Five rules we hold ourselves to before any clause in this page.
- 01 Minimisation. We collect what we need to operate the product, and nothing else. If a field doesn’t serve a stated purpose, we don’t ask for it.
- 02 Purpose limitation. Data collected for one stated purpose is not silently repurposed. New purposes require a new disclosure.
- 03 Transparency over comfort. We’d rather publish an awkward truth than a comforting summary. Where the answer is "it depends," we say so and tell you on what.
- 04 No model training on your content. Customer recordings, transcripts, frames, and extracted artifacts are never used to train, fine-tune, or evaluate models — ours or any third party’s.
- 05 Erasure means erasure. When you ask us to delete an account, we delete it end-to-end across primary stores, derived stores, search indices, and backups (on the rotation cycle), and we hand you a signed receipt.
Three buckets. That’s the whole list.
1. Account data
What. Name, work email, password hash (when SSO is not used), workspace and team membership, role, billing contact and address, payment method token (held by our PCI-DSS Level 1 payments processor — we never see card numbers).
Why. To authenticate you, scope your access correctly, bill the workspace, and contact you about service-affecting events.
Retention. Held for the life of the account. On account deletion, removed from primary stores within 30 days and from backups on the next backup rotation cycle (≤30 days further).
2. Usage data
What. Sign-in events, IP address, user-agent, feature interactions (e.g. "exported PDF," "pushed to Jira"), error and crash diagnostics, audit-log events scoped to the workspace.
Why. Operating, securing, and debugging the product. Audit logs are a customer-facing feature — they belong to the workspace, not to us.
Retention. Diagnostic logs retained 30–90 days. Audit-log entries retained per workspace policy (default 12 months; configurable on Team+).
3. Customer content
What. The recordings you upload (audio and/or video), transcripts derived from them, frame and OCR indices, embeddings, extracted artifacts (bugs, requirements, decisions, action items, etc.), comments your team adds, and exports your team generates.
Why. To deliver the product. This is the workload you hired us to do.
Retention. Raw media is deleted by default after processing completes — only the structured evidence layer persists. Structured artifacts persist for the life of the project unless your workspace retention policy ages them out. Account deletion purges everything end-to-end with a signed receipt.
Six purposes. Anything outside this list is out of scope.
| Purpose | What it covers | Lawful basis (UK/EU GDPR) |
|---|---|---|
| Service delivery | Ingesting recordings, generating the evidence layer, running Q&A, executing integration pushes | Contract |
| Account & billing | Authentication, workspace administration, invoicing | Contract |
| Security & abuse prevention | Anomaly detection, rate limiting, fraud and account-takeover defence | Legitimate interests |
| Service communications | Incident notices, security advisories, breaking-change notifications, billing alerts | Contract / Legitimate interests |
| Product communications (opt-in) | Newsletters, release notes, occasional research interviews | Consent — opt out anytime |
| Legal & compliance | Responding to lawful requests, defending claims, regulatory cooperation | Legal obligation / Legitimate interests |
Two circles: the people inside Citesvue, and the vendors that help us run it.
Internal access
- Default-deny. Production access is denied by default and granted on a least-privilege, just-in-time basis with peer approval and time-bounded expiry.
- Customer-content access. Engineers cannot read the contents of recordings or transcripts in normal duties. Targeted access (e.g. investigating a support ticket you’ve raised) requires a documented business reason and, where applicable, customer consent, and is recorded in the internal audit log.
- Background checks. Required for all employees and contractors with potential access to production systems.
- Onboarding & offboarding. Provisioned through SSO with role mapping; deprovisioning runs automatically within one business hour of role change.
Sub-processors (categories)
We publish the live list of named sub-processors in the customer trust portal — request access via security@citesvue.com. The categories below describe what they do, not who they are.
| Category | Purpose | Region(s) |
|---|---|---|
| Cloud infrastructure provider | Compute, storage, networking, KMS | US / EU |
| Speech transcription provider | Speaker-aware transcription of customer recordings | US / EU (regional pinning honoured) |
| Visual / OCR analysis provider | Frame analysis and on-screen text extraction | US / EU |
| Large-language-model provider(s) | Artifact extraction and Q&A — zero-retention API mode where available; no training on inputs | US / EU |
| Email & transactional messaging | Service emails, magic links, notifications | US / EU |
| Error & performance monitoring | Application observability, incident diagnostics | US / EU |
| Customer support tooling | Ticketing and customer communications | US / EU |
| Payments processor | Card processing — we do not store PAN data | US / EU |
We notify customers of new sub-processors with at least 30 days’ notice via the trust portal and email distribution. Enterprise customers may object during the notice window per the DPA.
EU and US processing regions. Pin to one on Enterprise.
- Default region. Determined by account origin at sign-up.
- Region selection. Single-region pinning (EU-only or US-only) is available on Enterprise, including for sub-processor invocations where the provider supports regional routing.
- Cross-border transfers. Where data crosses jurisdictions, we rely on the EU Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum, supplemented by the technical and organisational measures described in our DPA.
- Backups. Stored encrypted in the same region as the primary data set unless you’ve explicitly approved otherwise.
Defaults that are short. Controls that are yours.
| Data class | Default retention | Customer control |
|---|---|---|
| Raw media (audio/video) | Deleted after processing completes | Configurable hold window on Team+ for review workflows |
| Transcripts & evidence layer | Life of the project | Per-project age-out rules; manual deletion |
| Embeddings & search indices | Life of the project | Purged on artifact deletion |
| Extracted artifacts | Life of the project | Manual deletion; bulk export before delete |
| Audit log | 12 months default | Configurable on Team+; longer custom retention on Enterprise; export anytime |
| Backups | 30 days, encrypted, point-in-time recovery on Team+ | N/A — restoration via support |
| Account & billing records | Life of the account, plus statutory tax/finance retention (typically 6–7 years for invoices) | N/A — statutory obligation |
| Service email & support tickets | 24 months | Deletion on request |
Six rights under GDPR. One inbox.
Send any of the below to privacy@citesvue.com. We respond within 30 days (with one 60-day extension where the request is complex). For workspace members, we will route requests through the workspace controller where appropriate.
| Right | What it means here | How to exercise |
|---|---|---|
| Access | A copy of the personal data we hold about you | Email request — verified via account login |
| Rectification | Correction of inaccurate personal data | In-product for most fields; otherwise email |
| Erasure | Deletion of your personal data ("right to be forgotten") | In-product account deletion or email — signed deletion receipt issued |
| Portability | Machine-readable export of data you provided | In-product export (JSON, CSV, DOCX, PDF); bulk via API |
| Restriction | Pause processing while a dispute is resolved | Email request |
| Objection | Object to processing based on legitimate interests | Email request |
You also have the right to lodge a complaint with a supervisory authority (e.g. the UK ICO, the Irish DPC, or your local EU/EEA authority).
Not intended for users under 16.
Citesvue is a B2B product for workplace use. We do not knowingly collect personal data from children under 16. If we learn we have, we will delete it.
Three routes, depending on what you need.
- Privacy questions & rights requests: privacy@citesvue.com
- Data Protection Officer: dpo@citesvue.com
- Security disclosures: security@citesvue.com (PGP key on /security)
- EU representative: [Name + Address]
- UK representative: [Name + Address]
- Supervisory authority complaints: You may complain directly to your local supervisory authority. We’d appreciate the chance to resolve the issue first.
When this changes, we tell you.
Material changes are notified at least 30 days in advance via email to workspace owners and via an in-product banner. Non-material changes (typo fixes, link updates) are versioned at the top of this page. Past versions are available on request.