Privacy Policy

Last updated: March 21, 2026

This Privacy Policy explains how AiCitationChecker ("we," "us," or "our"), accessible at aicitationchecker.org, collects, uses, and protects your personal data when you use our Service. It is written to comply with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and applicable Romanian data protection law.

1. Data Controller

The data controller responsible for your personal data is:

AiCitationChecker
Email: contact@aicitationchecker.org
Website: aicitationchecker.org

2. What Data We Collect

We collect only the data necessary to provide and improve the Service. We do not use tracking pixels, advertising cookies, or behavioral profiling, and we do not sell your data to any third party.

2.1 Account Information

Username — to identify your account
Email address — for authentication, account management, and service communications
Hashed password — stored as a one-way cryptographic hash; we never store your password in plain text

2.2 Usage Data

Verification history — the references you submit for verification and the results returned
Credit usage logs — records of credit consumption per verification request
Session logs — IP address, browser/client type, timestamps of login and activity, for security and debugging purposes

2.3 API Keys

If you generate an API key for programmatic access, we store that key (in hashed or encrypted form) linked to your account.

2.4 Payment Data

We do not collect or store any payment card information. All billing and payment processing is handled exclusively by Lemon Squeezy. The only payment-related data we retain is confirmation of your active plan tier and credit balance.

2.5 Cookies

We use session cookies only — strictly functional cookies required to maintain your authenticated session while you are logged in. We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. See our Cookie Policy for details.

3. Legal Basis for Processing (Art. 6 GDPR)

Data Category	Purpose	Legal Basis
Account information (email, username)	Account creation, authentication, service communications	Contract — Art. 6(1)(b)
Hashed password	Secure authentication	Contract — Art. 6(1)(b)
Verification history	Providing results; allowing review of past queries	Contract — Art. 6(1)(b)
Credit usage logs	Tracking credit consumption; billing accuracy	Contract — Art. 6(1)(b)
Session logs (IP, timestamps)	Security, fraud prevention, abuse detection	Legitimate interests — Art. 6(1)(f)
API keys	Enabling programmatic access	Contract — Art. 6(1)(b)

4. How We Use Your Data

Service delivery — processing your reference verification requests and returning results
Account management — managing your plan, credits, and session
Security — detecting and preventing unauthorized access, abuse, and fraud
Service improvement — understanding aggregate usage patterns (anonymized data only)
Communications — transactional emails only (password resets, plan activation, significant service changes); no marketing emails without explicit consent

5. Third-Party Data Processors

5.1 CrossRef (Crossref.org)

When you submit a reference for verification, the reference text (bibliographic metadata such as title, authors, and DOI) is sent as a query to the CrossRef public API. CrossRef is a US-based non-profit. Only the reference text string you submit is transmitted — no account information or identity data is sent to CrossRef. We rely on the necessity of the transfer for contract performance (Art. 49(1)(b) GDPR).

5.2 Lemon Squeezy

Payment processing is handled by Lemon Squeezy LLC, Salt Lake City, UT, USA. Lemon Squeezy acts as the Merchant of Record for all purchases and processes billing data directly from you. Lemon Squeezy has a GDPR-compliant Data Processing Agreement (DPA). AiCitationChecker receives only your email, plan tier, and transaction status from Lemon Squeezy — no card data is ever transmitted to or stored by AiCitationChecker. See Lemon Squeezy's Privacy Policy.

6. Data Retention

Data Type	Retention Period
Account data (email, username, hashed password)	While account is active + 30 days after deletion
Verification history	While account is active + 30 days after deletion
Credit usage and billing records	Up to 5 years (Romanian/EU financial record-keeping obligations)
Session logs (IP, timestamps)	Up to 90 days, then automatically deleted
API keys	Until revoked by you or upon account deletion

7. Your Rights Under GDPR

You may exercise any of these rights by contacting us at contact@aicitationchecker.org:

Right of access (Art. 15) — request a copy of your personal data
Right to rectification (Art. 16) — request correction of inaccurate data
Right to erasure (Art. 17) — request deletion ("right to be forgotten")
Right to data portability (Art. 20) — receive your data in a machine-readable format
Right to restriction of processing (Art. 18) — request restricted processing in certain circumstances
Right to object (Art. 21) — object to processing based on legitimate interests
Right to withdraw consent — where processing is based on consent, you may withdraw at any time

We will respond to all requests within 30 days.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including: password hashing, HTTPS/TLS encryption, session-based authentication with automatic expiry, encrypted API key storage, and access controls on a need-to-know basis.

If we become aware of a data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.

9. International Data Transfers

AiCitationChecker's primary systems are operated within the European Union. Third-party processors involving US transfers:

CrossRef — reference text queries only; no personal account data; transfer necessary for contract performance (Art. 49(1)(b))
Lemon Squeezy — payment processing; covered by a GDPR-compliant DPA

10. Children's Privacy

AiCitationChecker is not directed at children under the age of 16. If you believe a child under 16 has provided us with personal data, contact us at contact@aicitationchecker.org and we will delete it promptly.

11. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
Bulevardul General Gheorghe Magheru 28–30, Sector 1, 010336 București, România
Phone: +40 318 059 211
Email: anspdcp@dataprotection.ro
Website: www.dataprotection.ro

We encourage you to contact us first — most concerns can be resolved quickly and directly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and notify registered users by email at least 14 days before the changes take effect.

13. Contact

AiCitationChecker
Email: contact@aicitationchecker.org
Website: aicitationchecker.org