What we collect
Two surfaces, both customer-initiated. Nothing happens until you submit a form.
The marketing site (web-cited.com). Zero cookies, zero analytics, zero third-party scripts. We do not count visits, sessions, referrers, IPs, or any other identifier. The only thing the site writes to your browser is a single local-storage key (wc-notice-dismissed-v1) that remembers you closed the privacy notice. That key never leaves your browser and is never transmitted to us.
The intake form at /start. The fields you fill in are submitted to our own API at api.web-cited.com:
- Contact: first and last name, work email.
- Company: company name and website.
- Audit scope: the primary market you serve, whether you have a storefront or service area, a short business description, the buyer questions you want us to test across the engines, and your competitor list.
- Tier and consent: the audit tier you've selected (Pulse, SXO Audit, or Enterprise) and your explicit acknowledgment of our scope and consent language.
The contact form at /contact. The same API endpoint receives your name, email, subject category, and message body. Nothing else.
We do not have an upload widget. The only files that ever move into our systems are the ones we generate during an audit (your report PDF, your Playbook, your Schema Pack) - we do not accept arbitrary file uploads from customers.
Where the data lives
Marketing site - Cloudflare Pages. The static HTML, CSS, JavaScript, and images at web-cited.com are served by Cloudflare Pages through Cloudflare's global edge network. DNS for web-cited.com is also provided by Cloudflare. Cloudflare may retain access logs (including IP addresses and request headers) at the infrastructure level for security and content delivery; Web Cited does not access, request, or retrieve those infrastructure logs.
Intake API - Cloudflare Workers. The endpoint at api.web-cited.com that receives intake and contact submissions runs on Cloudflare's edge-compute platform. At-rest operational data for the intake API (the submission record, scope notes, and audit-trail metadata) is stored on Cloudflare's storage backends, encrypted at rest and in transit (TLS terminating at Cloudflare's edge).
Audit pipeline - Railway. The audit pipeline at audit.web-cited.com runs on Railway, a managed application hosting platform. Railway executes the audit and stores intermediate audit state (your submitted URLs, buyer questions, and per-engine LLM responses) during processing. Railway may retain access logs at the infrastructure level under its own privacy policy.
CRM and email transit. Your contact record and deal record live in HubSpot. Transactional emails (scope confirmation, kickoff, follow-up) are sent through Resend on a verified Web Cited sub-domain. Invoices and hosted checkout run through Stripe; Web Cited never sees your card data.
No analytics, no tracking, no fingerprinting. The marketing site makes no third-party requests on page load - every asset on every page is served from web-cited.com itself. There is no Google Analytics, no Plausible, no Fathom, no server-side analytics, no chat widget, no embedded video, no marketing pixel.
Who has access
Web Cited personnel. Aliso LLC dba Web Cited personnel with engagement scope. Today this is the founder. Access to the intake API, CRM, and audit pipeline is via per-platform consoles with two-factor authentication.
Subprocessors. The current subprocessor list mirrors Terms of Service §6.7 and our Privacy Policy:
Personal-data processors (handle your contact details, company information, and payment information):
- Cloudflare - marketing site (Pages), intake API (Workers), and at-rest operational storage.
- HubSpot - CRM holding your contact and deal records.
- Resend - transactional email delivery for scope, kickoff, and follow-up emails.
- Stripe - payment processor for invoices and hosted checkout. Web Cited never sees your card data.
Audit-content backends (process your Customer Content - buyer questions, brand and competitor list, URLs; do not directly receive your name, email, or other contact details):
- Railway - managed hosting that runs the audit pipeline and stores intermediate audit state during processing.
- OpenAI, Anthropic, Google (Gemini), and Perplexity - LLM backends queried with your buyer questions to test how each engine answers.
- DataForSEO - structured search-engine and SERP data provider.
Each provider acts as a data processor under our instructions and is governed by its own privacy policy and our data-processing agreement with it. The authoritative current list is in our Privacy Policy.
What we never do
- We never train AI models on your data. Your buyer questions, competitor list, URLs, and intake content are used to produce your audit and nothing else. We do not feed your Customer Content into model training pipelines, embeddings stores, or fine-tuning datasets.
- We never sell, share, or transfer your data to third parties beyond the named subprocessors above. Not for analytics, not for marketing, not for any commercial purpose. No data brokers. No advertising partners.
- We never add you to a marketing list. Submitting the intake form or the contact form does not enroll you in a newsletter, drip sequence, or nurture campaign.
- We never run analytics or tracking on the marketing site. No Google Analytics, Plausible, Fathom, Mixpanel, Segment, or server-side analytics. No ad pixels. No fingerprinting. No third-party fonts. The site sets zero cookies.
- We never transmit sensitive content through email bodies. Transactional emails contain links to documents and engagement metadata, not the underlying Customer Content.
- We never store your card data. Payment data is handled entirely by Stripe under Stripe's terms; Web Cited's systems do not see card numbers, CVCs, or expirations.
- We never publish your audit content. Public sample artifacts on the site are built from publicly available data or from customers who have explicitly approved publication; real Customer Content never lands in marketing assets.
How long we keep it
Default retention periods, mirrored from our Privacy Policy. You can request earlier deletion at any time (see below).
- Intake-form data and CRM record (your contact details, company, deal record, scope notes): retained while the relationship is active and for as long as we may reasonably need it for follow-up engagements, dispute resolution, and operational records. Indefinite by default; deleted within 30 business days of a deletion request, subject to the legal-records carve-out below.
- Email correspondence (scope, kickoff, follow-up, support, ad-hoc threads): retained in Resend's logs and in our mail provider's archive while the relationship is active. Indefinite by default; deleted within 30 business days of a deletion request.
- Intake API operational data (the at-rest record on Cloudflare's storage): retained for the duration of the engagement and for normal operational purposes (debugging, audit-trail integrity, abuse prevention) thereafter. Deleted within 30 business days of a deletion request.
- Playbook URL content (Audit and Enterprise tiers): 12 months hosted at a private URL, plus 12 months in archive, then deleted at 24 months from delivery unless a separate retention agreement applies. Full schedule in Terms of Service §6.1.
- Paid invoices and tax records: 7 years, retained by Stripe and by Web Cited as required by U.S. and California tax and accounting law. We can remove your name and company from any draft, unpaid, or voided invoice on request, but cannot delete paid-invoice records during the retention period.
- Local-storage notice-dismissed key (wc-notice-dismissed-v1): set in your browser only; never transmitted to Web Cited or any third party. Persists until you clear browser site data.
Legal-records carve-out. We may retain specific records longer than the periods above where required by law (tax and accounting records, records under legal hold or active dispute resolution). The carve-out is narrow and applies only to the specific records covered.
If something goes wrong
Breach notification. If we confirm unauthorized access to, loss of, or disclosure of personal data we control, we will notify affected customers without undue delay - and in any event consistent with our obligations under applicable law. The notification will identify the nature of the incident, the data categories involved, our containment steps, and any action we recommend you take.
How to report a suspected incident or vulnerability. Use the contact form with subject "SECURITY". The form routes straight to a human inbox. We commit to acknowledging within one business day and substantively responding within five business days. Please include enough detail to reproduce the issue: affected URL, expected vs observed behavior, and any payload or steps. We do not currently operate a paid bug-bounty program but we credit responsible disclosure in any post-incident notes when the reporter requests it.
We ask that you do not publicly disclose a suspected vulnerability before we have had a reasonable opportunity to respond and remediate.
Compliance posture, honestly
We aim to be straight about what we do and do not have today.
- SOC 2: not currently certified. If your procurement function requires SOC 2 to onboard a vendor, contact us; we can provide our subprocessor list, this security page, the privacy policy, and security questionnaire responses as an interim.
- ISO 27001: not currently certified.
- GDPR / UK GDPR: we serve a primarily US business audience but where GDPR or UK GDPR applies to a given engagement we honor the data-subject rights described in our Privacy Policy (access, rectification, deletion, portability, objection) and rely on the legal bases set out there (performance of contract, legitimate interests, legal obligation, consent).
- California privacy laws (CCPA / CPRA): we honor data-subject access and deletion requests through the process described in the Privacy Policy. We do not sell or share personal information as those terms are defined under the CCPA/CPRA.
- HIPAA: not applicable. Web Cited does not collect, store, or process Protected Health Information (PHI). Audits in regulated industries (healthcare, finance, etc.) should not include PHI or other regulated data in the intake.
- PCI DSS: Web Cited's systems do not store, process, or transmit cardholder data. All card handling is performed by Stripe, which maintains its own PCI DSS attestation.
- Governing law and entity: Web Cited is the trade name of Aliso LLC, a California limited liability company located in Orange County, California. These commitments are governed by California law, consistent with Terms of Service §15.
How to verify these claims
Three ways to confirm what is on this page.
- Read the Terms of Service and Privacy Policy. Both are click-wrap accepted at intake and are the binding versions of the commitments above. If anything on this page differs from those documents, the legal documents govern.
- Inspect the marketing site. Open browser devtools on any page of web-cited.com and watch the network tab: every asset is served from the same origin, no third-party requests fire on page load, and no cookies are set. The single local-storage key is named wc-notice-dismissed-v1 and never leaves your browser.
- Ask a security or procurement question. Use the contact form with subject "SECURITY" and we will respond in writing within two business days.
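The devtools inspection described above can also be scripted. This is an added example, not Web Cited's own code: it audits a snapshot of a page against the three claims (same-origin assets, zero cookies, one local-storage key). The function names auditSnapshot and snapshotFromBrowser are chosen for this example, and the sample URLs, cookie names, and extra storage key are constructed.

```javascript
// Added example: checks a page snapshot against the claims on this page.
const ALLOWED_STORAGE_KEYS = new Set(["wc-notice-dismissed-v1"]);

function auditSnapshot({ pageOrigin, resourceUrls, cookieString, storageKeys }) {
  // Any resource whose origin differs from the page's origin is third-party.
  const thirdParty = resourceUrls.filter((raw) => {
    try {
      return new URL(raw, pageOrigin).origin !== pageOrigin;
    } catch {
      return true; // unparseable URL: report it rather than ignore it
    }
  });
  // document.cookie is "name=value; name=value"; keep only the names.
  const cookies = cookieString
    .split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter(Boolean);
  const unexpectedKeys = storageKeys.filter((k) => !ALLOWED_STORAGE_KEYS.has(k));
  const pass = thirdParty.length + cookies.length + unexpectedKeys.length === 0;
  return { pass, thirdParty, cookies, unexpectedKeys };
}

// Collects the snapshot in a browser console. document.cookie cannot see
// HttpOnly cookies, so confirm those in the devtools storage view as well.
function snapshotFromBrowser() {
  return {
    pageOrigin: location.origin,
    resourceUrls: performance.getEntriesByType("resource").map((e) => e.name),
    cookieString: document.cookie,
    storageKeys: Object.keys(localStorage),
  };
}

// Constructed samples (not captured from the real site).
const CLEAN_SAMPLE = {
  pageOrigin: "https://web-cited.com",
  resourceUrls: ["https://web-cited.com/assets/site.css", "/img/logo.svg"],
  cookieString: "",
  storageKeys: ["wc-notice-dismissed-v1"],
};
const DIRTY_SAMPLE = {
  pageOrigin: "https://web-cited.com",
  resourceUrls: ["/img/logo.svg", "https://cdn.example.net/widget.js"],
  cookieString: "_ga=GA1.2.123; sid=abc",
  storageKeys: ["wc-notice-dismissed-v1", "ajs_user_id"],
};

if (typeof document !== "undefined") console.log(auditSnapshot(snapshotFromBrowser()));
else console.log(auditSnapshot(CLEAN_SAMPLE), auditSnapshot(DIRTY_SAMPLE));
```

Pasted into the devtools console after a page has finished loading, the script audits the live page; run under Node, it audits the two constructed samples instead.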
This page is a public commitment. We update it as our infrastructure changes; the date below shows when it was last reviewed.
Last reviewed: May 10, 2026.