How We Handle Your Data
CITAQ processes B2B product data only. We do not collect, store, or process consumer personal information. This policy describes how we handle operator account data and product catalog information under GDPR, CCPA, and applicable data protection law.
Regulatory Classification
CITAQ operates as a B2B verification infrastructure platform. We process product claims, evidence documents, and operator account data — not consumer personal data. Operators who use CITAQ remain the data controllers for their own customer data. CITAQ does not act as a sub-processor for consumer PII under any operator arrangement.
No consumer PII processed. CITAQ does not track, profile, or store data about the end consumers who visit your store. No consumer cookies. No behavioral tracking. No personal data from third-party customers.
Data We Process
Name, email address, company name, store URL, and billing contact used for account management and authentication.
Product claims, descriptions, SKUs, attributes, and images you submit for verification analysis.
Certifications, laboratory test reports, compliance records, and third-party attestations you upload.
Authentication tokens, API call logs, and access records required for platform security and the immutable audit trail.
Credit wallet activity, payment records, and billing history. Required for regulatory compliance.
Aggregated, anonymized operational metrics. Subject to k-anonymity (k=5). No individual operator identifiable.
Data Retention Schedule
Evidence Immutability
Evidence documents, audit log events, verification credentials, and cryptographic hash records cannot be permanently deleted. This is a structural constraint of the platform, not a policy decision.
You may flag evidence as inactive within 30 days of upload. The document is removed from active verification status but retained in the immutable audit vault.
A 30-day grace period exists for flagging evidence submitted in error. After 30 days, no erasure is possible without a legal mandate (court order, regulatory requirement).
Cryptographic hash fingerprints of all evidence documents are retained permanently, even if the underlying document is soft-deleted. This enables audit trail continuity without storing document content.
Full erasure is only possible with a court order or regulatory mandate. CITAQ will comply within 72 hours of receiving a valid legal instrument.
Metrics We Do Not Collect
CITAQ operator dashboards display only: compliance status, evidence expiry dates (absolute), policy violation counts (absolute), and pending review items (absolute). The following metrics are architecturally prohibited from operator-facing surfaces:
This is a constitutional constraint (PROHIBITION-004), not a configurable setting. These metrics cannot be enabled, requested via API, or provided through any channel.
Security Controls
All stored data encrypted using AES-256-GCM. Evidence vault encrypted with per-tenant envelope keys.
All network connections use TLS 1.3 minimum. TLS 1.2 rejected. Certificate pinning on critical endpoints.
All evidence documents and audit events receive a SHA-256 hash fingerprint retained permanently.
Operational telemetry subject to k-anonymity (minimum group size 5). Differential privacy with Laplace noise applied.
All data access events logged with timestamp, user ID, and operation type. Immutable append-only store.
Affected operators notified within 72 hours of a confirmed breach, per the GDPR Article 33 requirement.
Data Residency and Transfers
EU operator data remains within the EU. Cross-region replication is disabled. Automatic PII redaction prevents EU data from routing to non-EU infrastructure. Complies with GDPR Article 44 (data transfer restrictions).
US and global operator data processed in us-east-1. All data encrypted at rest and in transit. CCPA rights apply to California-based operators.
Isolation guarantee: Cross-tenant data access is prevented at the database level via row-level security (RLS). No operator can access another operator's catalog, evidence vault, or account data under any conditions.
Sub-Processors
CITAQ uses the following sub-processors. All sub-processors have executed Data Processing Agreements (DPAs) and maintain adequate safeguards under GDPR Article 46.
Your Rights
Download all account data, product catalog records, and evidence metadata associated with your operator account in JSON or CSV format.
Update product claims, evidence metadata, account information, and contact details at any time via the platform dashboard.
Request account deletion. Evidence attestations, audit trail events, and SHA-256 hashes are excluded from erasure due to immutability constraints (PROHIBITION-001).
Export your full account data in machine-readable JSON or CSV format. Evidence references export as URIs pointing to your uploaded documents.
Object to processing based on legitimate interest. We will evaluate and respond within 30 days.
Contact your jurisdiction's data protection authority. EU operators may contact the relevant supervisory authority in their member state.
Rights requests are handled within 30 days (GDPR standard). Submit requests to privacy@citaq.io. Identity verification required before processing.
No Algorithmic Profiling
CITAQ is a deterministic evidence retrieval system. We perform no machine learning inference on your data. We do not build behavioral profiles, make predictions about your product performance, or make automated decisions that affect your account status. Verification status changes only when you take an action (uploading evidence, modifying claims) or when submitted evidence reaches its expiry date.
Privacy requests: privacy@citaq.io
Security incidents: security@citaq.io
72-hour breach notification commitment under GDPR Article 33.