Trust, Security & Privacy

SeenAndCited is operated by EU Systems Ltd. This page is maintained by us to answer common security and privacy questions about the SeenAndCited platform. It describes the controls and practices currently in place and is updated as the product evolves. It is not a certification and has not been independently audited.

Last updated: June 2026

Shared responsibility

SeenAndCited combines features we build, capabilities provided by our hosting and backend platform, and controls that you — the customer — configure inside your workspace. Where appropriate, the sections below indicate which side is responsible.

Authentication & access control

  • Email + password and Google sign-in are available for end users. Passwords are never stored in plain text; the backend platform manages credentials and session tokens.
  • Application data is partitioned by workspace. Database row-level security policies restrict each member's access to data in the workspaces they belong to.
  • Administrative operations (billing, plan changes, invites) are gated by workspace role checks performed on the server.
  • Client-portal passwords (used by agency clients to view read-only reports) are hashed with scrypt — a memory-hard key-derivation function — before storage.

Data in transit and at rest

  • All traffic between your browser and SeenAndCited is served over HTTPS (TLS).
  • Application data is stored in a managed Postgres database operated by our backend platform provider, with encryption at rest provided by that platform.
  • Secrets (API keys, webhook signing keys) are stored in an encrypted secrets store and injected into server-side code at runtime — they are never bundled into client JavaScript.

What data we collect

For details of what personal data we process and the legal bases under GDPR, see our Privacy Policy. In summary we collect: account information (name, email), workspace and site configuration you create, billing metadata returned by our payments processor, and usage telemetry needed to operate the service (sign-in events, API request logs, error reports).

Subprocessors and integrations

SeenAndCited relies on a small set of third-party services to deliver the platform. The current list is maintained in our Data Processing Agreement and includes our cloud hosting and backend platform, transactional email provider, payments processor (merchant of record), and the AI engines and SEO data providers used to run analyses on your behalf. We do not sell personal data.

Cookies and analytics

We use the minimum cookies required to operate the app (authentication, session, preferences) plus first-party analytics to understand product usage. See our Cookie Policy for the full list and how to opt out where applicable.

Retention and deletion

We retain workspace data while your account is active. When you delete a workspace or close your account, associated workspace data is removed from active systems; backups are rotated on a rolling schedule and overwritten in line with our hosting provider's retention windows. Billing records are retained for as long as required by applicable accounting and tax law.

Privacy requests (GDPR / UK GDPR)

You can request a copy of, correction of, or deletion of your personal data by emailing the address below. We respond within the timelines required by applicable law. For more detail, see our Privacy Policy.

Reporting a security issue

If you believe you have found a security vulnerability in SeenAndCited, please report it privately to security@seenandcited.online with steps to reproduce. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate. We acknowledge legitimate reports and work with reporters in good faith.

Compliance status

SeenAndCited is operated from the United Kingdom by EU Systems Ltd and follows UK GDPR and EU GDPR requirements for data we process on behalf of customers. We do not currently hold independent certifications such as SOC 2, ISO 27001 or HIPAA. We will update this page as our compliance posture changes.

Contact