Privacy Policy

Account data

When you register: name, email address, company/organisation name. We use this to create and maintain your account and communicate with you about the service.

Site and monitoring data

When you add a site: the URL and display name you provide. If you upload nginx access logs or use the JS beacon, WordPress plugin, or Cloudflare Worker, we receive data generated by your site visitors including IP addresses, user-agent strings, request paths, and timestamps. This data is used to identify AI crawler activity on your site.

Citation and crawl event data

We store the results of AI citation checks: which AI systems were asked about your content, the prompts used, the AI responses, whether your site was cited, and which competitor domains were mentioned.

Payment and billing data

When you subscribe, Stripe processes your payment. We receive from Stripe: your Stripe customer ID, subscription status, and invoice records. We do not receive or store your card number, bank account details, or CVV — these are held exclusively by Stripe.

Plugin API key

A unique API key is generated for your account for use with the WordPress plugin. This key is stored and used to authenticate plugin requests.

Partner programme data

If you apply to the Partner Programme: your name, email, agency name, website, and any notes you provide. On approval, a Stripe Connect Express account is created using your email.

Technical and usage data

Server logs and error tracking data including IP addresses, browser type, pages visited, and error reports. Used to maintain and improve the service.

• •Contract performance (Article 6(1)(b)): processing necessary to provide the service you have subscribed to — account management, citation monitoring, report generation, billing
• •Legitimate interests (Article 6(1)(f)): security monitoring, fraud prevention, service improvement, and sending you relevant product updates. We have assessed that our legitimate interests are not overridden by your rights.
• •Legal obligation (Article 6(1)(c)): where required by law, e.g. retaining financial records for HMRC purposes
• •Consent: where we ask for your consent (e.g. optional marketing communications), you may withdraw it at any time

• •Stripe Payments Europe Ltd (payments, partner payouts) — EU/UK — stripe.com/privacy
• •Anthropic, PBC (AI citation checking — Claude) — US — anthropic.com/privacy
• •OpenAI, LLC (AI citation checking — ChatGPT) — US — openai.com/policies/privacy-policy
• •Google LLC (AI citation checking — Gemini) — US — policies.google.com/privacy
• •xAI Corp (AI citation checking — Grok) — US — x.ai/legal/privacy-policy
• •Groq, Inc (AI citation checking — Llama models) — US — groq.com/privacy-policy
• •Perplexity AI, Inc (AI citation checking — Sonar) — US — perplexity.ai/hub/legal/privacy-policy
• •Resend Inc (transactional email delivery) — US — resend.com/privacy
• •Hetzner Online GmbH (cloud hosting infrastructure) — DE/EU — hetzner.com/legal/privacy-policy
• •Cloudflare, Inc (CDN, DDoS protection, DNS) — US — cloudflare.com/privacypolicy
• •Sentry.io / Functional Software Inc (error monitoring and diagnostics) — US — sentry.io/privacy

• •Disclosing the use of Unsourced monitoring tools in your own Privacy Policy
• •Obtaining any consent required under UK GDPR, EU GDPR, or other applicable law from your site visitors
• •Entering into a data processing agreement with Unsourced if required under Article 28 UK GDPR (contact rene@unsourced.app)

• •Trial account data: automatically deleted 30 days after collection
• •Standard and Pro account data: retained for 6 months (180 days) from the date of collection
• •Account data (email, name): retained for the duration of your account, then deleted within 30 days of account closure or deletion request
• •Financial records (Stripe billing data): retained for 7 years in accordance with HMRC requirements
• •Partner programme data: retained for the duration of programme participation, then deleted within 30 days of programme exit on written request
• •Error and diagnostic logs: retained for 90 days

• •Right of access: request a copy of the personal data we hold about you
• •Right to rectification: request correction of inaccurate or incomplete data
• •Right to erasure ("right to be forgotten"): request deletion of your personal data (subject to legal retention obligations)
• •Right to data portability: receive your data in a machine-readable format
• •Right to restriction: request that we limit how we process your data
• •Right to object: object to processing based on legitimate interests
• •Rights related to automated decision-making: we do not use solely automated decision-making that produces significant effects on individuals

• •All data in transit encrypted via TLS 1.2+
• •Passwords hashed using bcrypt (12 rounds)
• •Authentication tokens expire after 24 hours
• •API keys are unique per account
• •Access logs monitored for anomalies
• •Automated backups to encrypted object storage