Privacy Policy
Last Updated: May 19, 2026
Overview
Flynk11 Ltd ("we", "us", "our") operates Cite42, a pay-per-call REST API and Model Context Protocol (MCP) server that retrieves AI search visibility data from third-party large language models (collectively, the "Service"). This Privacy Policy explains how we collect, use, and share information when you sign up for an account, top up credits, or call the API directly or via MCP. By using the Service you agree to the data practices described in this policy. In essence, we collect the minimum personal and usage data we need to run the Service, process it lawfully under UK and EU data protection rules, and never sell it to anyone.
Information We Collect
We collect the following categories of information from users of the Service:
- Account Information: When you create an account we collect your email address, authentication identifiers and (if you choose to provide them) your name, organization, and country. Authentication is handled by our processor Clerk; you may also sign in with a federated identity provider (Google, GitHub) in which case Clerk receives the identifiers permitted by that provider.
- Billing Information: When you top up credits we collect billing email, country, and a Stripe customer ID. Full payment card numbers are not collected, transmitted to, or stored by us; they are entered into and held by Stripe, our PCI-compliant payment processor. We receive a tokenized payment-method reference, the amount, the success/failure status, and (where Stripe provides them) tax-relevant fields such as VAT number and billing country.
- API Inputs: When you call the API or invoke an MCP tool, we receive and process the request body (for example, the brand name, prompt set, URL, or competitor list you submit). These inputs are necessary to perform the operation you requested. We store the request and a sanitized excerpt of the response for billing, dispute resolution, debugging, and limited service improvement.
- API Outputs: The data returned by Cite42 (rankings, citations, mention rates, sentiment scores) is generated by third-party language models on your request. It is associated with your account so that you can read your past results (always free of charge) and so that we can debug failures.
- Usage and Telemetry Data: Like most online services we automatically collect technical data about how you use the Service: API key prefix used, endpoint called, status code, latency, model providers invoked, credits debited, and the IP address and User-Agent of the request. This data lets us bill correctly, enforce rate limits, troubleshoot, and detect abuse.
- Cookies and Similar Technologies: We use a small number of strictly necessary cookies for authentication and a cookie that records your cookie preferences. We do not use advertising or cross-site tracking cookies. See our Cookie Policy for the full list.
We do not knowingly collect, and ask you not to send us, special-category data (race, health, political opinions, biometrics, sexual orientation), or personal data about identifiable individuals other than yourself. The API is designed to query AI models about brands, products, and public topics, not about private individuals; see the Terms of Service for the corresponding restriction.
How We Use Information
We use the information we collect for the following purposes:
- Providing the Service: Authenticating you, accepting API requests, routing them to the appropriate model providers, returning structured results, debiting credits, and storing your past results so you can read them again at no cost.
- Billing and Fraud Prevention: Charging your selected payment method via Stripe, maintaining an immutable credit ledger, calculating taxes where applicable, and detecting payment fraud, credit-card testing, abusive account creation, and API-key compromise.
- Rate Limiting and Abuse Detection: Counting requests per key, per IP, and per account; identifying patterns consistent with scraping for resale outside the white-label tier, mass-querying of private individuals, or automated abuse.
- Service Improvement: Analyzing aggregated and de-identified usage telemetry to debug failures, tune performance, and improve which model providers we use. We do not use the substantive content of your inputs or outputs to train any model. See the AI Processing section below.
- Communication: Sending account-related notifications (e.g. low credit balance, key compromise, security alerts, material changes to these policies). We do not send marketing emails without your explicit opt-in.
- Legal Compliance: Retaining records for tax accounting, responding to lawful requests from competent authorities, and enforcing our agreements.
We do not sell personal data. We do not engage in "sharing" of personal data for cross-context behavioral advertising as defined under U.S. state privacy laws.
AI Processing
The core function of Cite42 is to forward your query to one or more third-party large language model APIs (and, where applicable, to retrieve information from publicly accessible AI-generated search surfaces) and return structured results. To do this, we transmit the request you submit (your brand name, prompts, competitors, URL, or other input) together with the minimum metadata required for the call. The set of model providers we route to may change over time as models are added, retired, replaced, or temporarily unavailable, and we reserve the right to modify it without further notice. The model providers we currently route to can be obtained on request by emailing privacy@flynk11.com.
We use commercial API access to these providers, not consumer products, and where a provider offers a setting that prevents API content from being used to train its general models, we have enabled that setting. We do not opt you in to model training on your behalf. Each model provider operates under its own terms of service and privacy policy, which you can review on the provider's own website.
We do not use the substantive content of your inputs or Cite42's outputs to train any AI model owned or operated by Flynk11. Aggregated, de-identified telemetry (e.g. "requests per endpoint per day", "average latency by model") may be used to improve routing, caching, and reliability. Anonymized, fully aggregated usage statistics (e.g. "how often Cite42 calls were made last month") may be published in marketing material.
Cross-customer caching. If two customers submit the same prompt to the same model on the same day, we may serve both customers from a single underlying model call. The cached payload contains the model's answer to the prompt, not any account-identifying information. Cache lookups are scoped to public, non-personal prompts; we do not cache or share requests that reference private individuals or appear to contain personal data.
Legal Bases for Processing (UK/EEA)
If you are in the United Kingdom or the European Economic Area, our processing of your personal data is governed by the UK GDPR, the EU GDPR, and the UK Data Protection Act 2018. We rely on the following Article 6 bases:
- Contract: Processing your account, API requests, payment transactions, and results is necessary to deliver the Service you have purchased.
- Legitimate Interests: Operating, securing, and improving the Service, including rate limiting, abuse detection, debugging, and aggregated analytics, is in our legitimate interest, and is not overridden by your fundamental rights and freedoms given the technical and minimal nature of the data involved.
- Consent: Non-essential cookies and any marketing emails are only set or sent on the basis of your prior, freely given, specific and revocable consent.
- Legal Obligation: Retention of billing records for tax purposes and disclosures to competent authorities are based on legal obligations to which we are subject.
Sharing of Information
We do not sell personal data and we do not engage in cross-context behavioural advertising. We share information only with the limited set of recipients described below, each under a written agreement requiring confidentiality and appropriate safeguards.
Operational subprocessors
The following service providers help us run the Service and process limited categories of your personal data on our behalf:
| Provider | Function | Data category |
|---|---|---|
| Clerk | Account authentication and session management | Email, OAuth identifiers, session tokens, IP, User-Agent |
| Stripe | Payment processing for credit top-ups | Billing email, billing country, payment-method token, VAT identifier where supplied. Full payment-card details are held by Stripe, not by us. |
| Cloud infrastructure providers | Application hosting, database storage, logs, backups | All Service data at rest and in transit, stored primarily in the European Economic Area. |
Third-party AI model providers
The Service routes each query you submit to one or more independent third-party large language model providers and, where applicable, to publicly accessible AI-generated search surfaces, in order to retrieve the structured answer you requested. We do not control these providers; we use their commercial APIs under their own terms of service. The set of providers we route to may change over time as models are added, retired, replaced, or temporarily unavailable. We reserve the right to modify the set of model providers used by the Service at our discretion, without further notice to you, provided the Service continues to deliver its advertised function.
The content actually transmitted to a model provider is the request you submit (for example, a brand name, prompt, URL, or competitor list) together with the minimum metadata required for the call. We do not transmit your account identity, billing details, or unrelated personal data to model providers. Where a provider offers a contractual setting that prevents your API content from being used to train its general models, we have enabled that setting; we do not opt you in to model training on your behalf. A current list of the model providers we route to can be obtained on request by emailing privacy@flynk11.com.
Other recipients
We may also disclose information:
- where required by law or in response to a lawful request from a competent authority, including for tax, accounting, or law-enforcement purposes;
- where reasonably necessary to enforce our Terms of Service, to investigate suspected fraud, abuse, or security incidents, or to protect the rights, property, or safety of Flynk11, our users, or third parties;
- to professional advisers (such as lawyers, auditors, and accountants) bound by professional confidentiality obligations;
- in connection with a corporate transaction such as a merger, acquisition, financing, or sale of substantially all assets, in which case we will notify affected users and ensure that any acquirer remains bound by commitments at least as protective as this policy.
We do not share, sell, rent, or otherwise disclose personal data for advertising or marketing by third parties.
Data Retention
We retain personal data only as long as needed for the purposes described above. Our default retention windows are:
- Account data: while your account is active and for up to 90 days after deletion, after which it is purged or anonymized except where extended retention is required by law.
- API request and response logs: 180 days, after which they are deleted or aggregated into non-identifying statistics. Reading your own past results from your dashboard remains free during this window.
- Credit ledger and invoices: retained for the period required by UK and EU tax law (currently six years from the end of the relevant tax year).
- Security and abuse-detection logs: up to 12 months.
- Backups: rolling, encrypted, with a maximum 35-day cycle.
International Transfers
Flynk11 Ltd is established in the United Kingdom. Several of our subprocessors are established in the United States or process data globally. When we transfer personal data from the UK or EEA to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs, supplemented where appropriate by technical safeguards (TLS in transit, AES-256 at rest, strict access controls, and transfer risk assessments). You can request a copy of the safeguards applicable to a particular transfer by emailing privacy@flynk11.com.
Your Rights
Under the UK GDPR, EU GDPR, and equivalent laws (including the California Consumer Privacy Act and other U.S. state privacy laws where applicable), you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data (the "right to be forgotten"), subject to legal retention obligations.
- Restrict processing while a dispute or correction is pending.
- Port data you have provided to us in a structured, machine-readable format.
- Object to processing carried out on the basis of legitimate interests.
- Withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing).
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or another EU/EEA supervisory authority.
To exercise any of these rights, email privacy@flynk11.com. We will respond within one month of a verified request, extendable by up to two further months for particularly complex requests.
Security
We protect your data with TLS 1.2+ in transit, AES-256 at rest, role-based access control with multi-factor authentication for our team, audit logging, isolated environments, regular dependency patching, and an incident response procedure aligned with UK GDPR Article 33 breach-notification obligations. API keys are stored as SHA-256 hashes; we never see your plaintext key after the moment of creation and you are responsible for keeping it secret.
No system is perfectly secure. If we become aware of a personal data breach affecting your data, we will notify you and the relevant supervisory authority as required by law.
Children's Privacy
The Service is not directed to, and we do not knowingly collect data from, anyone under 16. If you become aware that a person under 16 has provided data to us, please contact us at privacy@flynk11.com and we will delete that data.
Automated Decision-Making
We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects on you. The Service generates AI search visibility data at your request and for your own analysis; Cite42 does not make decisions about you. We do use automated systems to enforce rate limits and to detect abuse; if a rate-limit or anti-abuse decision affects you, you can request human review at privacy@flynk11.com.
Changes to This Policy
We may update this Privacy Policy. The "Last Updated" date at the top reflects the most recent revision. Material changes will be communicated by email to the address on your account or via a prominent in-product notice at least 14 days before they take effect. Continued use of the Service after that point constitutes acceptance of the updated policy; if you do not agree, you may close your account.
Contact
For privacy questions, requests, or complaints:
- Email: privacy@flynk11.com
- Controller: Flynk11 Ltd, registered in England and Wales. Registered address and registration number are listed on the Legal Notice page.
- UK supervisory authority: Information Commissioner's Office, ico.org.uk