Privacy Policy
Last updated: February 2026.
1. Introduction
WayCite (“we”, “our”, or “us”) is operated by MariqueCalcus Limited, a company registered in England and Wales. Our registered office is at Martlet House E1 Yeoman Gate, Yeoman Way, Worthing, West Sussex, BN13 3QZ, United Kingdom. We are registered with the Information Commissioner’s Office (ICO) under registration number ZB029209.
This Privacy Policy applies to all services provided through waycite.com, the Blogger Portal, the Developer API, and the GEO Analysis Engine (collectively, the “Service”). It explains how we collect, use, share, and protect your personal data.
We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), the Data Protection Act 2018, and the California Consumer Privacy Act (CCPA). MariqueCalcus Limited is the data controller responsible for your personal data as described in this policy.
2. Information We Collect
We collect different categories of personal data depending on how you interact with the Service. The specific categories are described below.
(a) Account Information
When you create an account, we collect your name, email address, hashed password, and organisation name (if applicable). This information is necessary to provide you with access to the Service and manage your account.
(b) Blog Content
For bloggers who opt in to the GEO Analysis Engine, we collect article URLs, article text, and associated metadata. This content is collected only with the blogger’s explicit consent and is used solely for the purpose of generating GEO analysis reports.
(c) API Usage Data
For developer accounts, we collect API key identifiers, endpoints called, request timestamps, response codes, and query parameters. This data is used to monitor API performance, enforce rate limits, and generate usage reports for billing purposes.
(d) Contact and Communication Data
When you contact us through our contact form or by email, we collect your name, email address, and the content of your message. We use this information to respond to your enquiry and provide support.
(e) Technical Data
We automatically collect certain technical information when you access the Service, including your IP address, browser type and version, operating system, device information, pages visited, session duration, and referral source. This data helps us maintain the security of the Service, diagnose technical issues, and understand how users interact with our platform.
(f) Cookie Data
We use cookies and similar technologies as described in our Cookie Policy. Essential cookies are used to maintain session state and remember your preferences. Analytics cookies, where you have consented to their use, help us understand how the Service is used so we can improve it.
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data only where we have a lawful basis to do so. The table below sets out the legal bases we rely on for each type of processing activity.
| Legal Basis | Processing Activities | Details |
|---|---|---|
| Consent | Blog content crawling and analysis; marketing communications (newsletters) | You may withdraw your consent at any time by contacting us at privacy@waycite.com or by using the unsubscribe link in marketing emails. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. |
| Performance of a contract | Providing account services; API access and usage; generating GEO analysis reports | Processing is necessary to fulfil our contractual obligations to you under the applicable Terms of Service. |
| Legitimate interests | Service security and fraud prevention; service improvement; aggregated analytics | We balance our legitimate business interests against your rights and freedoms. You may object to processing based on legitimate interests by contacting us at privacy@waycite.com. |
| Legal obligation | Tax records; responding to lawful requests from regulatory authorities or courts | Processing is necessary to comply with legal obligations to which we are subject under UK and EU law. |
4. How We Use Your Information
We use the personal data we collect for the following purposes:
- Provide, operate, and maintain the Service, including account management and authentication.
- Generate GEO analysis reports that assess the AI citation readiness of submitted blog content across seven dimensions (structure, entity clarity, first-hand signals, freshness, Q&A alignment, competitive differentiation, and topic depth).
- Process API requests and serve search results with proper attribution to source content creators.
- Send transactional emails, including account confirmations, GEO analysis reports, security alerts, and service-related notifications.
- Respond to enquiries, provide customer support, and resolve complaints.
- Monitor and prevent security threats, fraud, abuse, and unauthorised access to the Service.
- Generate aggregated, anonymised analytics to understand usage patterns and improve the Service. Anonymised data cannot be used to identify individual users.
- Comply with applicable legal obligations, including tax reporting, regulatory requirements, and lawful data disclosure requests.
5. AI and Large Language Model Processing
Blog content submitted for GEO analysis is processed by third-party large language models (LLMs) to generate AI citation readiness scores. It is important that you understand how this processing works.
LLM providers we use:
- Claude, provided by Anthropic, PBC (San Francisco, California, USA).
- GPT-4, provided by OpenAI, Inc. (San Francisco, California, USA).
When you submit blog content for GEO analysis, that content is sent to these providers’ APIs as prompts for analysis. Under the current API terms of service of both Anthropic and OpenAI, content submitted via their APIs is not used to train their models.
We do not use your content to train any proprietary WayCite models. GEO scores and structured analysis results are stored in our database; the original prompts and raw LLM responses are not retained after analysis is complete.
For more information about how these providers handle data, please refer to: Anthropic’s Privacy Policy and OpenAI’s API Data Usage Policy.
6. Data Sharing and Sub-processors
We do not sell your personal data to any third party. We share personal data only with trusted sub-processors who are necessary to operate the Service, and only to the extent required for their specific function.
Our sub-processors fall into the following categories:
- Cloud infrastructure: Amazon Web Services (AWS) — hosting, storage, compute, and database services.
- LLM providers: Anthropic (Claude) and OpenAI (GPT-4) — GEO analysis processing as described in Section 5.
- Authentication: Kinde — identity management and secure authentication.
- Transactional email: Resend — delivery of account and service-related emails.
- Website hosting: Vercel — hosting and deployment of our web applications.
A full list of our current sub-processors, including their locations and purposes, is available at our Sub-processors List.
We may also disclose your personal data if required to do so by law, court order, or regulatory authority, or where disclosure is necessary to protect our rights, property, or the safety of our users or the public.
7. International Data Transfers
Your personal data may be transferred to and processed in the United States and other countries outside the United Kingdom and European Economic Area (EEA). These transfers are necessary to operate the Service using the sub-processors described in Section 6.
To ensure an adequate level of protection for your personal data when transferred internationally, we rely on the following safeguards:
- EU-US Data Privacy Framework and its UK Extension for transfers to US organisations that are certified under the framework.
- Standard Contractual Clauses (SCCs) approved by the European Commission, together with the UK International Data Transfer Addendum, as supplementary safeguards where the Data Privacy Framework does not apply.
Our EU representative for GDPR purposes is European Data Protection Office (EDPO), Avenue Huart Hamoir 71, 1030 Brussels, Belgium. They can be contacted via EDPO’s online request form or by email at privacy@waycite.com.
8. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected. The specific retention periods are as follows:
- Account data: for the duration of your account plus 30 days after a deletion request to allow for processing and the completion of any pending operations.
- Blog content and GEO scores: until you revoke consent or your content materially changes, whichever comes first. When content changes, existing GEO scores are replaced with updated analysis.
- API usage logs: 90 days, after which logs are deleted or anonymised.
- Contact form submissions: 12 months from the date of submission.
- Technical and analytics data: 14 months from the date of collection, in accordance with the data minimisation principle. This period allows sufficient time for year-over-year trend analysis while limiting the retention of personal data.
- Legal and financial records: as required by applicable law, typically 6 years to comply with UK tax and accounting obligations.
When personal data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with you.
9. Your Rights Under GDPR
If you are located in the United Kingdom or European Economic Area, you have the following rights under the UK GDPR and EU GDPR:
- Right of access: You have the right to obtain a copy of the personal data we hold about you, together with information about how and why we process it.
- Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to erasure: You have the right to request deletion of your personal data (“right to be forgotten”) where there is no compelling reason for us to continue processing it.
- Right to restriction of processing: You have the right to request that we limit the processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have challenged.
- Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to object: You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis, including profiling based on legitimate interests.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO) at ico.org.uk. If you are in the EEA, you may also contact your local data protection authority.
To exercise any of these rights, please contact us at privacy@waycite.com. We will respond to your request within one month of receipt. In exceptional circumstances, where requests are complex or numerous, we may extend this period by a further two months, but we will inform you of any extension within the initial one-month period.
10. Your Rights Under CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You have the right to request that we disclose what categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions permitted by law.
- Right to opt-out of sale: You have the right to opt out of the “sale” of your personal information. We do not sell your personal information as defined under the CCPA.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge you different prices, or provide you with a different quality of service because you have exercised your rights.
To exercise your CCPA rights, please contact us at privacy@waycite.com. For full details, including categories of personal information collected and disclosed, see our CCPA Addendum.
11. Children’s Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately at privacy@waycite.com. If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to delete that information promptly.
12. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption: All data is encrypted at rest and in transit using TLS 1.2 or higher.
- Access controls: Strict access controls and authentication requirements ensure that only authorised personnel can access personal data, and only to the extent necessary for their role.
- Regular security reviews: We conduct periodic reviews of our security practices, infrastructure, and access controls to identify and address potential vulnerabilities.
- Incident response: We maintain incident response procedures to detect, investigate, and respond to data security incidents. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals without undue delay.
No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. We encourage you to use strong, unique passwords and to keep your account credentials confidential.
13. Data Protection Officer
Given the current nature and scale of our processing activities, MariqueCalcus Limited is not required to appoint a Data Protection Officer (DPO) under Article 37 of the UK GDPR or EU GDPR. We keep this assessment under regular review as the scope of our processing evolves. For any data protection enquiries, please contact us at privacy@waycite.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. For material changes, we will provide at least thirty (30) days’ prior notice via email to the address associated with your account or through a prominent notice on the Service before the changes take effect.
The “Last updated” date at the top of this page indicates when this Privacy Policy was last revised. We encourage you to review this page periodically to stay informed about how we protect your personal data. Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms.
15. Contact Us
If you have questions about this Privacy Policy, wish to exercise any of your data rights, or have concerns about how we handle your personal data, please contact us using the details below:
- Email: privacy@waycite.com
- Data Controller: MariqueCalcus Limited, Martlet House E1 Yeoman Gate, Yeoman Way, Worthing, West Sussex, BN13 3QZ, United Kingdom
- ICO Registration: ZB029209
- Company number: 16134255
- EU Representative: European Data Protection Office (EDPO), Avenue Huart Hamoir 71, 1030 Brussels, Belgium. Online request form.
We aim to respond to all legitimate enquiries within one month. If your request is particularly complex or you have made a number of requests, we may need up to three months to respond, in which case we will notify you and keep you updated on progress.