Privacy Policy

Last updated: 2026

Data Controller

The data controller for CiteGuardian is:

  • AI-Regenesis Ltd
  • 20 Wenlock Road, London, N1 7GU
  • Company No. 16376961 (England and Wales)
  • Email: bryan@ai-regenesis.com
  • Phone: 020 3642 0390

What We Collect

Data | Purpose | Lawful Basis
Email address | Account creation, login, transactional emails | Art 6(1)(b) — contract
Name (optional) | Display in application UI | Art 6(1)(b) — contract
Password (bcrypt hash) | Authentication | Art 6(1)(b) — contract
Stripe customer ID & subscription data | Payment processing, subscription management | Art 6(1)(b) — contract
API keys (SHA-256 hash only) | API authentication | Art 6(1)(b) — contract
Verification requests (answer text, sources) | Providing the verification service | Art 6(1)(b) — contract
IP address | Rate limiting, security | Art 6(1)(f) — legitimate interest
Session cookie | Authentication state | Art 6(1)(b) — contract
Credit transaction history | Billing records, HMRC compliance | Art 6(1)(c) — legal obligation

How We Use Data

We use your personal data to:

  • Deliver the service — process verification requests, generate reports, manage your account
  • Process payments — handle credit purchases and subscription billing via Stripe
  • Maintain security — rate limiting, fraud prevention, abuse detection
  • Send transactional emails — email verification, password reset, material service changes

We do not send marketing emails, sell your data to third parties, or use tracking/analytics cookies.

Third-Party Processors

We share data with the following processors, each under appropriate safeguards:

Anthropic (AI Verification)
  • Data shared: Claim text and source evidence (sent for AI verification)
  • Location: United States
  • Safeguards: Standard Contractual Clauses (SCCs)
  • Note: Anthropic does not use API inputs for model training

Stripe (Payments)
  • Data shared: Email address, payment details (handled directly by Stripe)
  • Location: United States
  • Safeguards: PCI DSS Level 1, Standard Contractual Clauses (SCCs)
  • Note: CiteGuardian never stores your card details. All payment data is handled by Stripe.

CDN Resources

Bootstrap CSS/JS and Font Awesome are loaded from public CDNs (jsdelivr.net, cloudflare.com). These CDN providers may log your IP address in accordance with their own privacy policies.

Cookies

CiteGuardian uses one essential cookie:

Cookie | Type | Purpose | Duration
session | Essential, first-party | Flask session — maintains authentication state | Browser session (or "Remember Me" duration)

  • We do not use analytics, advertising, or tracking cookies.
  • Cookie consent preference is stored in your browser's localStorage (not a cookie).

Data Retention

Data | Retention Period
Account data (email, name, password hash) | While your account is active; deleted on account closure request
Verification runs and reports | While your account is active
Source cache (fetched URLs, chunks, embeddings) | 7 days (automatic expiry)
Verdict cache (judge + scrub results) | 7 days (automatic expiry)
Credit transaction logs | 6 years (HMRC requirement)
Password reset tokens | 1 hour (automatic expiry)
Email verification tokens | Until used or account deleted

Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate personal data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Portability — request your data in a structured, machine-readable format (JSON export)
  • Restriction — request that we limit processing of your data
  • Object — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at bryan@ai-regenesis.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
ico.org.uk — Helpline: 0303 123 1113

Data Security

We implement appropriate technical and organisational measures to protect your data:

  • Passwords — hashed with bcrypt (never stored in plain text)
  • API keys — stored as SHA-256 hashes (original key shown once at creation)
  • Transport — HTTPS encryption in transit
  • CSRF protection — Flask-WTF CSRF tokens on all forms
  • Security headers — X-Content-Type-Options, X-Frame-Options, Referrer-Policy
  • Rate limiting — per-IP sliding window to prevent abuse

Children

CiteGuardian is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at the address associated with your account. The "Last updated" date at the top of this page indicates when the policy was last revised.

Contact

For any privacy-related questions or to exercise your data rights, contact us:

  • AI-Regenesis Ltd
  • 20 Wenlock Road, London, N1 7GU
  • Company No. 16376961 (England and Wales)
  • 020 3642 0390
  • bryan@ai-regenesis.com