Privacy Policy
Last updated: 2026-02-23
1. Data Controller
The data controller responsible for processing your personal data is:
CitedRank UG (haftungsbeschraenkt)
Musterstrasse 1
10115 Berlin, Germany
Email: privacy@citedrank.com
2. Data We Collect
We collect and process the following categories of personal data:
- Account data: email address, password (stored as an irreversible Argon2 hash)
- Domain data: domain names you register for scanning, website content analyzed during scans
- Scan results: scores, recommendations, page findings, and diagnostics generated by our analysis engine
- Billing data: subscription status, plan information (payment card details are processed exclusively by Stripe and never stored on our servers)
- Usage data: session information, feature usage events for analytics and service improvement
3. Purpose of Processing
- Account management: creating and maintaining your user account, authenticating your identity
- Service delivery: performing website scans, generating scores, recommendations, and reports
- Billing: processing subscription payments, managing your billing lifecycle
- Service improvement: analyzing usage patterns to improve features and user experience
- Communication: sending transactional emails related to your account and service
4. Legal Basis for Processing (Art. 6 GDPR)
- Contract performance (Art. 6(1)(b)): processing necessary to provide the CitedRank service you signed up for, including account management, scanning, and billing
- Legitimate interest (Art. 6(1)(f)): analytics and service improvement, fraud prevention, and security measures
- Legal obligation (Art. 6(1)(c)): retention of billing records as required by tax and commercial law
5. Data Processors and Third Parties
We share your data with the following third-party processors, each bound by data processing agreements (DPAs):
- Hetzner Online GmbH (Gunzenhausen, Germany) -- server hosting and infrastructure. Data remains within the EU.
- Stripe, Inc. -- payment processing. Stripe processes payment card data as an independent controller under their own privacy policy. We only store your Stripe customer and subscription IDs.
We do not sell your personal data to third parties. We do not use tracking cookies or third-party analytics services.
6. Data Retention
- Account data: retained for as long as your account is active. Deleted upon account deletion request.
- Scan results and scores: retained while your account is active to provide historical trend data. Deleted upon account deletion.
- Billing records: retained for up to 10 years as required by German tax and commercial law (HGB, AO).
- Session data: automatically expires and is cleaned up periodically.
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): request a copy of all personal data we hold about you. Use the "Export My Data" feature in your account settings.
- Right to rectification (Art. 16): request correction of inaccurate data.
- Right to erasure (Art. 17): request deletion of your personal data. Use the "Delete Account" feature in your account settings.
- Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (JSON).
- Right to restriction (Art. 18): request that we restrict processing of your data in certain circumstances.
- Right to object (Art. 21): object to processing based on legitimate interest.
To exercise any of these rights, contact us at privacy@citedrank.com or use the self-service options in your account settings. We will respond within 30 days.
8. Cookie Policy
CitedRank uses only essential cookies required for the service to function:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| session_id | Authentication session management | Session / configurable TTL | Essential |
| cookie_consent | Remembers that you have acknowledged this cookie notice | 1 year | Essential |
We do not use any tracking, analytics, or advertising cookies. No third-party cookies are set.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS for all connections)
- Encryption at rest for database storage
- Passwords stored using Argon2id hashing (industry best practice)
- CSRF protection on all state-changing API requests
- Rate limiting to prevent abuse
- Regular security reviews and dependency updates
10. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement. The competent supervisory authority for us is:
Berliner Beauftragte fuer Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin, Germany
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify registered users of material changes by email and update the "Last updated" date at the top. We encourage you to review this policy periodically.