Privacy Policy

Last updated: May 2026

1. Who we are

AutoProv Ltd (company number 16724369), a company registered in England and Wales with registered office at 241a Selbourne Road, Unit 5, Luton, Bedfordshire LU4 8NP, trading as CiteFlow, is the data controller responsible for your personal data when you use the CiteFlow platform. Contact us at privacy@citeflow.co.uk for any data protection enquiries.

2. Personal data we collect

• Account information: name, email address, company name, hashed password.
• Billing information: processed by Stripe once payments are enabled. We do not store card numbers.
• Site details you provide: your website URL, target keywords, knowledge-base content.
• Publicly accessible site content fetched by our audit crawler, subject to your site's robots.txt.
• CMS publishing credentials you choose to connect. Stored encrypted at rest.
• Generated content, audits, citation results, and ranking history produced by the Service.
• Usage data: logs of requests, IP addresses, and basic telemetry to operate and secure the Service.
• Correspondence: emails and messages you send us.

3. Legal bases

• Performance of a contract: to provide the Service you have signed up for.
• Legitimate interests: to secure, debug, and improve the Service, and to communicate operational updates.
• Legal obligation: to retain billing records and respond to lawful requests.
• Consent: where required (for example, optional marketing emails).

4. Retention

• Account data: for the lifetime of your account, plus up to 6 years for tax and accounting records as required by HMRC.
• Audit data and generated content: for the lifetime of your account; deleted within 30 days of account closure.
• System logs: 12 months rolling.
• Email correspondence: 2 years.
• Free audit request rows: 12 months. Email captures: until account deletion or 36 months, whichever is sooner. Aggregate analytics (counts, trends, no personal data): retained indefinitely.

4a. Free audit tracking

When you use our free audit tool at /audit:

• We log the URL you audited, the time of the audit, UTM parameters from the audit URL, the page you came from (referrer), your browser type (user agent), and your approximate country (derived from your IP address by Cloudflare).
• We store a hashed (irreversible) version of your IP address for rate-limiting and abuse prevention. We never store your raw IP address.
• We use a first-party session cookie called cf_audit_session to recognise repeat visits to the audit page. This is an essential cookie and does not require consent.
• If you submit your email to receive the full audit report, we link your audit history to your account if you later sign up at CiteFlow.
• This data helps us understand how the audit tool is used and improve it. It is never sold or shared with third parties for marketing.

You can request deletion of your free audit data by contacting privacy@citeflow.co.uk.

5. Sub-processors

We use the following sub-processors to deliver the Service. Each is bound by contractual data protection obligations.

• Anthropic, AI content generation and audit synthesis
• OpenAI, AI content generation and citation tracking
• Perplexity, AI citation tracking
• Google (Gemini API), AI citation tracking
• SerpAPI, Rank tracking and AI Overview detection
• Resend, Transactional email delivery
• Supabase, Database, authentication, file storage
• Cloudflare, Workers, CDN, infrastructure
• Stripe, Payment processing (reserved, not yet integrated)

6. International transfers

Some sub-processors are based outside the UK and EEA, primarily in the United States. Transfers are made on the basis of the UK International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK Addendum, supplemented by appropriate technical and organisational measures.

7. Your UK GDPR rights

• Right of access, download your data from your dashboard.
• Right to rectification, edit your profile in your dashboard.
• Right to erasure, request account deletion from your dashboard.
• Right to data portability, your export is machine-readable JSON.
• Right to object and to restrict processing.
• Right to lodge a complaint with the Information Commissioner's Office (ico.org.uk).

8. Security

We protect your data with HTTPS in transit, encryption at rest for sensitive credentials (via pgcrypto), database row-level security, access controls, and routine security reviews. No system is completely secure; please report any vulnerability to privacy@citeflow.co.uk.

9. Breach notification

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected users without undue delay as required by UK GDPR Article 33.

10. Children

The Service is not directed to anyone under 18. We do not knowingly collect personal data from children.

11. Changes to this policy

We will post any updates here and update the "Last updated" date. Material changes will also be notified to account holders.

12. Contact

Data protection enquiries: privacy@citeflow.co.uk. Postal address: AutoProv Ltd, 241a Selbourne Road, Unit 5, Luton, Bedfordshire LU4 8NP.