PLAIN ENGLISH SUMMARYWe collect only what we need to deliver our services, we never sell your data, and we delete it when you ask us to. UK GDPR compliant. Questions:
privacy@cited.agency.
1. Who we are
This privacy notice is issued by Cited. Ltd ("Cited.", "we", "us", "our"), a company registered in England and Wales. Our registered office is in London, United Kingdom.
For any privacy-related question, contact our data officer at privacy@cited.agency.
2. What data we collect
2.1 Data you give us
- Contact details: name, role, company, work email, company website — submitted through our website forms.
- Communication content: emails, Slack/Teams messages, meeting notes when you engage us for services.
- Audit inputs: the URL you submit via our Free AI Audit tool.
2.2 Data we collect automatically
- Standard server logs: IP address, user-agent, timestamp, page visited. Retained for 30 days for security purposes.
- Analytics: aggregated, privacy-preserving analytics only (we use Plausible or similar). We do not set behavioural tracking cookies.
2.3 Data we do not collect
We do not use advertising trackers, remarketing pixels, or behavioural analytics. We do not sell or share your personal data with advertising networks.
3. Why we process it
Legal bases under UK GDPR:
- Consent (Art. 6(1)(a)): newsletter subscription, non-essential cookies.
- Contract (Art. 6(1)(b)): to respond to your enquiry, deliver a Snapshot, run an engagement.
- Legitimate interests (Art. 6(1)(f)): security logging, fraud prevention, direct outreach to business prospects.
- Legal obligation (Art. 6(1)(c)): accounting and tax records.
4. Who we share it with
We share your data with a limited set of processors:
- Railway (infrastructure hosting) — US-based, GDPR-DPA signed.
- Google Workspace (email, calendar, docs) — EU + US, EU SCCs in place.
- Telegram Bot API (internal lead notifications to our team) — the bot receives only the fields you submit.
- Accounting and legal advisors — as required by contract and law.
We never sell your personal data. We never share it with advertisers.
5. International transfers
Some processors are located outside the UK/EEA. We rely on UK IDTA or EU Standard Contractual Clauses for these transfers, and we carry out transfer risk assessments before onboarding any new processor.
6. How long we keep it
- Enquiry and lead data: 24 months from last interaction.
- Customer records: for the duration of the engagement + 7 years (accounting retention).
- Server logs: 30 days.
- Newsletter subscribers: until you unsubscribe.
7. Your rights under UK GDPR
You have the right to:
- Access your data (Subject Access Request).
- Correct inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict or object to processing.
- Receive a portable copy of your data.
- Withdraw consent at any time.
- Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, email privacy@cited.agency. We will respond within 30 days.
8. Security
We apply industry-standard safeguards: encryption in transit (TLS 1.3), encryption at rest, principle of least privilege, two-factor authentication across all team accounts, and documented incident response procedures. For enterprise engagements, we provide SOC 2 evidence and standard security questionnaires on request.
9. Cookies
See our separate Cookie Policy for details on cookies and similar technologies.
10. Changes
We may update this policy. Material changes will be announced on this page and emailed to active clients. Minor changes (typos, clarifications) will be reflected in the "last updated" date above.
11. Contact
Cited. Ltd
London, United Kingdom
Email: privacy@cited.agency