Privacy Policy

We take the protection of your personal data seriously and treat it confidentially in accordance with applicable data protection regulations and this privacy policy. This policy explains the type, scope, and purpose of personal data we process when you use citevolt.com, audit.citevolt.com, or our content service.

The use of our website is generally possible without providing personal data. If personal data (such as name, email address, or store URL) is collected on our pages, this is, as far as possible, always done on a voluntary basis. This data will not be passed on to third parties without your express consent, except as set out in this policy.

We point out that data transmission over the internet (for example, communication by email) can have security gaps. Complete protection of data against access by third parties is not possible.

1. Controller and contact

The responsible entity within the meaning of data protection laws, in particular the EU General Data Protection Regulation (GDPR), is:

For all questions concerning data protection, contact us at hello@citevolt.com.

2. General information on data processing

Data processed during the use of our website and services will be deleted or restricted as soon as the storage purpose no longer applies, provided that no legal retention obligations prevent deletion and unless otherwise specified in the processing procedures below.

We process personal data only where there is a legal basis under Art. 6 GDPR. The relevant legal bases are:

• Art. 6(1)(a) GDPR - your consent
• Art. 6(1)(b) GDPR - performance of a contract with you, or to take steps prior to entering into a contract
• Art. 6(1)(c) GDPR - compliance with a legal obligation
• Art. 6(1)(f) GDPR - our legitimate interests, where these are not overridden by your interests or fundamental rights

3. Free citation audit

When you submit your store URL and email address to run a free citation audit at audit.citevolt.com, you provide voluntary consent for the purpose of generating and delivering the audit report. A valid email address is required to send you the report.

Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw consent at any time by emailing hello@citevolt.com.

Retention: 12 months from submission, or until you request deletion.

4. Subscription, onboarding, and content delivery

When you subscribe to a Citevolt plan, we process the personal data necessary to perform the contract with you. This includes name, email, Shopify store URL, billing information (processed directly by Stripe), onboarding answers, publicly accessible store content, and limited-permission Shopify staff credentials.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Retention: for the duration of your subscription. After cancellation, billing records are retained for 10 years pursuant to § 147 AO. Other personal data is deleted within 90 days of cancellation.

5. Cookies

We use only technically necessary cookies on citevolt.com. These cookies are required for the operation of the website (for example, to maintain your Stripe Checkout session) and do not require consent under § 25(2)(2) TTDSG. We do not use marketing, advertising, profiling, or third-party analytics cookies that would require prior consent.

Vercel Analytics: we use Vercel's privacy-friendly analytics, which collects anonymised, aggregate usage data without setting cookies and without cross-site tracking.

6. Third-party processors

We engage carefully selected third-party processors under Art. 28 GDPR. Where processors are located outside the EEA, transfers are made under the Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46(2)(c) GDPR.

• Stripe, Inc. (USA) - billing and payment processing.
• Resend, Inc. (USA) - transactional email delivery.
• Vercel, Inc. (USA) - hosting and privacy-friendly analytics.
• Anthropic PBC (USA) - content production assistance. Under Anthropic's API terms, your data is not used to train their models.
• Perplexity AI, Inc. (USA) - citation query processing for the free audit.
• Shopify Inc. (Canada - adequacy decision) - to publish blog posts via the Shopify Blog API and, where you connect it, to read order metadata (order totals, landing-page URLs, timestamps) via the Shopify Orders API solely to attribute revenue to the content we publish. We do not access your customers' names, addresses, or payment details.

We do not sell personal data to any third party.

7. Your rights as a data subject

In accordance with applicable data protection law, you have the right to:

• Access processed data and obtain copies (Art. 15 GDPR)
• Correct or complete incorrect data (Art. 16 GDPR)
• Have your data deleted (Art. 17 GDPR), or restrict processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing (Art. 21 GDPR)
• Withdraw consent at any time (Art. 7(3) GDPR)
• File a complaint with a supervisory authority (Art. 77 GDPR)

Exercise these rights by emailing hello@citevolt.com. We respond within one calendar month per Art. 12(3) GDPR.

8. Supervisory authority

The supervisory authority responsible for our place of business is:

9. Data security and breach notification

We apply TLS 1.2+ encryption for all data in transit, strict access controls, and PCI-DSS Level 1 handling of payment data via Stripe (we never see or store full card numbers). In the event of a personal data breach likely to result in risk to your rights, we notify the supervisory authority within 72 hours per Art. 33 GDPR and, where required, affected individuals per Art. 34 GDPR.

10. Changes to this policy

We update this policy to reflect legal changes or service modifications. Material changes are communicated to active subscribers by email at least 14 days before they take effect.