Last updated: April 2026
This policy explains how BrandCited.ai collects, uses, and protects your data. We keep it plain so you can actually read it.
BrandCited.ai ("we," "us," "our") operates an AI brand visibility platform. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights regarding your data.
We take privacy seriously. We collect only what we need to operate the service, don't sell your data to third parties, and give you control over your information.
If you have questions, email hello@brandcited.ai.
We collect the following categories of data:
Account information: When you register, we collect your email address, name, and company name. If you sign in via Google OAuth, we receive your Google account email and display name.
Brand and scan data: When you run a scan, we store the website URLs and brand names you submit, along with the scan results, AI engine responses, and visibility scores we generate for you.
Payment information: Billing is handled by Stripe. We store a reference to your Stripe customer ID but never handle or store raw card numbers. Stripe processes all payment data under their own privacy policy.
Usage data: We collect standard analytics data through PostHog, including pages visited, features used, session duration, browser type, operating system, and IP address. This data is used to improve the platform.
Communications: If you contact us via email or a support form, we retain that correspondence.
Cookies: We use cookies for session management (authentication) and analytics. See Section 6 for details.
We use your data to:
Deliver the service: Run scans, generate reports, track your brand's AI visibility over time, and display results in your dashboard.
Process payments: Manage your subscription, handle billing, and send invoices via Stripe and Resend.
Send account communications: Transactional emails such as scan completion notifications, account alerts, and billing receipts are sent via Resend. We also send product updates and visibility tips — you can unsubscribe at any time.
Improve the platform: Aggregated, anonymized usage data helps us understand which features are useful, fix bugs, and build new functionality. We don't use your brand-specific data or scan results to train AI models.
Security and fraud prevention: We monitor usage patterns to detect abuse, unauthorized access attempts, and violations of our Terms of Service.
Legal compliance: We may process or retain data as required by applicable law.
BrandCited queries third-party AI platforms on your behalf: OpenAI (ChatGPT), Anthropic (Claude), Google (Gemini), Perplexity, xAI (Grok), DeepSeek, and Meta (Llama). To run a citation check, we send queries to these platforms that include your brand name, domain, and industry keywords.
These queries are processed according to each platform's own privacy policy and terms of service. We don't send personal user data (like your email or account details) to AI platforms. Only the brand and industry information you provide for scanning is used in queries.
AI platform responses are stored in our database linked to your account and the specific scan, so you can review them in your dashboard. You can delete individual scans or your entire account at any time.
We share data with the following services to operate BrandCited:
Supabase: Database and authentication. Your account data, scan results, and reports are stored on Supabase, which uses AWS infrastructure with encryption at rest and in transit. Supabase enforces Row Level Security so each user's data is isolated.
Stripe: Payment processing. Stripe handles all billing and stores your payment method details under their PCI-compliant systems.
Resend: Transactional email. We use Resend to send account notifications, scan results, and billing emails.
Vercel: Hosting and edge infrastructure. BrandCited runs on Vercel, which processes request data for hosting purposes.
PostHog: Product analytics. We use PostHog to understand how users navigate the platform. PostHog data is anonymized where possible. You can opt out of PostHog tracking through your browser's Do Not Track settings.
AI platforms (OpenAI, Anthropic, Google, Perplexity, xAI, DeepSeek, Meta): We send queries to these platforms as part of the scanning service. See Section 4 for details.
We don't sell your data to data brokers, advertisers, or any third parties for their own use.
Your data is stored on Supabase (AWS infrastructure) in the EU region by default. All data is encrypted in transit via TLS and at rest using AES-256 encryption.
We use Row Level Security (RLS) policies at the database level to ensure users can only read and write their own data. Our API endpoints validate authentication on every request.
Access to production data is restricted to authorized personnel. We follow a least-privilege model.
While we take security seriously, no system is 100% immune. If we become aware of a data breach that affects your personal data, we'll notify you within 72 hours as required by GDPR.
We keep your account data and scan history for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where we're required to retain it for legal or financial compliance purposes (such as billing records, which we retain for 7 years as required by tax law).
Individual scans can be deleted from your dashboard at any time. Deleted scans are removed from our database within 7 days.
Free-plan accounts that have been inactive for 12 months may have their scan history automatically pruned to the most recent 3 scans, with a 30-day notice email.
Depending on where you're based, you may have the following rights:
Access: Request a copy of the personal data we hold about you.
Correction: Ask us to fix inaccurate or incomplete data.
Deletion: Request deletion of your account and all associated personal data.
Portability: Receive your data in a machine-readable format (available via the Export feature in Settings).
Objection: Object to processing of your data for direct marketing at any time.
Restriction: In some circumstances, ask us to limit how we use your data while a dispute is resolved.
For GDPR requests (EU/EEA users), email hello@brandcited.ai. We respond within 30 days. For CCPA requests (California residents), you can request disclosure of data categories we collect, ask us not to sell your data (we don't), or request deletion.
To exercise any of these rights, email hello@brandcited.ai with your request and we'll confirm your identity before proceeding.
BrandCited is operated from Germany. Our infrastructure (Supabase on AWS, Vercel) primarily processes data within the EU. Some third-party services (Stripe, PostHog, Resend) may process data in the United States.
For transfers outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or the service provider's certification under applicable frameworks (such as the EU-US Data Privacy Framework).
BrandCited is not intended for users under 18 years of age. We don't knowingly collect personal data from children. If you believe we've inadvertently collected data from a minor, contact us at hello@brandcited.ai and we'll delete it promptly.
We may update this Privacy Policy to reflect changes in the law, our practices, or the services we use. We'll post the updated policy here with a new "Last updated" date.
For significant changes — such as collecting new categories of data or changing how we use existing data — we'll notify you via email at least 14 days before the changes take effect. Your continued use of BrandCited after that date constitutes acceptance.
For privacy questions, data requests, or general support, email hello@brandcited.ai.
BrandCited is operated by Xpand Enterprises FZCO, Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates.
If you're in the EU and believe we haven't handled a privacy concern adequately, you have the right to lodge a complaint with your local data protection authority.
