Privacy Policy
Last updated: April 23, 2026
This Privacy Policy describes how CiteRelay ("we", "us", or "our") collects, uses, and shares information when you use our website and software service (the "Service").
If you have questions, contact us at citerelay@gmail.com.
1. What the Service does
CiteRelay helps you create marketing and answer-engine-oriented content for products you promote. In practice, the Service may: (a) retrieve public information from URLs you submit using our scraping integration (Firecrawl); (b) run AI-assisted workflows to analyze that material and produce structured outputs such as keyword targets and draft pages; and (c) let you export generated content (for example as Markdown archives). Features and limits depend on your plan.
2. Information we collect
2.1 Account and authentication
When you sign up or sign in, we collect the profile and authentication details needed to operate accounts—for example your name, email address, email verification status, and optional profile image. We use Better Auth for authentication. Sign-in flows may use email-based verification codes sent through Resend.
We also maintain session records (including session identifiers and expiry). Where supported by our stack, session metadata such as IP address and browser user agent may be stored to protect accounts and investigate abuse.
2.2 Campaign and product data you provide
To run campaigns, you submit URLs and related inputs (for example "activation" or AEO-style questions). We store the normalized URL, scraped page content and related scrape metadata returned by our scraping provider, your prompts, model-derived "AEO context" outputs, and generated page drafts (including fields such as keyword, intent label, optional quality score, and Markdown content). This data is associated with your user account in our application database.
2.3 Billing
If you purchase a paid plan, Stripe processes payments and subscription lifecycle events. We store Stripe identifiers and subscription status in our systems so we can enforce plan limits and show billing state in the product. Stripe receives billing and payment data directly according to its own privacy policy when you check out or manage billing in the Stripe customer portal.
2.4 Usage, reliability, and security
- Redis may be used for rate limiting, caching, and related operational data tied to keeping the Service fast and fair.
- Arcjet helps us detect automated abuse and protect sensitive routes; this can involve processing request metadata (such as IP-derived signals) at the edge.
- Inngest runs background jobs (for example long-running content generation) and processes the event payloads needed to complete those jobs.
2.5 AI model providers
Generation features call OpenRouter, which routes requests to underlying model providers. Today our configuration uses Google Gemini-class models via that integration. Prompts and retrieved context needed to fulfill your requests are transmitted to OpenRouter and its providers so the Service can return results. We do not use your scraped website content, campaigns, or generated pages to train any AI models. Furthermore, our API agreements with providers like OpenRouter restrict them from using your data to train their foundational models.
3. How we use information
We use the information above to:
- Provide, operate, and improve the Service;
- Authenticate users and prevent fraud or abuse;
- Enforce plan limits (campaigns, pages, scrapes, credits);
- Process payments and communicate about billing where applicable;
- Provide support when you contact us;
- Comply with law and respond to lawful requests.
4. Legal bases (EEA/UK users)
Where the GDPR or UK GDPR applies, we rely on appropriate bases such as: performance of a contract (providing the Service you request); legitimate interests (security, abuse prevention, product improvement, and internal analytics that do not override your rights); and consent where we expressly ask for it.
5. How we share information
We share information with service providers that process it on our instructions, including those referenced in this policy (for example Firecrawl, OpenRouter, Stripe, Resend, Arcjet, Inngest, Redis hosting, and our PostgreSQL database host). We do not sell your personal information. We may disclose information if required by law or to protect the rights, safety, and integrity of users and the public.
6. Data retention
We retain information for as long as your account is active and as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. You may request deletion of your account data by contacting citerelay@gmail.com; some records may persist where law requires or where necessary for legitimate business purposes (for example limited billing audit trails).
7. Security
We use administrative, technical, and organizational measures designed to protect information. No method of transmission or storage is completely secure.
8. International transfers
We may process information in the United States and other countries where we or our subprocessors operate. Where required, we use appropriate safeguards for cross-border transfers.
9. Your choices and rights
Depending on your location, you may have rights to access, correct, delete, export, or restrict certain processing of your personal information, and to object to some processing. To exercise these rights, email citerelay@gmail.com. You may also have the right to lodge a complaint with a supervisory authority.
10. Children
The Service is not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from them.
11. Changes
We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the "Last updated" date.