Privacy Policy
What we keep, and why.
Citebound builds visibility inside AI search. To do that well, we handle a small amount of data about you, your company, and the conversations our models are watching. This page explains exactly what — in plain language, then in the legal one.
Citebound LLC ("Citebound", "we", "us") helps companies become the answer their buyers find inside AI search. This page explains what personal data we handle in the course of that work, why we handle it, and the rights you have over it — in plain language.
1. Who we are
Citebound LLC is a Delaware company with operating offices at 54 Greene Street, Floor 3, New York, NY 10013. For anything in this policy, write to privacy@citebound.com or reach our EU representative at eu-rep@citebound.com. A human reads everything that comes in.
We act as the data controller for the data described here. When we operate the measurement pipeline on behalf of a client, we act as a processor — that relationship is governed by the client's Data Processing Addendum.
2. What we collect
We hold a small amount of data, organized into three buckets:
Site visitors. IP address, browser type, pages visited, and referrer — collected through cookieless analytics (Plausible) and edge logs. We use it to understand which pages are working.
Inquiries and clients. Name, work email, company, role, and whatever you write in a contact form, audit request, or onboarding brief.
Client telemetry. The prompts we run against AI search engines on your behalf, the answers those models return, and the visibility scores we compute. This is the data behind our quarterly reports.
We do not collect special categories of data, government IDs, payment card numbers (Stripe handles those), or precise location.
3. How we use it
We use each bucket only for the job it was collected for. Site data drives aggregate reporting and security. Inquiry data lets us reply and deliver the work you asked for. Telemetry runs the engagement and produces the reports we deliver to you.
We rely on contract for client work, consent for marketing emails, and legitimate interest for site analytics and security. You can withdraw consent or object to legitimate-interest processing at any time.
4. Who we share it with
We use a short list of vendors, each under a signed data processing agreement. We do not sell personal data, share it with advertising networks, or exchange it with data brokers.
Vendor | Role | Region |
|---|---|---|
Vercel | Website hosting and edge logs | US / EU |
Plausible | Cookieless analytics | EU (DE) |
Postmark | Transactional and broadcast email | US |
AWS | Storage and compute for the measurement pipeline | US / EU |
Anthropic, OpenAI, Google, Perplexity | Model APIs for measurement (training opt-out enabled) | US |
Stripe | Invoicing and payment processing | US |
We will disclose data to authorities if we receive a valid legal order, and we will tell you unless legally prohibited from doing so.
5. AI training and model use
Our work depends on the integrity of AI search, so we are deliberate about it:
We do not use your data to train or fine-tune foundation models — ours or anyone else's.
For every model provider that offers it, we send prompts with training opt-out and zero-data-retention enabled.
We do not use one client's telemetry to improve scoring for another client.
Aggregated, anonymized industry benchmarks may appear in our public Field Notes; identifying brand or buyer data never does.
6. How long we keep it
We hold what we need, for as long as it is useful, then we delete it. Edge logs roll off after 30 days. Aggregate analytics last 24 months. Inbound inquiries with no engagement are deleted after 12 months. Active client records are kept for the duration of the engagement plus 24 months. Invoicing records are kept for seven years to meet US accounting obligations. When a window closes, data is purged from primary stores within seven days and from backups within thirty.
7. Your rights
Wherever you live, you can ask us to:
Show you the data we hold about you.
Correct anything inaccurate.
Delete what we hold, subject to legal retention.
Send your data to another provider in a portable format.
Stop processing on the basis of legitimate interest, including marketing.
Withdraw a consent you previously gave.
To exercise any of these, write to privacy@citebound.com from the email address tied to the data. We respond within five business days. If you are not satisfied, you may lodge a complaint with your local data protection authority — though we would prefer you raised it with us first.
8. Changes and contact
We will update this policy as our services and the law evolve. Material changes are posted here at least 30 days before they take effect, and we email active clients during the notice window. For any privacy question, write to privacy@citebound.com or post to the address above.
© 2026 Citebound LLC. All rights reserved.