AI Citation MonitorCitation Monitor

Privacy Policy

Last updated: June 2026

Short version: we collect the minimum we need to run the product, we never sell your data, we never train models on it, and you can ask us to delete it any time. Here is the longer version, written so a normal person can read it.

Who we are

AI Citation Monitor is a product of Outline Technologies and the data controller for the information described here. For any privacy question, email [email protected] and a real person will answer, usually the same day.

What we collect

  • The domain you check or track. When you run a free check or add a brand, we store the domain, the buyer questions (prompts) we generate or you provide, and your competitor list, so we can run the measurement and show results.
  • Your email, when you give it to us to receive a full report or to create an account.
  • Account data, if you sign up: your login and session, handled through Supabase Auth. If you sign in with Google, we receive your email and basic profile from Google, nothing more.
  • Lead data on the free checker: the email and domain you submit, plus a hashed (not reversible) version of your IP for abuse protection.
  • Payment data, handled entirely by our merchant of record, Creem. We never see or store your full card number; we receive your plan and payment status.
  • Usage data: privacy-friendly, cookieless-style analytics (page views and product events) so we know what to improve. No cross-site ad tracking.
  • Support messages you send us.

Why we collect it, and our legal bases

We use your data to run your AI visibility checks, generate and send the report you asked for, keep your account and billing working, prevent abuse of the free tools, and improve the product. Under the GDPR our bases are: performing our contract with you (running the service you signed up for), our legitimate interests (security, abuse prevention, product improvement), your consent where required (for example marketing email), and legal obligations (tax and accounting records). That is the whole list.

Who we share it with

To measure your visibility we send your prompts and the domain you track to the AI engines and data sources we check: Perplexity, OpenAI, and Google (Gemini and AI Overviews, the latter via DataForSEO). We send the question and the domain, not your personal details. We also rely on a small set of trusted sub-processors to run the service:

  • Supabase for the database, authentication, and accounts.
  • Cloudflare R2 for storing the raw, immutable measurement results.
  • Resend for sending transactional email.
  • Creem as merchant of record for billing.
  • Plausible for privacy-friendly analytics.

We do not sell your data and we do not hand it to advertisers. We may disclose data if the law requires it, or to protect the service and our users from abuse.

International transfers

Our database and primary storage sit in the EU. Some sub-processors and the AI engines operate outside the EU; where data leaves the EU it is covered by appropriate safeguards such as Standard Contractual Clauses.

How long we keep it

We keep account and measurement data while your account is active, so your history and trends stay intact. Free-check leads are kept so we can send your report and follow up, then cleaned up over time. Raw captures are retained to let us recompute scores without re-querying the engines. Billing records are kept as long as tax law requires. Ask us to delete your data sooner and we will, subject to those legal retention duties.

Cookies

We use cookies for two things only: keeping you logged in, and basic analytics. No third-party advertising cookies and no cross-site tracking. Details are in our cookie policy.

How we protect it

The database is multi-tenant with row-level security, so one account cannot read another's data. Capture tables are append-only. Data is encrypted in transit, server writes use least-privilege access, and secrets are never committed to code.

Your rights

You can ask to see your data, correct it, export it, restrict or object to processing, or delete it. If you are in the EU or UK you have the full set of GDPR rights, including the right to withdraw consent and to complain to your local data protection authority. To exercise any of these, email us and we will sort it out, usually the same day.

Children

The product is for businesses and is not directed at children. We do not knowingly collect data from anyone under 16.

Changes

We may update this policy as the product changes. Material changes will be noted here and, where appropriate, sent by email.

Contact

Questions about any of this? Email [email protected]. A real person reads it.