Privacy Policy

Privacy Policy - CiteSpark

Effective Date: October 12, 2025
Last Updated: October 12, 2025

1. Introduction

CiteSpark ("we", "our", "us", or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at citespark.com (the "Service").

By creating an account, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Information You Provide to Us

Account Information:
- Email address (for authentication and communication)
- Display name (from Google OAuth, if you sign in with Google)
- Profile picture (from Google OAuth, if applicable)

Content You Create:
- Pages, articles, and content you publish
- Project names and organizational structures
- Settings and preferences

2.2 Information Automatically Collected

Authentication Data:
- Login timestamps
- Authentication method (Google OAuth or Magic Link)
- Session tokens (securely encrypted)

Service Usage (For Authenticated Users Only):
- Pages created, edited, and deleted
- Actions performed (logged for security and troubleshooting)
- Feature usage patterns

Public Page Analytics (Privacy-First):
- For bots/crawlers: Bot name, visit timestamp, user agent
- For human visitors: Aggregated statistics only (browser type, OS, device type)
- Google Analytics 4 (GA4) on public pages only; loaded conditionally and honoring the browser "Do Not Track" (DNT) setting.
- We do NOT collect: IP addresses stored by us; GA4 is used only for aggregate reporting with advertising features disabled.

2.3 Information We Do NOT Collect

• ❌ IP addresses
• ❌ Precise geolocation data
• ❌ Browsing history outside our Service
• ❌ Information from third-party sites
• ❌ Payment information (we don't process payments yet)

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Delivery

• Provide, operate, and maintain our Service
• Authenticate your identity and secure your account
• Enable content creation and publishing features
• Provide customer support

3.2 Service Improvement

• Analyze usage patterns to improve features
• Understand how content is discovered by search engines and AI
• Debug and troubleshoot technical issues
• Develop new features and services

3.3 Communication

• Send you service-related notifications
• Respond to your inquiries and support requests
• Send administrative information (policy updates, security alerts)
• Marketing communications (only with your consent, easily unsubscribe)

3.4 Legal Compliance

• Comply with legal obligations
• Enforce our Terms and Conditions
• Protect against fraud and abuse
• Respond to law enforcement requests

4. Legal Basis for Processing (GDPR)

If you are in the European Union, European Economic Area, or United Kingdom, we process your personal data under the following legal bases:

Purpose	Legal Basis
Account creation and service delivery	Contract performance (GDPR Art. 6(1)(b))
Email communications about service	Contract performance & Legitimate interest
Service improvement and analytics	Legitimate interest (GDPR Art. 6(1)(f))
Bot/crawler tracking	Legitimate interest (no personal data)
Marketing emails	Consent (GDPR Art. 6(1)(a)) - easily withdraw
Legal compliance	Legal obligation (GDPR Art. 6(1)(c))

5. How We Share Your Information

We do NOT sell, rent, or trade your personal information.

5.1 Service Providers

We may share your information with trusted third-party service providers who assist us in operating the Service:

Provider	Purpose	Data Shared	Privacy Policy
Google Cloud Platform	Infrastructure & hosting	All service data	Google Privacy Policy
Firebase (Google)	Authentication & database	Email, user ID, name	Firebase Privacy
Google OAuth	Authentication (if you choose)	Email, name, profile picture	Google Privacy Policy
Google Analytics 4	Public page analytics (aggregate)	Page path/title, device/browser metadata	Google Privacy & Terms

All service providers are contractually obligated to protect your data and comply with GDPR/CCPA requirements.

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas).

5.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

5.4 Public Content

Content you publish as public pages is visible to anyone on the internet. Published pages are indexed by search engines and may be accessed by AI systems.

6. Your Rights and Choices

6.1 GDPR Rights (EU/EEA/UK Residents)

You have the following rights:

Right to Access - Request a copy of your personal data
Right to Rectification - Correct inaccurate or incomplete data
Right to Erasure - Request deletion of your data ("right to be forgotten")
Right to Restrict Processing - Limit how we use your data
Right to Data Portability - Receive your data in a portable format
Right to Object - Object to processing based on legitimate interests
Right to Withdraw Consent - Withdraw consent at any time (doesn't affect prior processing)
Right to Lodge a Complaint - File a complaint with your data protection authority

How to Exercise Your Rights:
Email us at: [Your Privacy Email]
We will respond within 30 days (or as required by applicable law)

6.2 CCPA Rights (California Residents)

If you are a California resident, you have the following rights:

Right to Know - Know what personal information we collect, use, disclose, and sell
Right to Delete - Request deletion of your personal information
Right to Opt-Out - Opt-out of the "sale" of personal information (we don't sell data)
Right to Non-Discrimination - Not be discriminated against for exercising your rights

How to Exercise Your Rights:
Email us at: [Your Privacy Email]
We will respond within 45 days as required by CCPA

6.3 Account Management

Access Your Data: View and download your data from your account settings
Update Your Information: Edit your profile and settings at any time
Delete Your Account: Contact us to permanently delete your account and data
Export Your Data: Request a machine-readable copy of your data

6.4 Communication Preferences

Marketing Emails: Unsubscribe via the link in any marketing email
Service Emails: Cannot opt-out of critical service notifications
Do Not Track: We respect the DNT browser header; when enabled, GA4 is not loaded on public pages

7. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy:

Data Type	Retention Period
Account information	Until account deletion + 30 days
Published content	Until you delete it + backup cycles (30 days)
Audit logs	90 days
Public page analytics	90 days (auto-deleted)
Support communications	3 years
Legal/compliance records	As required by law

After deletion, your data may remain in backups for up to 30 days before permanent removal.

8. Data Security

We implement industry-standard security measures to protect your data:

Technical Measures:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest (Google Cloud encryption)
- Secure authentication (OAuth 2.0, magic links)
- Regular security audits
- Access controls and authentication

Organizational Measures:
- Limited employee access (need-to-know basis)
- Security training for team members
- Incident response procedures
- Regular security assessments

However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. International Data Transfers

Our Service is hosted on Google Cloud Platform, which may process data outside your country of residence. For data transfers from the EU/EEA/UK to the United States, we rely on:

• EU-US Data Privacy Framework
• UK Extension to the EU-US Data Privacy Framework
• Swiss-US Data Privacy Framework
• Standard Contractual Clauses (SCCs) approved by the European Commission

Google Cloud Platform is certified under these frameworks and complies with GDPR requirements.

10. Children's Privacy

Our Service is not intended for children under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will delete such information from our systems.

11. Cookies and Tracking Technologies

We use minimal cookies and tracking technologies. See our Cookie Policy for detailed information.

Summary:
- Essential cookies only for authentication and security
- No advertising or tracking cookies
- You can manage cookies through your browser settings

12. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date
- Sending you an email notification (for material changes)

Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: contact@intelldynamic.ro

Mailing Address:
IntellDynamic S.R.L.
Libertatii nr. 7
Targoviste
Romania

15. Supervisory Authority

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with your local data protection authority:

EU/EEA: Your local Data Protection Authority (List of DPAs)
UK: Information Commissioner's Office (ICO) - https://ico.org.uk
California: California Attorney General - https://oag.ca.gov

16. Summary

What We Collect:
- Email, name (for your account)
- Content you create
- Aggregated usage statistics

What We DON'T Collect:
- IP addresses
- Tracking cookies
- Personal data from public page visitors (humans)

Your Rights:
- Access, correct, delete your data
- Export your data
- Opt-out of marketing
- File complaints with authorities

Our Commitment:
- Privacy by design
- GDPR & CCPA compliant
- No data selling
- Transparent practices

---

By creating an account, you confirm that you have read, understood, and agree to this Privacy Policy.

Our Privacy-First Approach

We believe in Privacy by Design. We collect minimal data and only track what's necessary for legitimate business purposes.

What We DO Track

For Search Engine Crawlers & Bots

We track visits from automated systems (search engines, AI crawlers, social media bots) including:
- Bot name/type (e.g., "Googlebot", "GPTBot")
- Visit timestamp
- User agent string
- Referring domain (anonymized)

Why: This is essential for understanding how our content is discovered and indexed. Bot tracking does not constitute personal data under GDPR.

For Human Visitors (Aggregated Only)

We collect anonymized, aggregated statistics including:
- Total visit count
- Browser type (e.g., "Chrome", "Firefox")
- Operating system (e.g., "Windows", "macOS")
- Device type (e.g., "Desktop", "Mobile")
- Referring domain (anonymized, no query parameters)

Why: To understand how people access our content. We use this data to improve user experience.

What We DON'T Track

❌ IP Addresses - We never store IP addresses
❌ Personal Information - No names, emails, or identifiers
❌ Cross-Site Tracking - No third-party cookies
❌ Detailed User Agents - Aggregated browser/OS only for humans
❌ Location Data - No geolocation tracking
❌ Behavioral Tracking - No tracking across pages or sessions

Your Rights

GDPR Rights (EU/EEA/UK)

If you are in the European Union, European Economic Area, or United Kingdom, you have the right to:

1. Access - Request what data we have about you (likely none for human visitors)
2. Rectification - Request correction of inaccurate data
3. Erasure - Request deletion of your data (see "Do Not Track" below)
4. Restrict Processing - Limit how we use your data
5. Data Portability - Receive your data in a portable format
6. Object - Object to processing of your data
7. Withdraw Consent - Withdraw consent at any time

CCPA Rights (California)

If you are a California resident, you have the right to:

1. Know - Know what personal information is collected
2. Delete - Request deletion of personal information
3. Opt-Out - Opt-out of the "sale" of personal information (we don't sell data)
4. Non-Discrimination - Not be discriminated against for exercising your rights

Do Not Track (DNT)

We fully respect the Do Not Track (DNT) browser setting.

How to enable DNT:
- Chrome/Edge: Settings → Privacy and security → Cookies → Send a "Do Not Track" request
- Firefox: Settings → Privacy & Security → Enable "Tell websites not to sell or share my data"
- Safari: Settings → Privacy → Enable "Ask websites not to track me"

When DNT is enabled, we will not track your visits (only bot visits for business purposes).

Legal Basis for Processing (GDPR)

We process data under the following legal bases:

1. Legitimate Interest (Art. 6(1)(f) GDPR)
   - Bot/crawler tracking for understanding content indexing
   - Aggregated human visitor statistics for service improvement

2. Consent (Art. 6(1)(a) GDPR)
   - You can withdraw consent via DNT header or by not visiting our pages

Data Retention

• Bot Visits: Stored for analysis, no personal data
• Human Visits: Aggregated counts only, no individual tracking
• Auto-Deletion: All views older than 90 days are automatically deleted

Data Security

We implement industry-standard security measures:
- Data stored in Google Cloud Firestore (SOC 2, ISO 27001 certified)
- Encrypted connections (HTTPS/TLS)
- No sensitive data stored
- Access controls and authentication

Cookies

We do not use cookies for behavioral tracking. Essential cookies are used for authentication. Google Analytics 4 may set first-party cookies solely to measure aggregate usage on public pages; advertising features are disabled.

Third-Party Services

We use:
- Google Cloud Firestore - Data storage (covered by Google's privacy policy)
- Firebase Authentication - For page creators only (not visitors)

These services have their own privacy policies and are GDPR/CCPA compliant.

Children's Privacy

Our service is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from children.

International Data Transfers

Data is processed in Google Cloud servers which may be located outside your country. Google Cloud complies with:
- EU-US Data Privacy Framework
- UK Extension to the EU-US Data Privacy Framework
- Swiss-US Data Privacy Framework
- Standard Contractual Clauses (SCCs)

Changes to This Policy

We may update this policy occasionally. Changes will be posted on this page with an updated "Last Updated" date.

Contact Us

To exercise your rights or ask questions about privacy:

Email: contact@intelldynamic.ro
Address: Libertatii nr.7, Targoviste, Romania

Regulatory Authorities

If you believe we have not handled your data properly, you have the right to lodge a complaint with:

EU/EEA: Your local Data Protection Authority
UK: Information Commissioner's Office (ICO) - https://ico.org.uk
California: California Attorney General - https://oag.ca.gov

Summary

✅ Privacy-First: We collect minimal data
✅ No Personal Data: No IP addresses or identifiers for humans
✅ Respects DNT: Full Do Not Track support
✅ Transparent: Clear about what we track and why
✅ Your Rights: Full GDPR and CCPA rights respected
✅ Secure: Industry-standard security measures

We believe analytics should respect your privacy. That's why we built our system with privacy by design.