Privacy Policy

How CitedIndex collects, uses, and shares personal data — written plainly, with the full processor list.

The short version

We collect the minimum we need to run the directory. We never sell personal data. Analytics are cookieless. Every third party we share data with is listed below, with its purpose, lawful basis, and retention period.

Who is the controller

The data controller for CitedIndex is Matfy (sole trader, Mathijs Bronsdijk), registered in the Netherlands. For privacy questions or data-subject requests, email hello@citedindex.com.

Trader information (per Art. 3:15d BW): Matfy, KvK 76030482, VAT NL003040716B45, registered address Hollands Hoenlaan 47, 3772 PC Barneveld, Netherlands.

What we collect

There are four buckets of personal data:

  • Account data — email, name, and Google account ID when you sign in with Google. Used to identify you and let you manage your listings.
  • Submission data — anything you put into the submission form (tool name, URL, description, contact details, billing details for paid tiers).
  • Newsletter data — your email address and (optionally) name if you opt in to the newsletter.
  • Operational data — IP, user agent, request path, and the timestamps needed to keep the service running, prevent abuse, and meet our tax obligations on paid tiers.

We do not knowingly collect data from anyone under 16. The site is not directed to children.

Cookies and tracking

We use no advertising cookies and we do not track individuals across sites. We do use Google Analytics 4 with IP anonymisation for aggregate site analytics (pageviews, sessions, referrers). The cookies we set are limited to:

  • Sign-in session — set on login, cleared on logout. Required to keep you signed in.
  • CSRF token — protects form submissions against cross-site request forgery.
  • Theme preference — stores your light/dark mode choice locally.

Google Analytics also sets cookies (typically _ga and _ga_*) for first-party analytics. These are not used for advertising and we do not share GA data with third parties.

Stripe sets its own cookies on its hosted checkout pages, governed by Stripe's privacy policy. Those apply only when you upgrade.

Who we share data with

Every third party that processes personal data on our behalf is listed below. We do not share personal data with anyone not on this list. We do not sell personal data.

  • BetterAuth + Google OAuth

    Purpose: Account authentication and session management
    Data shared: Email, name, Google account ID, profile picture, session tokens
    Lawful basis: Contract (Art. 6(1)(b) GDPR) — required to provide the account
    Retention: Until you delete your account, then 30 days in backups
    International transfer: Google OAuth flow runs against Google servers (US). EU-US Data Privacy Framework + SCCs.

  • EU-region Postgres host

    Purpose: Primary database for accounts, listings, submissions
    Data shared: All account, listing, and submission records
    Lawful basis: Contract (Art. 6(1)(b) GDPR)
    Retention: Lifetime of account; deleted on account deletion
    International transfer: EU region. No third-country transfer for this processor.

  • Upstash Redis

    Purpose: Rate limiting, caching, ephemeral session state
    Data shared: IP address, anonymized request fingerprints, cached query keys
    Lawful basis: Legitimate interest (Art. 6(1)(f) GDPR) — fraud and abuse prevention
    Retention: Up to 24 hours for rate-limit windows; cache TTLs measured in minutes

  • Resend

    Purpose: Transactional email and newsletter delivery
    Data shared: Email address, name (if provided), open/click events for newsletter mail
    Lawful basis: Contract for transactional mail; consent (Art. 6(1)(a) GDPR) for newsletter
    Retention: Until you unsubscribe; suppression list kept indefinitely to honour opt-outs
    International transfer: US-based service. EU-US Data Privacy Framework + SCCs.

  • Stripe

    Purpose: Payment processing for Verified and Featured tiers
    Data shared: Email, billing address, card metadata (Stripe holds card numbers, we never see them), country, VAT identifier
    Lawful basis: Contract (Art. 6(1)(b) GDPR) and legal obligation for tax records (Art. 6(1)(c) GDPR)
    Retention: 7 years for financial records (NL tax retention obligation)
    International transfer: Stripe operates US and EU infrastructure. EU-US Data Privacy Framework + SCCs.

  • S3-compatible object storage

    Purpose: Storage for uploaded images, screenshots, and listing assets
    Data shared: Uploaded files and the metadata you attach to them
    Lawful basis: Contract (Art. 6(1)(b) GDPR)
    Retention: Lifetime of listing; deleted when the listing is removed
    International transfer: EU region where available. Where cross-border transfer occurs, SCCs apply.

  • ScreenshotOne

    Purpose: Automated screenshot capture of public pages you submit
    Data shared: Public URL of your tool
    Lawful basis: Legitimate interest (Art. 6(1)(f) GDPR) — operating the directory
    Retention: Generated screenshots stored with the listing; raw API logs kept 30 days
    International transfer: US-based service. SCCs apply.

  • Jina

    Purpose: Public-page content extraction for editorial review
    Data shared: Public URL of your tool and rendered page content
    Lawful basis: Legitimate interest (Art. 6(1)(f) GDPR)
    Retention: Extracted text retained with the editorial draft; raw API logs kept 30 days
    International transfer: Cross-border transfer may occur. SCCs apply.

  • OpenAI

    Purpose: LLM processing for the fit-check, editorial drafting, and classification
    Data shared: Public-page content and listing metadata sent as model input
    Lawful basis: Legitimate interest (Art. 6(1)(f) GDPR)
    Retention: API requests are not used by OpenAI to train models. Operational logs retained per OpenAI's API policy (30 days).
    International transfer: US-based service. EU-US Data Privacy Framework + SCCs.

  • Vercel (hosting and edge)

    Purpose: Application hosting, edge runtime, request routing
    Data shared: Request logs (IP, user agent, path, response status)
    Lawful basis: Legitimate interest (Art. 6(1)(f) GDPR) — operating and securing the service
    Retention: Operational logs typically 30 days
    International transfer: Multi-region with US-based control plane. EU-US Data Privacy Framework + SCCs.

  • Modal

    Purpose: Compute layer for the listing-generation pipeline (scrape, extract, write, audit, classify)
    Data shared: Public URL of the submitted tool, scraped public-page content, listing metadata
    Lawful basis: Legitimate interest (Art. 6(1)(f) GDPR) — operating the directory
    Retention: Function logs retained per Modal's policy (30 days). No personal data stored at rest.
    International transfer: US-based service. SCCs apply.

  • Google (Favicons API)

    Purpose: Rendering each listing's favicon image
    Data shared: The public domain of the submitted tool
    Lawful basis: Legitimate interest (Art. 6(1)(f) GDPR)
    Retention: Not stored on our infrastructure; the favicon URL is constructed on the fly
    International transfer: Google operates US-based infrastructure. EU-US Data Privacy Framework + SCCs.

  • Google Analytics 4

    Purpose: Aggregate site analytics (pageviews, sessions, referrers)
    Data shared: IP-anonymised analytics events, user agent, screen size, referrer
    Lawful basis: Legitimate interest (Art. 6(1)(f) GDPR) — understanding aggregate usage to improve the directory. We do not use GA for advertising or tracking individuals across sites.
    Retention: GA4 default retention (currently 14 months)
    International transfer: Google operates US-based infrastructure. EU-US Data Privacy Framework + SCCs.

International data transfers

Some processors above operate from the United States. Where US transfer occurs, we rely on a combination of the EU-US Data Privacy Framework (for DPF-certified processors) and Standard Contractual Clauses (SCCs) under Art. 46 GDPR. We do not claim EU-only data residency. If you require EU-only processing for a specific use case, email us before you submit.

How long we keep it

Per-processor retention is in the table above. The general rule: account data stays as long as your account exists. Financial records linked to paid tiers are kept for seven years to meet Dutch tax retention requirements. Operational logs are kept up to 30 days.

Your rights

Under GDPR you can:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your account and personal data ("right to be forgotten")
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — for newsletter and any other consent-based processing, at any time
  • Lodge a complaint — with the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl) or your local supervisory authority

To exercise any of these rights, email hello@citedindex.com. We respond within one month, as required by Art. 12(3) GDPR.

Security

Data in transit is encrypted with TLS. Data at rest is encrypted by our hosting and database providers. Access to admin tooling requires authenticated sessions and is restricted to the editorial team. We will notify affected users and the supervisory authority of any personal data breach within the 72-hour window required by Art. 33 GDPR.

Changes to this policy

When we update this policy we change the date below. Material changes (new processors, new data categories, new purposes) are flagged on the homepage and to logged-in users.

Questions?

Email hello@citedindex.com and we'll answer. If you're not satisfied with our response, you can lodge a complaint with the Dutch Autoriteit Persoonsgegevens.

Last updated .