Privacy Policy
TEMPLATE — not yet legal advice. Review by qualified counsel (and a DPO where required) and complete the bracketed details before launch. CiteLyra is operated by an EU entity, so this draft is written around the GDPR.
Controller: SCAILE Technologies GmbH, [REGISTERED ADDRESS]
Data protection contact: [DPO / PRIVACY EMAIL]
Version: 2026-06-25 · Effective: [EFFECTIVE DATE]
1. Scope
This policy explains what personal data we process when you use CiteLyra, why, on what legal basis, who we share it with, and your rights.
2. Data we collect
- Account data: email address, hashed password, email-verification status, account timestamps.
- Generation data: the topics, research questions, and metadata you submit; generated drafts and intermediate artifacts; discovered sources and citation verification results.
- Billing data: credit balance and ledger. Card/payment details are handled by Lemon Squeezy, not by us — we receive purchase/credit events, not card numbers.
- Operational data: request and job logs with correlation IDs, error reports, and basic usage/cost metrics. We avoid placing draft content in analytics or error-monitoring payloads and redact secrets.
3. Why we process it (purposes and legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the service (accounts, generation, downloads) | Contract (6(1)(b)) |
| Billing and credit accounting | Contract (6(1)(b)) |
| Security, abuse prevention, cost control | Legitimate interests (6(1)(f)) |
| Service emails (verification, password reset, transactional) | Contract (6(1)(b)) |
| Legal/accounting obligations | Legal obligation (6(1)(c)) |
4. AI and search providers (what content leaves us)
To generate a draft, your topic and related content are sent to the configured AI provider and to search/citation providers, and artifacts are stored with our object-storage provider. The current providers, what they receive, and whether they may retain content are listed in Subprocessors. You should not submit sensitive personal data of others in your topics.
5. Sharing
We share data only with the subprocessors needed to run the service (AI, search, hosting, storage, email, payments, error monitoring) and where required by law. We do not sell personal data.
6. International transfers
Some providers process data outside the EEA. Where they do, transfers rely on appropriate safeguards (e.g. EU Standard Contractual Clauses). See Subprocessors.
7. Retention
- Account data: kept while your account exists.
- Generations and artifacts: retained per the configured retention schedule and deleted on request or on account deletion.
- Logs/metrics: kept for a limited operational period, then deleted or aggregated. [Specify exact retention periods before launch.]
8. Your rights
Subject to applicable law, you can request access, rectification, erasure, restriction, and portability, and you can object to certain processing. You can delete your account and its generations from within the app (Account → Delete), and contact [DPO / PRIVACY EMAIL] for other requests. You may lodge a complaint with your supervisory authority.
9. Security
Passwords are hashed (PBKDF2). Sessions use secure, HTTP-only cookies. Transport is encrypted (TLS). Provider keys are server-side secrets, never exposed to the browser. See our Security Policy and report issues to [SECURITY EMAIL].
10. Children
CiteLyra is not directed to children under 16, and we do not knowingly process their data.
11. Changes
We will update the version above and notify you of material changes.
12. Contact
[DPO / PRIVACY EMAIL] · SCAILE Technologies GmbH, [REGISTERED ADDRESS].