Privacy Policy
Last updated: June 16, 2026.
This is a thorough starting template; have a lawyer review for your jurisdiction before relying on it.
1. Who we are
Clear Cited ("Clear Cited", "we", "us", "our") is a sole proprietorship based in Ontario, Canada, providing AI-search-visibility services — answer-engine optimization (AEO), audits, and monitoring — to business clients in the United States, Canada, and worldwide. For the personal data described in this policy, Clear Cited is the data controller (and, where it processes a client's own end-user data on the client's behalf, a data processor — see Section 6).
Contact / data requests: hello@clearcited.com
Mailing address: 570 Hood Road, Unit 14, #1584, Markham, ON L3R 4G7, Canada.
This policy explains what personal data we collect, why, the legal bases we rely on, who we share it with, how long we keep it, your rights, and how to exercise them. It is written to be aware of the EU/EEA General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and Canada's Anti-Spam Legislation (CASL).
2. What personal data we collect, and why
We practise data minimization — we collect only what we need to operate a B2B service. Specifically:
(a) Leads & free-teardown requests. When you request a free AI-visibility teardown or otherwise contact us, we collect your name, work email address, your company's website domain, and the competitor names you provide. We use this to research and deliver the teardown you asked for and to reply to you.
(b) Newsletter subscribers. If you opt in, we collect your email address (and any name you provide) to send our newsletter and updates. You can unsubscribe at any time (see Section 11).
(c) Clients. When you engage us for a paid audit or monitoring retainer, we collect your name, business email, company details, the website/domains and competitive context relevant to the work, onboarding inputs, and our correspondence with you. We use this to scope, perform, and support the engagement.
(d) Payment information. Paid services are billed through Stripe. Stripe collects and processes your card or payment details and billing information directly; we do not store full card numbers on our systems. We receive limited billing metadata from Stripe (for example, name, billing email, the last four digits and card brand, country, and the status and amount of a charge) to manage invoicing, taxes, and our financial records.
(e) Communications. Emails and messages you send us, and our replies, including any attachments and the metadata needed to route and answer them.
(f) Website usage / analytics. We use Plausible Analytics, which is privacy-friendly and cookieless. It produces only aggregated, anonymized statistics (such as page views, referrers, country, and device/browser type) and does not set cookies, does not collect IP addresses in a way that identifies you, and does not build cross-site profiles. See Section 9.
We do not knowingly collect special-category (sensitive) personal data, and we ask that you not send it to us. Our services are directed at businesses, not consumers, and not at children (see Section 10).
3. Legal bases for processing (GDPR / UK GDPR)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
Consent (Art. 6(1)(a)). For sending our newsletter and other marketing email, and for any optional processing we ask you to opt into. You can withdraw consent at any time (Section 8), without affecting processing done beforehand.
Contract (Art. 6(1)(b)). To take steps at your request before entering a contract (for example, preparing a quote or a requested teardown) and to perform our agreement with you — delivering audits and retainers, billing, and support.
Legitimate interests (Art. 6(1)(f)). To operate, secure, and improve our website and services, to respond to inquiries, to carry out limited B2B outreach to business contacts where permitted, to prevent fraud and abuse, and to keep records of our dealings. We balance these interests against your rights and only rely on this basis where it does not override them.
Legal obligation (Art. 6(1)(c)). To keep financial, tax, and accounting records and to comply with applicable law (see Section 7).
Under PIPEDA (Canada), we collect, use, and disclose personal information for purposes a reasonable person would consider appropriate in the circumstances, with your consent (express or implied) except where the law permits otherwise.
4. How we use personal data
We use personal data to: deliver the free teardown or paid service you requested; communicate with you and answer questions; send our newsletter where you opted in; process payments and manage invoicing and taxes; operate, secure, debug, and improve our website and services; carry out limited, permitted B2B outreach; comply with legal obligations; and establish, exercise, or defend legal claims. We do not sell your personal information, and we do not "share" it for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA. We do not use it for automated decision-making that produces legal or similarly significant effects about you.
5. Sub-processors and service providers we share data with
We share personal data only with the service providers ("sub-processors") that help us run the business, each bound by their own terms to protect it and to process it only on our instructions. Our current sub-processors are:
Stripe — payment processing and billing (card and payment data, billing details). Stripe acts as an independent payment processor and its own controller for certain payment data.
MailerLite — email/newsletter delivery and subscriber management (name, email, engagement data).
Resend — sending transactional and operational emails (recipient email and message content).
Cloudflare — website hosting, DNS, CDN, and security/DDoS protection. Cloudflare processes connection data (such as IP addresses) to serve and protect the site.
Google Workspace (Google LLC) — our business email and document/file storage (your correspondence and any files exchanged).
Plausible Analytics — cookieless, aggregated, anonymized website analytics; no personal identifiers (see Section 9).
AI answer engines used to produce audits — to research and build teardowns and audits, we query third-party AI/answer-engine and search-data APIs, which currently include OpenAI, Anthropic, Google (Gemini), Perplexity, xAI (Grok), and DataForSEO. We query these engines with prompts about brands, products, domains, and public market topics. We do not submit your confidential business information or end-user personal data into these engines, and we use business/API tiers that are not used to train their public consumer models where such terms are available. Any limited personal data that appears (for example, a publicly known company or domain name) is handled solely to produce your deliverable.
We may also disclose personal data to professional advisers (such as our accountant or lawyer), to a successor in the event of a business sale or reorganization, or where required to comply with law, enforce our terms, or protect rights, property, or safety.
6. International data transfers
We are based in Canada and several of our sub-processors are based in, or process data in, the United States and other countries. As a result, your personal data may be transferred to, stored in, and processed in countries outside your own, including Canada and the United States, whose data-protection laws may differ from those where you live. Where we transfer personal data out of the EEA, the UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum / IDTA), or other lawful transfer mechanisms offered by our sub-processors. You can contact us for more information about the safeguards in place.
7. How long we keep it (retention)
We keep personal data only as long as needed for the purposes in this policy, then delete or anonymize it. In practice:
Leads, prospects, and teardown inputs: kept while the inquiry/relationship is active and for a limited period afterward, then deleted or anonymized; deleted sooner on a verified request.
Newsletter data: kept until you unsubscribe or ask us to delete it, after which your subscriber record is removed and your email is added to a suppression list so we do not re-add you.
Client engagement records: kept for the duration of the engagement and a reasonable period afterward to support follow-up, warranty/accuracy obligations, and potential legal claims.
Financial & tax records (legal hold): invoices and ledger entries for completed paid work are kept for approximately six to seven years to meet bookkeeping, tax-filing, and audit requirements (the Canada Revenue Agency generally requires business records be kept for about six years). This is a recognized exemption from erasure (GDPR Art. 17(3)(b); CCPA §1798.105(d)). These records are frozen, are never used for marketing, and are kept only for as long as the law requires.
Consent records & opt-out suppression (legal hold): the record that you gave (or withdrew) consent to receive commercial email, and your entry on our permanent do-not-contact suppression list, are retained even after a deletion request. Anti-spam law (Canada's CASL and PIPEDA, and equivalents such as CAN-SPAM and the GDPR/PECR) requires us to be able to demonstrate that we had consent to contact you or that you opted out — and the suppression entry is what lets us honour your opt-out and avoid re-adding you. Deleting these would destroy the very proof the law requires, so we keep only the minimum needed for that purpose. They are frozen, used only to honour your opt-out and to answer a compliance challenge, and never used for marketing.
Backups: deleted personal data may persist in routine encrypted backups until they are overwritten on our normal rotation cycle (typically within 90 days), after which no copies remain.
8. Your privacy rights
Depending on where you live, you have some or all of the following rights over your personal data:
Access — to know whether we hold personal data about you and to receive a copy.
Rectification — to have inaccurate or incomplete data corrected.
Erasure ("right to be forgotten") — to have your personal data deleted, subject to legal exceptions such as the financial-records and consent/suppression legal holds described above.
Data portability — to receive certain data in a portable, machine-readable format, or have it transmitted to another controller where technically feasible.
Objection — to object to processing based on our legitimate interests, and to object to direct marketing at any time.
Restriction — to ask us to limit how we use your data in certain circumstances.
Withdraw consent — to withdraw any consent you gave (such as newsletter consent) at any time, without affecting prior processing.
California (CCPA/CPRA): you also have the right to know the categories and specific pieces of personal information we collect, the right to delete, the right to correct, the right to opt out of "sale"/"sharing" (we do not sell or share personal information as defined), the right to limit use of sensitive personal information (we do not use it for those purposes), and the right not to be discriminated or retaliated against for exercising your rights. You may use an authorized agent to submit a request.
How to exercise your rights. Email hello@clearcited.com from the address on file, describing your request. For deletion specifically, follow our Data Deletion Instructions. We verify requests (usually by confirming you control the email on file) and respond within about 30 days — extendable where the law allows for complex requests, in which case we will tell you. Exercising your rights is free unless a request is manifestly unfounded or excessive. If we cannot fully act on a request (for example, where a legal hold applies), we will explain why. You also have the right to lodge a complaint with a supervisory authority — in Canada, the Office of the Privacy Commissioner of Canada; in the EEA/UK, your local data-protection authority.
9. Cookies and analytics
Our website is intentionally lightweight. We use Plausible Analytics, which is cookieless — it does not store cookies on your device, does not collect personal data or persistent identifiers, and produces only aggregated, anonymized statistics. Because no cookies or tracking identifiers are set and no personal data is processed for analytics, no cookie-consent banner is required to use this site. Any strictly necessary cookies that may be set by our host/CDN (Cloudflare) for security or to deliver the site are exempt from consent requirements. We do not run third-party advertising or cross-site tracking.
10. Children
Our website and services are directed to businesses and professionals, not to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact us and we will delete it.
11. Marketing email & CASL
We send commercial electronic messages only with your consent (express or, where permitted, implied — for example to an existing business relationship) or where otherwise allowed by law. Consistent with Canada's Anti-Spam Legislation (CASL) and similar rules (CAN-SPAM, GDPR/PECR), every commercial email identifies us, includes our mailing address, and provides a working one-click unsubscribe that we honour promptly (within 10 business days). You can withdraw consent at any time by using the unsubscribe link or emailing us; we will add you to a suppression list so we do not contact you again.
12. How we protect your data
We take reasonable technical and organizational measures appropriate to the risk — including encryption in transit (HTTPS/TLS), access controls and least-privilege handling, reputable processors with their own safeguards, atomic and audited handling of our data files, and limiting who can access personal data. No method of transmission or storage is perfectly secure, but we work to protect your information and to address incidents promptly. Where required by law, we will notify affected individuals and the relevant authority of a qualifying data breach.
13. Changes to this policy
We may update this policy from time to time to reflect changes in our practices, sub-processors, or the law. When we do, we will revise the "Last updated" date above and, for material changes, take reasonable steps to notify you. Your continued use of the site or services after an update means you accept the revised policy.
14. Contact & representatives
Questions or privacy requests: hello@clearcited.com. Clear Cited, 570 Hood Road, Unit 14, #1584, Markham, ON L3R 4G7, Canada.
EU/UK representative: if and where an Article 27 (GDPR) or UK GDPR representative is required, one will be appointed and named here; until then, please direct all requests to hello@clearcited.com. See also our Data Deletion Instructions and Terms of Service.