Privacy Policy
Last updated: 26 April 2026
1. Who we are
AICitta (“we”, “our”, “us”) is an independent career analytics service. For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018), AICitta is the data controller for the personal data described in this policy.
Contact: privacy@aicitta.com
2. What data we collect
| Data | Purpose | Basis |
|---|---|---|
| Anonymous session ID | Link your score to your report | Legitimate interest |
| Occupation title and tasks selected | Score calculation | Contractual necessity |
| Career Health Score and breakdown | Report generation | Contractual necessity |
| Email address (optional) | Deliver your PDF report | Consent |
| Payment data (card details) | Process £19 report purchase | Contractual necessity (handled by Stripe — we never see card numbers) |
We do not collect your name, address, date of birth, or any special category data as defined under UK GDPR Article 9.
3. How long we keep your data
Session data (occupation, tasks, score) is retained for 12 months from the date of creation, after which it is automatically deleted. Email addresses are retained for 24 months, or until you request erasure (whichever is sooner).
4. Sub-processors
We share data with the following third-party processors:
- Supabase Inc. — database hosting (EU West region, Ireland)
- Vercel Inc. — application hosting (EU region)
- Stripe Inc. — payment processing (UK/EU data residency)
- Resend Inc. — transactional email delivery
- Anthropic PBC — AI model inference (occupation scoring). Data sent: occupation title and task descriptions only. No personal data is included in prompts.
All sub-processors are covered by appropriate UK GDPR transfer mechanisms (adequacy decisions or Standard Contractual Clauses where applicable).
5. Cookies
AICitta uses a single first-party session cookie to maintain your anonymous session across pages. This cookie is strictly necessary for the service to function and does not require consent under PECR. Stripe may set cookies during the checkout process; these are covered by Stripe’s own privacy policy.
6. Your rights
Under UK GDPR you have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Request erasure (“right to be forgotten”)
- Object to processing based on legitimate interest
- Request data portability (where technically feasible)
- Lodge a complaint with the ICO at ico.org.uk
To exercise any right, email privacy@aicitta.com. We will respond within 30 days.
7. Changes to this policy
We may update this policy. We will notify you of material changes by updating the date at the top of this page. Continued use of AICitta after a policy update constitutes acceptance of the revised terms.