NEW14-day free trial — AI search monitoring from $24/month

Last updated: June 15, 2026

Privacy Policy

This Privacy Policy explains what information CiteHawk collects, why we collect it, who we share it with, and the choices and rights you have. We have written it to describe what our platform actually does, in plain terms wherever the law allows.

1. Who we are

CiteHawk (the "Service") is operated by RP & SE Technology Pty Ltd (ABN 62 663 458 106), an Australian proprietary limited company registered in Western Australia, Australia, trading as CiteHawk ("we", "us", or "our"). We are the data controller for the personal information described in this Policy, except where we act as a processor on behalf of our business customers (see Section 11). You can reach us about privacy at hello@citehawk.com.

2. The short version

  • We collect what we need to run the Service: your account details, your billing relationship through Stripe, the monitoring you configure, and the data we generate for you.
  • To monitor AI search platforms for you, we send the prompts you configure to third-party AI providers and store the responses.
  • We use a number of service providers ("subprocessors") to deliver the Service. Section 6 lists them all.
  • We do not sell your personal information. Optional analytics run only if you accept cookies.
  • You can access, correct, export, or delete your data. Deleting your account starts a 90-day countdown to permanent erasure.

3. Information we collect

3.1 Account and profile data

When you create an account we collect your name, email address, and authentication credentials (passwords are stored only as salted hashes by our authentication provider, never in plain text). You may also add a profile photo. We record team membership and roles within your workspaces.

3.2 Billing data

Payments are processed by Stripe. We do not receive or store your full card number. From Stripe we receive your subscription status, billing history, and limited payment-method details (such as the card brand and last four digits) for display. Your name, email, and billing address are held by Stripe as part of your customer record.

3.3 Monitoring you configure

We store the brands, domains, prompts, markets, and competitors you set up for monitoring, together with the settings of each workspace.

3.4 AI platform responses

To measure your visibility, we send the prompts you configure to AI search platforms through their APIs and store what they return: the full response text, cited sources, the model and version used, timestamps, and our analysis (mentions, sentiment, citation and visibility scores). Because prompts and AI responses are open-ended, they may occasionally contain personal information; please avoid entering personal data you do not need to monitor.

3.5 Website audit data

Our GEO audit feature fetches and analyses web pages at a domain you provide — including page content, headings, metadata, structured data, and files such as robots.txt, sitemap.xml, and llms.txt. You are responsible for ensuring you own, control, or have permission to audit any domain you submit (see our Terms of Service). We store the audit results in your workspace.

3.6 Competitive intelligence

When AI platforms mention other brands in response to your prompts, we automatically record those brands and domains and compute comparative metrics (such as share of voice). This information concerns companies and domains, not individuals, and is used to build your competitive leaderboards.

3.7 Data from our widget and beacon

If you install our embeddable widget or tracking beacon on your own website, we receive information about activity on your site: for the widget, the query text, the referring page URL, the AI platform clicked, and the visitor's user-agent string; for the beacon, the AI crawler name, the page path visited, and the user-agent string. This data is collected on your behalf and stored in your workspace. You are responsible for informing your own visitors about this collection in your site's privacy notice (see our Terms of Service).

3.8 Usage, device, and analytics data

We collect information about how the Service is used — pages viewed, features used, and timestamps — to operate, secure, and improve it. With your consent, our analytics provider also collects standard web analytics (including your approximate location and device or browser information). We do not store IP addresses in our application database; however, our hosting, security (rate-limiting), and analytics providers process IP addresses transiently to deliver and protect the Service.

3.9 Communications and support

If you contact us, complete a form, or receive our emails, we keep a record of that correspondence and your communication preferences.

4. How we use your information

We use the information we collect to:

  • provide, maintain, secure, and improve the Service;
  • process your subscription and payments;
  • run the monitoring you configure and generate reports, scores, and recommendations;
  • send transactional messages (confirmations, receipts, alerts, and service notices);
  • send product and marketing emails, where permitted — you can opt out at any time using the unsubscribe link in those emails;
  • respond to your requests and provide support;
  • detect, prevent, and address fraud, abuse, and security issues;
  • comply with our legal obligations and enforce our agreements.

Where the GDPR or UK GDPR applies, we rely on the following legal bases: performance of our contract with you (to provide the Service and billing); our legitimate interests (to secure and improve the Service and to send related marketing, balanced against your rights); your consent (for optional analytics cookies and, where required, marketing); and compliance with legal obligations.

5. Cookies and similar technologies

We use a small number of cookies and local-storage items. Strictly necessary items keep you signed in and remember preferences (for example, your authentication session, sidebar state, onboarding status, and theme). These are required for the Service to function.

Optional analytics cookies (Google Analytics) load only after you accept them in the consent banner shown on your first visit. If you reject them, we do not load analytics and we clear the related cookies. You can change your choice at any time by clearing the consent setting in your browser.

6. How we share information and our subprocessors

We do not sell your personal information. We share data only with service providers that help us run the Service, each bound to protect it and use it only on our instructions. Our subprocessors are:

  • Hosting and infrastructure — Vercel (application hosting and delivery), Supabase (database and authentication), and Upstash (background job queue and rate-limiting).
  • Payments — Stripe (subscription billing and payment processing).
  • Email — Resend (transactional and marketing email delivery).
  • AI and search platforms — OpenAI, Anthropic, Google, DeepSeek, xAI, and Perplexity (to generate monitoring data from your prompts), and SerpAPI (to retrieve Google AI Overviews and Bing Copilot results, where enabled).
  • SEO and web data — DataForSEO (search and ranking data) and Browserless (rendering pages for audit screenshots).
  • Analytics and monitoring — Google Analytics (optional, consent-gated), Sentry (error and performance monitoring), and Vercel Analytics and Speed Insights (performance metrics).
  • Productivity — Google (optional export of your data to a Google Sheet you control, and public entity lookups).

We also query public reference sources (such as Wikipedia and Wikidata) using only brand or domain names; no personal information is sent to them. We may disclose information if required by law, to enforce our terms, or in connection with a corporate transaction such as a merger or acquisition, in which case we will require the recipient to honour this Policy. A current list of subprocessors is available on request at hello@citehawk.com.

7. International data transfers

We and several of our subprocessors are located in, or process data in, the United States and other countries. Where we transfer personal information across borders — including from the EEA, the United Kingdom, or Australia — we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses or equivalent mechanisms, to protect your information.

8. AI platforms

The core of the Service involves sending the prompts you configure to third-party AI providers and recording their responses. Each provider processes that data under its own terms and privacy practices, which we do not control. Do not submit personal or confidential information in prompts unless it is necessary for the monitoring you intend.

9. Data retention

We retain your account and monitoring data for as long as your account is active. When you delete your account, we deactivate it immediately, cancel any subscriptions you administer, and retain your data for a 90-day recovery window. After 90 days, your personal data is permanently and irreversibly deleted from our active systems and backups by an automated process. We may retain limited records for longer where required to comply with legal, tax, or accounting obligations, or to resolve disputes.

10. Your privacy rights

You can export your workspace data at any time from the Reports area in CSV or JSON. To request a copy of the personal information we hold about you, or to exercise any right below, email hello@citehawk.com. We will verify your identity and respond within 30 days (or as your local law requires). We will not discriminate against you for exercising these rights.

EEA and United Kingdom (GDPR / UK GDPR)

You have the rights to access, rectify, erase, restrict, and port your personal data; to object to processing (including direct marketing); and to withdraw consent at any time. You may also lodge a complaint with your local data protection authority.

California (CCPA / CPRA)

You have the rights to know what personal information we collect and how we use it, to access and delete it, to correct it, and to opt out of the sale or sharing of personal information. We do not sell your personal information, and we share data with analytics partners only with your consent.

Australia (Privacy Act / Australian Privacy Principles)

You have the rights to access and correct the personal information we hold about you. If you are concerned about how we have handled your information, you may contact us and, if unsatisfied, complain to the Office of the Australian Information Commissioner (OAIC).

11. Agency and client data

If you use CiteHawk to monitor brands on behalf of your own clients — for example, as a marketing agency — you act as the controller of that data and we act as your processor. You are responsible for having a lawful basis to provide that data to us and for your clients' rights. We process it only to provide the Service to you. A Data Processing Agreement is available on request.

12. Security

We use appropriate technical and organisational measures to protect personal information, including encryption in transit, access controls, and row-level data isolation between workspaces. No system is completely secure, and we cannot guarantee absolute security, but we work to protect your information and to notify you and any regulators of a breach where the law requires.

13. Children

The Service is intended for business use by adults. It is not directed to individuals under 18, and we do not knowingly collect their personal information. If we learn that we have, we will delete it promptly.

14. Changes to this Policy

We may update this Policy from time to time. We will revise the "Last updated" date above and, for material changes, take reasonable steps to notify you. Your continued use of the Service after a change takes effect constitutes acceptance of the updated Policy.

15. Contact us

For any question about this Policy or our handling of your information, contact us at hello@citehawk.com.