This policy explains what data Citely processes, why, on what legal basis, with whom it is shared and what your rights are. Our product principle — amplify what's real, never invent — also applies to your data: we don't collect more than necessary.
The “Citely” service (“Citely”, “we”) is operated by S&R LOGISTICS, established at 52 avenue de Stalingrad, 1000 Brussels (Belgium). For any question about this policy or your data, you can write to us at [privacy@trycitely.com](mailto:privacy@trycitely.com).
Depending on the context, Citely acts as a controller (for your account data and use of the service) or as a processor (for the catalog data you entrust to us as a merchant). The distinction is detailed below.
This policy applies to the Citely website, the Citely Shopify app and the associated services (collectively, the “Service”). It does not cover third-party sites or services we may link to, which have their own policies.
We process the following categories of data, depending on how you use the Service:
| Category | Examples | Source |
|---|---|---|
| Account | Name, email, store identifier, language, preferences. | You |
| Catalog | Product pages, attributes, price, stock, variants, identifiers (GTIN). | Your Shopify store |
| Usage & technical | Page views, in-app actions, logs, IP address, device/browser type. | Automatic |
| GEO measurement | Tracked queries, detected citations, share of answers per engine. | Generated by the Service |
| Communications | Messages you send us (support, contact). | You |
We do not seek to collect special categories of data (“sensitive” data under the GDPR). Please do not send us such data through free-text fields.
We process your data for the following purposes, each relying on a legal basis under Article 6 GDPR:
| Purpose | Legal basis |
|---|---|
| Provide the Service (connection, audit, optimization, measurement). | Performance of the contract |
| Billing and subscription management. | Performance of the contract / legal obligation |
| Security, abuse prevention, technical logs. | Legitimate interest |
| Service improvement and aggregated statistics. | Legitimate interest |
| Responding to your requests (support, contact). | Legitimate interest / pre-contractual steps |
| Marketing emails (where applicable). | Consent |
Where we rely on legitimate interest, we make sure it does not override your rights and freedoms. You may object to such processing (see “Your rights”).
For catalog data from your Shopify store, you remain the controller and Citely acts as a processor: we process this data only to provide the Service, following your instructions. The corresponding terms are set out in our Data Processing Agreement (DPA).
Citely mainly processes product data, not shoppers' personal data. We do not request, and do not need, access to your store's orders, customer profiles or payment information.
To generate the structured-data layer and factual content, Citely sends certain catalog information (page text, attributes) to an AI model provider, Anthropic (Claude API). This data is transmitted only to produce the requested output.
We select providers whose terms exclude training models on data sent via the API. Citely does not use your data to train its own models.
We rely on third-party providers to deliver the Service. Each is bound by confidentiality and data-protection commitments. The list below is indicative and kept up to date; some items depend on production rollout.
| Provider | Role | Status |
|---|---|---|
| Shopify | E-commerce platform, catalog source. | Active |
| Anthropic | AI models (structured-data generation). | Active |
| Application host (Vercel) | Hosting of the app and database. | Active |
| Payment provider (Stripe) | Subscription billing. | Active |
| Email service | Transactional and, where applicable, marketing emails. | In preparation |
For the up-to-date list of subprocessors and their location, write to us at privacy@trycitely.com.
Some providers may process data outside the European Economic Area. In that case, we rely on recognized transfer mechanisms (for example the European Commission's standard contractual clauses) to ensure an adequate level of protection. An option for hosting and processing in the EU is planned.
We keep your data for as long as necessary for the described purposes, then delete or anonymize it:
We protect your data with technical and organizational measures: encryption in transit (TLS), restricted access, logging. Details, and what remains on our roadmap, are on our Security page. We do not display certifications we don't have.
Under the GDPR, you have the following rights over your personal data:
To exercise these rights, write to us at privacy@trycitely.com. We respond within the legally required timeframes. You may also lodge a complaint with your data-protection authority (in France, the CNIL; in Belgium, the APD).
We use a limited number of cookies, mainly for sign-in and preferences. Details are on our Cookie Policy.
The Service is intended for professionals and is not directed at minors. We do not knowingly collect data about minors.
We may update this policy to reflect changes to the Service or to regulations. The last-updated date appears at the top of the page; for significant changes, we will notify you by an appropriate means.
For any question about this policy or to exercise your rights: privacy@trycitely.com.
Write to us at privacy@trycitely.com — we answer directly.