Legal
Privacy Policy
Last updated: 2026-01-29
Summary
- ✓ We collect only what's necessary to provide the service
- ✓ Your citations and library data belong to you
- ✓ We don't sell your personal data
- ✓ You can export or delete your data at any time
- ✓ LGPD (Brazil) and GDPR (EU) compliant
CiteMe ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, browser extension, and related services.
This policy complies with the Brazilian General Data Protection Law (LGPD - Lei 13.709/2018) and the European General Data Protection Regulation (GDPR).
1. Data Controller
CiteMe is the data controller responsible for your personal data.
Data Protection Contact: privacy@citeme.app
2. Data We Collect
2.1 Information You Provide
- Account Information: Email address, name (optional), profile picture (if using Google OAuth)
- Library Data: Citations you save, projects you create, formatting preferences
- Payment Information: Processed securely by Paddle; we do not store credit card numbers
- Communications: Support requests, feedback, and emails you send us
2.2 Information Collected Automatically
- Usage Data: Search queries, citation styles used, features accessed
- Device Information: Browser type, operating system, screen resolution
- Log Data: IP address (hashed for privacy), timestamps, error logs
- Cookies: Essential cookies for authentication and preferences (see Section 7)
2.3 Browser Extension Data
The CiteMe browser extension:
- Does NOT read or store your browsing history
- Does NOT access pages unless you explicitly click to cite
- Stores local data: recent searches, preferred style, quota usage
- Sends citation queries to our servers only when you initiate a search
3. How We Use Your Data
We process your data based on the following legal bases (LGPD Art. 7, GDPR Art. 6):
Contract Performance
- Providing the citation management service
- Processing payments and subscriptions
- Syncing your library across devices
Legitimate Interests
- Improving the service through analytics
- Preventing fraud and abuse
- Responding to support requests
Consent (when required)
- Marketing communications (opt-in)
- Non-essential cookies and analytics
4. Data Sharing
We do not sell your personal data. We share data only with:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication & Database | Account data, library data |
| Paddle | Payment processing | Email, payment details |
| Google (Gemini AI) | AI features | Search queries (anonymized) |
| Sentry | Error tracking | Error logs, device info |
| Railway | Hosting | All data (encrypted) |
All service providers are bound by data processing agreements and comply with applicable privacy laws.
5. International Data Transfers
Your data may be transferred to and processed in countries outside Brazil and the European Economic Area (EEA), including the United States, where our service providers operate.
We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by regulatory authorities
- Data Processing Agreements with all providers
- Encryption in transit and at rest
6. Data Retention
We retain your data for as long as necessary to provide the service:
- Account data: Until you delete your account
- Library data: Until you delete it or close your account
- Usage logs: 90 days (anonymized after)
- Payment records: 7 years (legal requirement)
- Backups: 30 days rolling
After account deletion, your data is removed from active systems within 30 days and from backups within 90 days.
7. Cookies and Tracking
We use cookies to provide and improve our service:
| Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, preferences | Session / 1 year |
| Functional | Remember citation style, theme | 1 year |
| Analytics | Usage statistics (anonymized) | 1 year |
You can control cookies through your browser settings. Disabling essential cookies may affect service functionality.
8. Your Rights
Under LGPD and GDPR, you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Delete your account and data ("right to be forgotten")
- Portability: Export your data in a machine-readable format
- Restriction: Limit how we process your data
- Objection: Object to processing based on legitimate interests
To exercise these rights, contact us at privacy@citeme.app. We will respond within 15 days (LGPD) or 30 days (GDPR).
Brazilian Users (LGPD): You may also file a complaint with the National Data Protection Authority (ANPD) at www.gov.br/anpd.
EU Users (GDPR): You may file a complaint with your local Data Protection Authority.
9. Security Measures
We implement industry-standard security measures:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Secure authentication with OAuth 2.0
- Regular security audits and penetration testing
- IP address hashing for privacy
- Rate limiting to prevent abuse
- Row-level security (RLS) in the database
10. Children's Privacy
Our Service is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.
For users between 13 and 18, we recommend parental guidance when using the Service.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the "Last updated" date
- Sending an email notification for significant changes
- Displaying a notice in the app
12. Contact Us
For privacy-related questions or to exercise your rights:
Data Protection Officer: privacy@citeme.app
General inquiries: hello@citeme.app