Privacy Policy

Last updated: June 14, 2026

1. Data Controller

Enovate, registered in the United Kingdom, is the data controller for personal data processed through Cited Monitor.

2. What Data We Collect

Account Information

• Name and email address (provided at registration)
• Team name and membership
• Billing information (processed by Stripe, not stored by us)

Usage Data

• Prompts you create and their scheduling configuration
• LLM responses (retained per your plan's retention period, then deleted)
• Extracted entities and citations (retained for the duration of your account)
• Audit log entries (IP address, actions taken, retained for 1 year)

Analytics

• Google Analytics (anonymised page views and usage patterns)

3. How We Process Data

LLM responses are processed to extract brand mentions and citations using Claude Haiku (Anthropic) via our own API key. This is automated processing necessary for the core function of the Service.

4. Data Retention

• Raw LLM responses: 14–90 days depending on your plan
• Extracted data: Duration of your account
• Audit logs: 1 year
• Webhook delivery logs: 7 days
• Account data: Deleted within 30 days of account deletion

5. Third-Party Processors

• Stripe — payment processing
• Brevo — transactional email delivery
• AWS — infrastructure (SQS, Lambda, SSM Parameter Store)
• Google Analytics — anonymised usage analytics

6. Your Rights

Under UK GDPR, you have the right to:

• Access your personal data (export from settings)
• Rectify inaccurate data (edit your profile)
• Erase your data (delete your account from settings)
• Port your data (export as JSON/CSV)
• Object to processing (contact us)

7. API Keys

Your LLM provider API keys are stored in AWS SSM Parameter Store with KMS encryption. Keys are written directly from your browser and never transit through our application servers. We cannot read your keys — only the Lambda function that executes prompts has read access.

8. Legal Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

• Contract performance — processing your account data, prompts, and LLM responses is necessary to provide the Service you have signed up for.
• Legitimate interest — audit logging, fraud prevention, and service improvement. We have assessed that these interests do not override your rights.
• Legal obligation — retaining billing records as required by tax and accounting law.
• Consent — Google Analytics tracking. You may withdraw consent at any time by disabling cookies in your browser.

9. International Data Transfers

Your data may be transferred to and processed in countries outside the United Kingdom, including the United States (where AWS and Stripe operate). Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions as applicable. LLM provider API calls are made directly using your keys and are subject to each provider's own data processing terms.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

11. Cookies

We use essential cookies for session management and authentication. We use Google Analytics cookies for anonymised usage tracking. No advertising or tracking cookies are used.

12. Children's Data

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Your Right to Complain

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). You can contact the ICO at ico.org.uk/make-a-complaint or by phone on 0303 123 1113.

14. Contact

For privacy-related enquiries, contact us at [email protected].

We do not currently have a Data Protection Officer, as our processing activities do not meet the threshold requiring one. If this changes, we will update this policy accordingly.