New: Actions, your automated GEO workflows Discover

Privacy policy

Last updated: June 13, 2026

This policy describes how Citeme, a product published by Mekaa SAS (229 rue Saint-Honoré, 75001 Paris, France), collects, uses and protects your personal data, in compliance with the GDPR. Data controller and data protection officer: Alexandre Teillet ([email protected]).

Data we collect

When you create an account or request a demo, we collect: email address, name, company and the URL of the audited site. While browsing, we collect anonymized audience measurement data (page views, visit duration, device type).

Editor integrations (Webflow, WordPress, Shopify)

When you connect Citeme to a site editor, we process only what is needed to audit and optimize that site:

  • OAuth access tokens are encrypted at rest with AES-256-GCM and never exposed to your browser. They are tied to a single connected site.
  • Connected sites are read through the official platform API (for Webflow, the Webflow Data API), not scraped. The only exception is the anonymous free "lite audit", which fetches the public HTML of the single URL you explicitly submit.
  • The anonymous lite audit stores your submitted URL, an optional email if you ask for results, and your IP address only as a daily-salted hash (never the raw IP), used for rate limiting.
  • The analytics tracker (optional, paid plans) records visits from identified AI bots only. It does not collect any data about your human visitors.
  • On uninstall or disconnect, the OAuth token is deleted immediately and remaining integration data is purged within 30 days.

Sub-processors used to fulfil audits and workflows: OpenAI, Anthropic, Google, Perplexity, and xAI (LLM calls only, no training on your data).

Purposes and legal bases

Your data is processed to: provide the Citeme service (contract performance), send our newsletter if you opted in (consent), improve the site (legitimate interest) and comply with our legal obligations.

Retention

Account data is kept for the duration of the contractual relationship, then 3 years after the last activity. Billing data is kept for 10 years in line with accounting obligations.

Processors

We rely on GDPR-compliant processors: cloud hosting, Supabase (database), Stripe (payments), Sanity (content), Customer.io (emails), PostHog (analytics). No data is ever sold to third parties.

Your rights

You have the right to access, rectify, erase, restrict, port and object. To exercise them: [email protected]. You may also lodge a complaint with the CNIL (cnil.fr).