 2026 • Last updated: 19 February 2026

Privacy Policy

Data controller: Mirnesa Čalaković (sole trader / individual business entity)

Jurisdiction: Republic of Serbia

Contact: [email protected]

This Privacy Policy explains how CiteOptify, operated by Mirnesa Čalaković (“we”, “us”, or “our”), collects, uses, shares, and protects personal data when you use our platform. It applies to all users of CiteOptify, including business customers and any individuals they authorise to access the platform.

If you are a business customer submitting content that contains personal data of third parties (for example, your own end-users or employees), please refer to Section 11 (Data Controller vs. Data Processor) for information on how that data is handled.

1. Personal Data We Collect

1.1 Account Information

When you create an account via Google OAuth or Microsoft OAuth, we receive your name, email address, and profile picture from the identity provider. We do not receive or store your OAuth password.

1.2 Customer Content

We collect and process the text and URLs you submit for auditing, including:

  • Text content submitted for analysis
  • URLs submitted for page audits
  • Extracted page content fetched from submitted URLs (temporarily held during processing only)
  • Generated audit results, scores, and recommendations

1.3 Billing Information

Payment processing is handled entirely by Paddle, our Merchant of Record. We do not receive or store your full payment card details. We receive and store only your Paddle customer ID, subscription status, and transaction references necessary to manage your account.

1.4 Usage and Technical Data

We automatically collect data about how you interact with the platform, including:

  • IP address
  • Browser type, version, and language
  • Device type and operating system
  • Pages visited, features used, and actions taken
  • Timestamps of access and sessions
  • Error logs and performance data

2. Lawful Basis for Processing

Where GDPR or equivalent data protection law applies, we rely on the following lawful bases:

  • Performance of a contract (Article 6(1)(b) GDPR): Processing your account information, Customer Content, and billing references is necessary to provide the services you have contracted for.
  • Legitimate interests (Article 6(1)(f) GDPR): We process usage and technical data to operate, secure, and improve the platform, detect fraud, and prevent abuse. These interests are not overridden by your fundamental rights.
  • Legal obligation (Article 6(1)(c) GDPR): We retain financial and transaction records as required by applicable accounting and tax law.
  • Consent (Article 6(1)(a) GDPR): Where we use non-essential cookies or analytics trackers, we rely on your consent, which you may withdraw at any time via our cookie preference centre.

3. How We Use Personal Data

We use the data we collect to:

  • Provide, operate, and maintain the CiteOptify platform, including processing audits and generating reports
  • Manage your account, credits, subscriptions, and billing
  • Authenticate your identity and maintain session security
  • Send transactional communications (account confirmations, invoices, renewal reminders, and service notices)
  • Detect, investigate, and prevent fraud, abuse, and security incidents
  • Monitor platform performance and diagnose technical issues
  • Improve and develop new features and services
  • Comply with legal obligations

We do not use your personal data to train AI models, and we do not sell, rent, or share personal data with third parties for marketing purposes.

4. Sharing Personal Data with Third Parties

4.1 AI Service Providers

Content submitted for auditing is transmitted to AI model providers for analysis. We pass only the content required to generate the audit result — we do not include your name, email, or other account identifiers in these requests. Content is processed solely to produce audit Output and is not retained by our AI providers for model training under our applicable agreements.

4.2 Payment Processor

Paddle acts as our Merchant of Record and processes all payment transactions. Paddle independently controls payment data under its own privacy policy. Please review Paddle's Privacy Policy for details on how your payment information is handled.

4.3 Infrastructure and Service Providers

We use sub-processors to host and operate the platform. A current list of our key sub-processors is set out in Section 10. These parties may access data only to the extent necessary to perform their services and are contractually bound to keep it confidential.

4.4 Legal Disclosure

We may disclose personal data if required to do so by applicable law, regulation, court order, or governmental authority. Where legally permissible, we will notify the affected user before disclosure.

4.5 Business Transfers

If we are involved in a merger, acquisition, or sale of business assets, personal data may be transferred as part of that transaction. We will notify affected users prior to any such transfer and the acquiring entity will be required to honour this Privacy Policy.

5. Data Retention

  • Account data: Retained for as long as your account is active. Upon account deletion, account data is removed within 30 days, except where retention is required by law.
  • Audit results and reports: Stored in your account until you delete them or close your account.
  • Extracted page content: Retained only for the duration of audit processing and rendering of results; not stored long-term.
  • Financial and transaction records: Retained for a minimum of 5 years, or as required under applicable accounting and tax regulations.
  • Usage and technical logs: Retained for up to 12 months for security and operational purposes, then deleted or anonymised.

6. Data Security

We implement appropriate technical and organisational security measures to protect personal data, including:

  • Encryption of data in transit (TLS) and at rest
  • Access controls limiting data access to authorised personnel
  • Monitoring and logging for anomalous activity and security incidents
  • Regular security reviews of our infrastructure and dependencies

No method of transmission or storage is 100% secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data. To exercise any of these rights, contact us at the email address in Section 12.

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete data
  • Erasure: Request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations
  • Restriction: Request that we limit processing of your data in certain circumstances
  • Portability: Receive a copy of data you provided to us in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdrawal of consent: Where processing is based on consent, withdraw that consent at any time without affecting prior processing

We will respond to rights requests within 30 days. Where a request is complex or voluminous, we may extend this by a further 60 days with notice. If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection supervisory authority.

8. Account Deletion

You can request deletion of your account by contacting us. Upon receiving a verified deletion request, we will:

  • Delete your account and profile data within 30 days
  • Permanently remove all audit results and Customer Content
  • Cancel any active subscription
  • Retain financial and transaction records as required by law

9. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

  • Essential: Authentication, session management, and security (always active)
  • Functional: Theme preferences, language settings, and UI state
  • Analytics: Aggregate usage data via Google Analytics and Microsoft Clarity (requires consent)
  • Performance: Error tracking via Sentry and core web vitals monitoring (requires consent)

You can manage your cookie preferences at any time via the cookie preference centre accessible from the footer. Withdrawing consent for non-essential cookies will not affect your ability to use the platform.

10. Sub-Processors

We use the following key sub-processors to deliver the platform. Each is bound by data protection obligations consistent with this Privacy Policy:

  • Vercel Inc. — Platform hosting and edge infrastructure (USA; Standard Contractual Clauses)
  • Neon / Vercel Postgres — Database hosting (USA; Standard Contractual Clauses)
  • Google LLC — OAuth authentication and Google Analytics (USA; Standard Contractual Clauses)
  • Microsoft Corporation — OAuth authentication and Microsoft Clarity analytics (USA; Standard Contractual Clauses)
  • xAI / AI model providers — AI content analysis (content submitted for auditing only; no personal identifiers transmitted)
  • Paddle.com Market Ltd. — Payment processing and Merchant of Record (UK/USA; independent controller for payment data)
  • Sentry — Error monitoring and performance tracking (USA; Standard Contractual Clauses)

We review our sub-processors periodically. Material changes will be communicated via an update to this Privacy Policy.

11. Data Controller vs. Data Processor

For personal data that relates to you as an account holder (name, email, billing references), Mirnesa Čalaković acts as the independent data controller.

Where you, as a business customer, submit Customer Content that contains personal data of third parties (for example, content from your website that includes personal information, or employee-related data), you act as the data controller for that personal data and we act as the data processor, processing it solely on your instructions to provide the audit service.

A Data Processing Addendum (DPA) is available on request for business customers that require one to meet their own compliance obligations (for example, under GDPR). Please contact us to obtain a copy.

12. International Data Transfers

CiteOptify is operated from the Republic of Serbia. Our sub-processors are located in the United States and the United Kingdom. When we transfer personal data to countries not deemed adequate by the European Commission, we use one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreements (IDTAs) where applicable
  • Adequacy decisions where relevant (e.g., UK adequacy for transfers from the EEA)

You may request a copy of the applicable transfer safeguards by contacting us.

13. Children's Privacy

CiteOptify is a professional B2B platform not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or by prominent notice on the platform at least 14 days before the change takes effect. The revised policy will be identified by an updated effective date at the top of this page. Your continued use of the platform after the effective date constitutes acceptance of the revised policy.

15. Contact and Complaints

For questions about this Privacy Policy, to exercise your rights, or to raise a data protection concern, please contact:

Mirnesa Čalaković
CiteOptify

Email: [email protected]

Jurisdiction: Republic of Serbia

If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or the relevant national data protection authority in your EU member state).
