Privacy Policy

We take the protection of your personal data seriously and treat it confidentially in accordance with applicable data protection regulations and this privacy policy. This policy explains the type, scope, and purpose of personal data we process when you use citevolt.com, audit.citevolt.com, or our content service.

The use of our website is generally possible without providing personal data. If personal data (such as name, email address, or store URL) is collected on our pages, this is, as far as possible, always done on a voluntary basis. This data will not be passed on to third parties without your express consent, except as set out in this policy.

We point out that data transmission over the internet (for example, communication by email) can have security gaps. Complete protection of data against access by third parties is not possible.

1. Controller and contact

The responsible entity within the meaning of data protection laws, in particular the EU General Data Protection Regulation (GDPR), is:

For all questions concerning data protection, contact us at hello@citevolt.com.

2. General information on data processing

Data processed during the use of our website and services will be deleted or restricted as soon as the storage purpose no longer applies, provided that no legal retention obligations prevent deletion and unless otherwise specified in the processing procedures below.

We process personal data only where there is a legal basis under Art. 6 GDPR. The relevant legal bases are:

• Art. 6(1)(a) GDPR — your consent
• Art. 6(1)(b) GDPR — performance of a contract with you, or to take steps prior to entering into a contract
• Art. 6(1)(c) GDPR — compliance with a legal obligation
• Art. 6(1)(f) GDPR — our legitimate interests, where these are not overridden by your interests or fundamental rights

3. Purposes of data processing by us and third parties

We process your personal data only for the purposes stated in this privacy policy. Your personal data will not be transferred to third parties for purposes other than those stated. We will only share your personal data with third parties if:

• You have given your explicit consent
• Processing is necessary for the execution of a contract with you
• Processing is necessary to fulfil a legal obligation
• Processing is necessary to protect legitimate interests, and there is no reason to believe that you have an overriding interest in not disclosing your data

4. Collection of general information when visiting our website

When you access our website, general information is automatically collected. This information (server log files) includes the type of web browser, the operating system used, the domain name of your Internet service provider, the referring URL, the pages visited, and the date and time of access. This information does not allow any conclusions to be drawn about your identity.

This information is technically necessary to correctly deliver the content of websites you request and is mandatory when using the internet. Specifically, it is processed for the following purposes:

• Ensuring a smooth connection to the website
• Ensuring the proper use of our website
• Evaluating system security and stability
• Administrative purposes

The processing of your personal data is based on our legitimate interest in data collection for the aforementioned purposes (Art. 6(1)(f) GDPR). We do not use this data to identify you personally. The only recipients of the data are the responsible entity and, if applicable, contracted processors. Anonymous information of this kind may be statistically analysed to optimise our website and the technology behind it. Server log files are deleted after no later than 30 days.

5. Free citation audit

When you submit your store URL and email address to run a free citation audit at audit.citevolt.com, you provide voluntary consent for the purpose of generating and delivering the audit report. A valid email address is required to send you the report. The provision of additional data is optional. The information you provide is stored for processing the request and any follow-up communication relating to Citevolt.

Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw consent at any time by emailing hello@citevolt.com or by clicking the unsubscribe link in any email we send.

Retention: 12 months from submission, or until you request deletion or unsubscribe.

6. Subscription, onboarding, and content delivery

When you subscribe to a Citevolt plan, we process the personal data necessary to perform the contract with you. This includes:

• Name, email address, and Shopify store URL
• Billing information (processed directly by Stripe; we do not see or store your card number)
• Information you submit in the onboarding questionnaire: brand voice, top products, competitors, topics to avoid, and similar context required to produce content for your store
• Publicly accessible content from your Shopify store (product pages, collection descriptions) which we read in order to write content tailored to your brand
• Login credentials for a limited-permission Shopify staff account, used solely to publish blog posts on your behalf

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Retention: for the duration of your subscription. After cancellation, billing records are retained for 10 years pursuant to § 147 AO (German Tax Code). All other personal data is deleted within 90 days of cancellation, unless we are subject to a legal retention obligation.

7. Email communications

We send you emails for two purposes. Transactional emails (onboarding confirmation, content calendar approval requests, monthly citation reports, billing receipts, account notices) are sent under Art. 6(1)(b) GDPR as they are necessary to perform the contract.

Marketing emails (product updates, new features, promotional content) are only sent if you have given explicit consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time by clicking the unsubscribe link at the bottom of any marketing email or by emailing hello@citevolt.com. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

8. Contact form and email enquiries

If you contact us by email or via a contact form for any inquiries, you provide your voluntary consent for the purpose of contacting you. A valid email address is required for this, allowing us to attribute the request and respond to it. The provision of additional data is optional. The information you provide is stored for processing the request and possible follow-up questions. Once your inquiry has been processed, the personal data will be deleted, unless a contractual relationship has been established and a longer retention period applies.

Legal basis: Art. 6(1)(a) GDPR (consent) or, where the inquiry concerns the conclusion or performance of a contract, Art. 6(1)(b) GDPR.

9. Cookies

We use only technically necessary cookies on citevolt.com. These cookies are required for the operation of the website (for example, to maintain your Stripe Checkout session) and do not require consent under § 25(2)(2) TTDSG. We do not use marketing, advertising, profiling, or third-party analytics cookies that would require prior consent.

You can configure your browser to inform you about the setting of cookies and decide individually whether to accept them or to exclude the acceptance of cookies for certain cases or generally. If cookies are deactivated, the functionality of our website may be limited.

Vercel Analytics: we use Vercel's privacy-friendly analytics, which collects anonymised, aggregate usage data (page views, referrers, country) without setting cookies and without cross-site tracking. No personal data is transmitted.

10. Third-party processors and international data transfers

We engage carefully selected third-party processors to operate our service. Each processor is bound by a Data Processing Agreement under Art. 28 GDPR. Where processors are located outside the European Economic Area (primarily in the United States), transfers are made under the Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46(2)(c) GDPR, supplemented where appropriate by additional safeguards (encryption in transit, data minimisation, contractual confidentiality).

We do not sell personal data to any third party. We do not disclose personal data for the marketing purposes of third parties.

11. Data security

We use appropriate technical and organisational security measures (TOMs) to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorised third-party access. Our security measures are continuously improved in line with technological developments. Specifically, the following measures are implemented:

• SSL/TLS encryption (TLS 1.2 or higher) for all data transmitted between your browser and our servers
• Strict access controls: only personnel with a need-to-know basis can access customer data
• Payment card data is handled exclusively by Stripe under PCI-DSS Level 1 certification; we never see, store, or process full card numbers
• Shopify access is restricted to a limited-permission staff account with blog publishing rights only
• Regular review of third-party processor security posture and Data Processing Agreements
• Logical separation of customer environments and data within our internal systems

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours pursuant to Art. 33 GDPR and, where required, affected individuals without undue delay pursuant to Art. 34 GDPR.

12. Automated decision-making and profiling

We do not use your personal data for automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR. The free citation audit generates a report based on publicly available data about your store domain; it does not produce decisions affecting your legal rights.

13. Your rights as a data subject

In accordance with applicable data protection law, you have the following rights:

• Confirmation of whether your data is being processed
• Access to processed data, additional information about data processing, and copies of the data (Art. 15 GDPR)
• Correction or completion of incorrect or incomplete data (Art. 16 GDPR)
• Immediate deletion of your data (Art. 17 GDPR) or, if further processing is required under Art. 17(3) GDPR, restriction of processing according to Art. 18 GDPR
• Receipt of your provided data and transmission of this data to other controllers (Art. 20 GDPR — data portability)
• Objection to the processing of your data by us, in particular for direct marketing purposes (Art. 21 GDPR)
• Withdrawal of consent at any time, with effect for the future, where processing is based on consent (Art. 7(3) GDPR)
• File a complaint with the supervisory authority if you believe that your data is being processed in violation of data protection regulations (Art. 77 GDPR)

You can exercise these rights at any time by contacting us at hello@citevolt.com. We will respond within one calendar month, extendable by two further months for complex requests, with notice.

Where we have rectified, deleted, or restricted processing of your data under Art. 16, 17(1), or 18 GDPR, we will notify all recipients of your data of these changes, unless this notification is impossible or involves disproportionate effort. You also have the right to be informed about these recipients.

14. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority at any time (Art. 77 GDPR). The supervisory authority responsible for our place of business is:

You may also contact the supervisory authority in your country of habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at bfdi.bund.de.

15. Right to object to direct marketing

You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Art. 6(1)(f) GDPR (legitimate interests). If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes. The objection can be made informally and should preferably be addressed to hello@citevolt.com.

16. Links to third-party websites

Our website may contain links to external third-party websites. We have no control over the content or data practices of these websites and accept no liability for them. The respective providers of the linked websites are responsible for their content and data processing. This privacy policy applies only to citevolt.com and audit.citevolt.com.

17. Changes to this privacy policy

We reserve the right to update this privacy policy to reflect legal changes or modifications to our services. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated to active subscribers by email at least 14 days before they take effect. Your continued use of our website and services after any changes constitutes your acceptance of the updated privacy policy.

18. Governing law

This privacy policy is governed by the EU General Data Protection Regulation (GDPR) and the applicable laws of the Federal Republic of Germany, in particular the Federal Data Protection Act (BDSG) and the Telecommunications and Telemedia Data Protection Act (TTDSG).

19. Questions about data protection

If you have any questions about data protection that this policy does not answer, or if you wish to exercise any of your rights, please contact us by email at hello@citevolt.com. We will respond as quickly as possible and within the time limits set by the GDPR.