Privacy Policy

Last updated: 24 April 2026

1. Introduction

citepath.io (ABN 48 595 594 995) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and manage your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using citepath.io, you agree to the collection and use of information as described in this policy.

2. Information We Collect

Account information

When you create an account, we collect your email address, a hashed password managed by our authentication provider, and optionally your first and last name.

Usage data

When you use citepath.io, we collect the URLs and search queries you submit, the results of citation checks (including per-engine cited status), any monitored query configurations you create, and saved queries in your query library.

Billing information

Payment processing is handled entirely by Stripe on their hosted checkout page. We do not collect or store your payment card details. We store only your subscription plan, Stripe customer ID, Stripe subscription ID (removed on cancellation), and subscription period dates (the start and end of your current billing period, derived from Stripe).

Support communications

If you contact us through the in-app support chat, we may retain your email address, plan tier, and the content of your conversation in order to respond to and resolve your enquiry.

Waitlist submissions

If you join a feature waitlist, we collect and store your email address until the relevant feature is launched.

3. How We Use Your Information

We use the information we collect to:

  • Provide and operate the citepath.io service
  • Run citation checks across AI engines on your behalf
  • Generate fix recommendations based on your submitted page content
  • Track and display your citation history and monitoring results
  • Process payments and manage your subscription
  • Respond to support requests
  • Enforce usage limits and prevent quota abuse
  • Meet our legal and regulatory obligations

4. Third-Party Service Providers

We use the following third-party service providers to operate citepath.io. Each provider receives only the information necessary to perform their function.

Provider | Purpose | Data shared
Supabase | Database & authentication | Account details, usage data, simulation results. Primary database hosted in Sydney, Australia.
Vercel | Application hosting | IP address, request metadata. Server logs are retained for 1 day.
Stripe | Payment processing | Email address, payment card details, billing information. Collected directly by Stripe on their hosted checkout page.
Perplexity, OpenAI, Google, Anthropic | AI citation checks & fix recommendations | The URL and query you submit for a citation check. Page content from your submitted URL is also sent to generate fix recommendations.
Resend | Email delivery | Email address, plan tier, and support conversation content — only when you escalate a support conversation.
Upstash | Rate limiting | An anonymised user identifier used to count requests. No personal data beyond this.

5. Overseas Disclosure

Some of your personal information is disclosed to third-party service providers located outside Australia, including providers based in the United States (Vercel, Stripe, Perplexity, OpenAI, Google, Anthropic, Resend, Upstash). Each provider operates under their own privacy policy and data protection commitments.

By using citepath.io, you consent to your personal information being disclosed to these overseas recipients.

6. PDF Report Generation

Citation and monitoring reports are generated entirely within your browser. No PDF files are uploaded to or stored on our servers.

7. Data Retention

Data type | Retention period
Account and profile data | Until account deletion
Simulation history | Until account deletion. URLs and queries are anonymised on deletion — simulation count records are retained to prevent quota abuse.
Monitored and saved queries | Permanently deleted on account deletion
Email address | Retained indefinitely after account deletion. Your authentication record is preserved to prevent quota abuse via re-registration with the same email. All other personal data is removed on deletion.
Financial records | 5 years (tax and accounting obligations)
Payment card details | Not stored by citepath.io. Stripe retains payment data under its own obligations — see Stripe's Privacy Policy.
Server logs | 1 day (Vercel Pro plan)
Waitlist submissions | Until the relevant feature is launched

8. Account Deletion

You may delete your account at any time via the account settings page. Deletion takes effect immediately and cannot be undone.

When you delete your account, the following happens:

  • Immediately deleted: your monitored queries, monitoring history, saved query library, and any client portals you have created.
  • Anonymised and retained: your simulation records — the URL and query fields are replaced with anonymous placeholders and the result data is removed. The anonymised records are retained solely to prevent quota abuse via re-registration with the same email address.
  • Retained indefinitely: your email address in our authentication system, and your Stripe customer identifier. Your email is retained to prevent quota bypass via re-registration; your Stripe customer identifier is retained to enable seamless re-subscription if you return. All other personal data is removed on deletion.
  • Stripe subscription: if you have an active paid subscription, it is cancelled immediately at the time of deletion.

If you re-register with the same email address, your account will reuse the same account identifier. All previously deleted data remains gone and is not recoverable.

9. Security

We implement industry-standard technical and organisational measures to protect your personal information, including encryption in transit and at rest, access controls, and authentication safeguards. While we take reasonable steps to protect your information, no system is completely secure and we cannot guarantee absolute security.

10. Cookies

citepath.io uses cookies solely for authentication session management. We do not use cookies for advertising or cross-site tracking. You can disable cookies in your browser settings, but doing so will prevent you from logging in.

11. Your Rights

Australian users

Under the Australian Privacy Principles, you have the right to:

  • Request access to the personal information we hold about you
  • Request correction of inaccurate or incomplete information
  • Delete your account and associated data via the account settings page
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have not handled your information in accordance with the APPs

EU, EEA, and UK users

If you are located in the European Union, European Economic Area, or United Kingdom, you also have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:

  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent where processing is based on consent
  • Right to lodge a complaint with your local data protection supervisory authority

To exercise any of these rights, contact us at privacy@citepath.io. We will respond within 30 days.

12. Minimum Age

citepath.io is intended for users aged 18 and over. We do not knowingly collect personal information from anyone under the age of 18.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the change takes effect. Continued use of citepath.io after that date constitutes acceptance of the updated policy.

For non-material changes (such as clarifications or corrections that do not affect how your data is handled), we may update the policy and date without prior notice.

14. Contact Us

For privacy-related enquiries or to exercise your rights, contact us at:

citepath.io

ABN 48 595 594 995

privacy@citepath.io