Version 1.4

May 11, 2026

Privacy Policy

What we collect, why we collect it, and the rights you have in relation to your information.

1. About this policy

This Privacy Policy describes how Outercite (“Outercite”, “we”, “us”, or “our”) collects, uses, discloses, and safeguards information when you visit outercite.ai or any of our .com / .com.au domain extensions, or use the Outercite web application at outercite.ai or app.outercite.com, any Outercite-branded sub-products (CitePulse™, Vericite™, Citezens™, Citescout™, Nextcite™, Citerank™, Recite™), our APIs, browser extension, email, or any related service (together, the “Services”).

This document is written to satisfy the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth), the EU General Data Protection Regulation (GDPR) and UK GDPR, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). Where any regional obligation imposes additional protections, those apply in addition to the baseline commitments here.

By using the Services you confirm that you have read this policy. If you do not agree with it, please do not use the Services.

2. Who we are

The Services are operated by Outercite Pty Ltd (ACN / ABN to be inserted once company registration is finalised), a company incorporated in Australia with its principal place of business in Perth, Western Australia. For the purposes of the GDPR, Outercite is the data controller of personal data you provide to us directly, and a data processor where we handle personal data on behalf of an agency customer or workspace administrator.

Our postal address, data protection contact, and EU / UK representative details are listed in the Contact us section below.

3. Information we collect

We collect only what we need to run the Services and meet legal obligations. Categories:

3.1 Information you provide directly

  • Account details — name, email address, organisation name, password (hashed by our authentication provider), role, profile picture if you choose to add one.

  • Business profile information — the business name, website, physical address, phone number, service areas, industry category, keywords and prompts you want tracked, competitors you've identified, and any branding assets you upload.

  • Billing information — billing address and tax ID. Payment card and banking details are collected and stored by our payment processor (Stripe) and are never stored on Outercite servers.

  • Communications — messages you send us via support forms, email, chat, or social channels; feedback, bug reports, and feature requests.

  • Integration credentials — OAuth tokens for services you choose to connect (Google Search Console, Google Business Profile, Slack, etc.). Tokens are encrypted at rest.

3.2 Information we collect automatically

  • Usage and diagnostic data — pages viewed, features used, in-app actions, error logs, API calls, request identifiers, approximate geographic region derived from IP.

  • Device and connection data — IP address, browser type and version, operating system, device model, language preferences, time zone.

  • Cookies and local storage — see the Cookie Policy for detail. We use a small number of strictly necessary cookies and short-lived storage keys; we do not currently deploy advertising or cross-site tracking cookies.

3.3 Information generated by the Services

Outercite queries third-party AI search engines (ChatGPT, Claude, Gemini, Perplexity, Grok, DeepSeek) using your keywords and prompts, then records the responses. The responses themselves may contain names, business names, URLs, and excerpts of publicly available content. We treat the raw responses, our confidence judgements, and any derived insights as data “relating to” your business profile rather than to you personally, but where such output happens to identify an individual, it is treated as personal information and subject to this policy.

3.4 Information from third parties

  • Identity and fraud checks received from our authentication and payment providers.

  • Public data fetched from sources you point us at — your own site, your competitors' public sites, Australian Bureau of Statistics open data, public search results.

  • Enrichment from third-party data services (e.g. Perplexity research, Google Search Console if connected) that supply information about your business and market.

3.5 Information we do not knowingly collect

  • Sensitive personal information (health, religion, sexual orientation, union membership, criminal history). Do not submit such data to the Services.

  • Government-issued identification numbers (passport, driver licence, TFN) — unless strictly required for tax or anti-money-laundering compliance on enterprise contracts, and only through a separate, agreed channel.

  • Personal information about individuals under 18 (see Children).

4. How we use information

We use information to:

  • Provide, operate, personalise, and improve the Services.

  • Authenticate users, enforce account permissions, and prevent abuse.

  • Process payments, send receipts, manage subscriptions, and handle refund requests.

  • Run the multi-agent prediction engine, generate reports, and deliver insights.

  • Send operational communications (service notices, security alerts, important account updates) — these cannot be opted out of while you hold an active account.

  • Send marketing communications where permitted by law — you can unsubscribe at any time via the link in every marketing email.

  • Provide customer support and respond to enquiries.

  • Monitor service health, debug errors, measure performance, and maintain security.

  • Comply with legal, tax, regulatory, and law-enforcement obligations.

  • Defend or exercise our legal rights.

  • Aggregate and anonymise data for internal research, benchmarks, and product development. Anonymised data that cannot reasonably be linked back to you is not subject to this policy.

We do not sell personal information. We do not “share” personal information for cross-context behavioural advertising as defined under CCPA/CPRA.

5. Legal bases for processing (GDPR)

If you are in the European Economic Area or the UK, our legal bases are:

  • Contract — to provide the Services you've signed up for (Article 6(1)(b)).

  • Legitimate interests — product improvement, fraud prevention, security monitoring, and internal analytics, where these don't override your rights (Article 6(1)(f)).

  • Consent — where you opt in to marketing communications or non-essential cookies. You can withdraw consent at any time (Article 6(1)(a)).

  • Legal obligation — when we must retain or disclose data to comply with law (Article 6(1)(c)).

6. How we share information

We share information only in the limited circumstances below.

6.1 Within your organisation or agency workspace

Outercite supports multi-tenant accounts. Data you create within an organisation or agency workspace is visible to other authorised members of that organisation, subject to role-based permissions. Agency account holders may see data for their own client workspaces. You are responsible for managing who has access within your organisation.

6.2 Service providers and sub-processors

We engage trusted vendors to operate the Services. Each vendor is bound by contractual confidentiality and data-protection obligations, and handles personal information only under our instructions. See Third-party service providers.

6.3 Legal and safety

We may disclose information when required by law (court order, subpoena, government demand), to comply with tax or anti-fraud obligations, to enforce our terms, or to protect the safety, rights, or property of Outercite, our customers, or the public. Where lawful, we will notify you of legal demands for your data before producing it.

6.4 Corporate events

If Outercite is involved in a merger, acquisition, investment, financing, reorganisation, or sale of assets, we may transfer information to the acquiring or surviving entity. Successor entities will be bound by this policy (or one offering substantially similar protections).

6.5 With your consent

Any other disclosure — only with your explicit, specific consent.

7. Third-party service providers

The following providers process personal data on our behalf. This list is current as of the “Last updated” date above and may change; material changes will be reflected here and, where required, notified in advance.

7.1 Infrastructure and storage

  • Cloud Servers (Sydney region) — primary application hosting.

  • Cloud Servers USA — background worker and prediction-engine compute.

  • Supabase / PostgreSQL — primary database hosting.

  • Redis — caching and job queue.

7.2 Authentication and identity

  • Clerk — user authentication, organisation management, session handling.

7.3 Payments

  • Stripe — subscription billing, card processing, invoicing. Payment card data is tokenised by Stripe and never stored on Outercite servers. Stripe's own privacy notice is incorporated by reference.

7.4 AI and search providers

To measure how AI search engines cite businesses, we submit queries to the following providers. Queries may include your business name, keywords, and prompts — details that you have configured to be submitted. Each provider has its own data-handling terms.

  • OpenAI — ChatGPT, GPT-4 family, GPT-4.1-mini (

  • Anthropic — Claude family

  • Google — Gemini

  • DeepSeek — DeepSeek Chat

  • Perplexity — Perplexity Sonar

  • xAI — Grok

We negotiate, where possible, that our traffic is excluded from provider-side model training. We do not send your account profile, billing information, or unrelated content to these providers.

7.5 Communications

  • Resend — transactional and marketing email delivery.

  • Slack — if you connect it, for notifications.

  • Twilio — optional WhatsApp / SMS delivery for alerts.

7.6 Observability

  • Sentry / GlitchTip — error and exception tracking.

  • Prometheus / Grafana / Loki — self-hosted metrics and logging.

7.7 Blockchain and NFT infrastructure

  • Base (Coinbase L2) — on-chain minting of agent-citizen NFTs.

  • IPFS pinning for NFT metadata and avatars. IPFS content is public and may be cached by third parties indefinitely once pinned.

A full, current sub-processor list is available on request to team@outercite.com.

8. International data transfers

Outercite is headquartered in Australia, with data stored primarily in Sydney, but some sub-processors (notably Stripe, Clerk, the AI providers listed above, and blockchain infrastructure) process data in the United States, the European Union, or other jurisdictions. When we transfer personal data from Australia, the EEA, or the UK to another country, we rely on one or more of:

  • The European Commission's adequacy decisions, where available.

  • Standard Contractual Clauses approved by the European Commission.

  • The UK International Data Transfer Addendum or IDTA.

  • Your informed consent for the transfer, where appropriate.

Blockchain data is inherently global and, once written to a public chain, cannot be geographically restricted.

9. Data retention

We retain personal information only as long as necessary for the purposes set out in this policy, or as required by law. Specific guidelines:

  • Account data — retained while your account is active and for up to 12 months after deletion, for recovery, dispute resolution, and audit purposes.

  • Citation monitoring history — retained for the duration of your subscription plus 90 days, unless you request earlier deletion.

  • Billing records — retained for at least 7 years as required by Australian tax law.

  • Communications with support — retained for 3 years.

  • Error logs and diagnostic data — typically 90 days; longer for incidents under investigation.

  • Backups — rolling window of up to 35 days before overwriting.

  • On-chain data — immutable; see Blockchain & on-chain data.

10. Your rights

Depending on your location and applicable law, you may have some or all of the following rights in relation to your personal information:

  • Access — request a copy of the personal data we hold about you.

  • Correction — ask us to correct inaccurate or incomplete data.

  • Deletion — ask us to delete personal data we no longer need.

  • Portability — receive your data in a structured, machine-readable format.

  • Objection — object to processing based on legitimate interests.

  • Restriction — ask us to limit how we process your data.

  • Withdraw consent — where our processing is based on consent.

  • Opt out of marketing — unsubscribe from marketing email at any time.

  • Lodge a complaint — with your local data-protection authority (see below).

To exercise any of these rights, email team@outercite.com. We will respond within 30 days, or sooner where required by applicable law. We may need to verify your identity before fulfilling a request. There is no charge for exercising your rights, unless the request is manifestly unfounded or excessive.

11. Australian Privacy Principles (Australian residents)

Outercite handles personal information in accordance with the 13 Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). You may request a copy of this policy in an alternate format, ask how we handle your personal information, or complain about a possible breach. Send requests to team@outercite.com marked “APP enquiry”.

If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

12. European / UK residents (GDPR)

If you reside in the EEA, Switzerland, or the UK, you have the rights listed in Section 10 above. You may also lodge a complaint with your local supervisory authority. A list of EU authorities is available at edpb.europa.eu. For UK complaints, contact the Information Commissioner's Office at ico.org.uk.

Outercite will appoint an EU representative and UK representative as required once EU / UK service is offered and registered; their contact details will appear here.

13. California residents (CCPA / CPRA)

California residents have specific rights under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020, including the right to know, the right to delete, the right to correct, the right to limit the use of sensitive personal information, and the right to opt out of the sale or sharing of personal information.

In the preceding 12 months, Outercite has collected the following categories of personal information described in Cal. Civ. Code § 1798.140: identifiers; commercial information; internet or other network activity; geolocation (at country / region level); professional or employment-related information; and inferences drawn from the above. We have disclosed categories of personal information for business purposes (operating the Services) to the service providers listed in Section 7. We have not sold or shared personal information as those terms are defined under the CCPA/CPRA, and we do not use or disclose sensitive personal information for purposes requiring the right to limit.

California residents may authorise an agent to make a request on their behalf in accordance with applicable law. To exercise these rights, email team@outercite.com with the subject line “California Privacy Request”.

14. Children

The Services are intended for use by businesses and professionals aged 18 or older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us personal information, contact privacy@outercite.com and we will delete it promptly.

15. Security

We apply industry-standard technical and organisational measures to protect personal information, including transport-layer encryption (TLS 1.2+), encryption at rest for sensitive fields, access controls, role-based permissions, continuous monitoring, and regular backups. A more detailed overview is available on our Security page.

No system is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you as soon as reasonably practicable and in accordance with applicable law (including the Notifiable Data Breaches scheme under Australian law, Articles 33–34 of the GDPR, and equivalent laws elsewhere).

16. AI and automated decision-making

Outercite is an AI-driven product. You should be aware that:

  • The Services query third-party large language models and return their output. We do not control what those models say and cannot guarantee the factual accuracy, completeness, timeliness, or absence of bias in their responses.

  • Our prediction engine runs multi-agent simulations and produces forecasts. Forecasts are probabilistic, not guarantees. Do not rely on them as the sole basis for material business decisions.

  • We do not use your personal information to make decisions that produce legal or similarly significant effects about you without human involvement.

  • Autonomous agent actions (“Citezens”) run with the permissions you configure. You control the autonomy level, can pause or revoke at any time, and are responsible for reviewing actions that exceed your comfort threshold.

17. Blockchain and on-chain data

If you opt in to the Citezens™ NFT feature, the following are written to the Base (Coinbase Layer-2) public blockchain:

  • A token ID for each of your agent citizens.

  • The hash of your organisation's identifier (not the identifier itself).

  • A pointer to an IPFS metadata document containing the agent's persona fields and an avatar image.

  • The custodial wallet address that holds the tokens on your behalf.

Public blockchain data is immutable. Once a transaction is confirmed it cannot be modified or deleted, even at your request. IPFS content may persist on nodes beyond our control. Before minting, consider whether you are comfortable with this permanence. You can decline to mint; the Services function without NFTs.

18. Cookies and similar technologies

We use a small number of cookies and browser storage keys to operate the Services. A detailed breakdown (category, purpose, provider, duration) is in our Cookie Policy.

19. Changes to this policy

We may update this policy from time to time. When we do, we'll revise the “Last updated” date at the top. Material changes will be announced by email (to the primary contact of record for each account) and in-app notice at least 14 days before they take effect, where practicable. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

20. Contact us

Data protection enquiries: team@outercite.com

General legal enquiries: team@outercite.com

Postal address: Outercite Pty Ltd, 38 King Edward Road, Osborne Park, Western Australia