NOT LEGAL ADVICE — TEMPLATE FOR ATTORNEY REVIEW. Privacy disclosures must accurately match actual data practices and be approved by qualified counsel before publication. Do not publish this document until verified against the production data flows, subprocessor list, cookie inventory, and applicable jurisdictional requirements.

AgentCite — Privacy Policy (Template)

Effective Date: May 24, 2026 Controller: AgentCite, Inc., AgentCite, Inc., privacy@agentcite.com

This Privacy Policy explains how AgentCite collects, uses, and shares personal information when you visit our website, sign up for our Services, or are contacted as part of our outbound program.

1. Who This Applies To

• Customers — real estate agents and their teams who subscribe to AgentCite.
• Prospects — individuals we contact through cold outbound (email, LinkedIn, Instagram, SMS where consented).
• End Consumers — clients of our Customers whose data passes through us solely to support review-request workflows and analytics. AgentCite acts as a service provider / processor for that data; the Customer is the controller.
• Website Visitors.

2. Information We Collect

From Customers

• Account: name, business name, email, phone, mailing address, password hash.
• Payment: billing details processed by our payment processor (we do not store full card numbers).
• Service data: brokerage, license number, target markets, content preferences, photos, bios, testimonials.
• Delegated access: OAuth tokens and credentials for Google Business Profile, social platforms, and directory sites you connect. We store these encrypted and use them only to perform the Services.
• Communications and support history.

From Prospects

• Business contact information sourced from public records, MLS production reports, and licensed data vendors (e.g., name, brokerage, work email, city, transaction volume estimates).
• Engagement signals (opens, clicks, replies) generated by our outreach tools.

From End Consumers (via Customer)

• Name, email, phone, transaction context, and review submissions, provided by our Customer to power the review-request pillar.

Automatic

• Device, browser, IP address, log data, and analytics events from our website and product.
• Cookies and similar technologies (see Section 8).

3. How We Use Information

• Provide, operate, and improve the Services.
• Execute the five-pillar managed service (bio syndication, GBP optimization, review velocity, content, directory claiming).
• Bill and collect fees.
• Conduct outbound marketing to business prospects, consistent with CAN-SPAM and applicable law.
• Query third-party LLMs to measure citation outcomes; aggregate, de-identified results may be used for research.
• Detect, prevent, and respond to fraud, abuse, and security incidents.
• Comply with legal obligations and enforce our Terms.

4. Legal Bases (EEA/UK)

Where GDPR applies, we rely on: performance of a contract, legitimate interests (operating and marketing our business to other businesses), consent (where required, e.g., certain cookies, marketing to consumers), and compliance with legal obligations.

5. How We Share Information

We share personal information with:

• Subprocessors that help us deliver the Services (see Section 9).
• Customers, where information is generated on their behalf (e.g., review submissions).
• Professional advisors (accountants, lawyers, auditors).
• Authorities when required by law, court order, or to protect rights, safety, or the integrity of the Services.
• Acquirers in a merger, acquisition, financing, or asset sale, subject to confidentiality.

We do not sell personal information for money. Certain cross-context behavioral advertising disclosures may apply under CCPA/CPRA and are described in Section 10.

6. Data Retention

• Customer account data: while the account is active and for up to [24] months thereafter, then deleted or de-identified.
• Delegated access tokens: revoked upon termination or earlier on request.
• Prospect data: while there is a legitimate B2B interest and per our suppression policies; suppression lists retained as required by CAN-SPAM/GDPR.
• End-consumer review data: per the Customer's instructions and the DPA.
• Financial records: retained as required by tax and accounting law.

7. Security

We use administrative, technical, and physical safeguards including encryption in transit and at rest for sensitive fields (including delegated tokens), least-privilege access controls, logging, MFA for internal systems, and incident response procedures. No system is 100% secure; we do not guarantee absolute security. Detailed commitments are in the DPA.

8. Cookies

We use strictly necessary, functional, analytics, and (when appropriate) marketing cookies. EU/UK visitors are presented with a consent banner. You may manage preferences via the banner or your browser. A current cookie inventory is maintained at [/cookies] or available on request.

9. Subprocessors (Placeholder)

We rely on the following categories of subprocessors. A current, named list is maintained at [URL] and updated when material changes occur:

• Cloud hosting and infrastructure: [Vendor — e.g., Vercel, AWS]
• LLM and AI providers: [OpenAI, Anthropic, Google]
• Email sending and outbound tooling: [Vendor]
• CRM and customer data: [Vendor]
• Payment processing: [Stripe]
• Analytics and product telemetry: [Vendor]
• Google Business Profile API access (operated by Google)
• Directory submission tools: [Vendor]
• Customer support: [Vendor]

10. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, port, restrict, or object to processing of your personal information, withdraw consent, and lodge a complaint with a supervisory authority.

• California (CCPA/CPRA): rights to know, delete, correct, limit use of sensitive personal information, opt out of sale/sharing, and non-discrimination. Submit requests via privacy@agentcite.com or [link]. We will verify identity before responding. Authorized agents must provide written authorization.
• EEA/UK (GDPR): rights as listed above. Our EU representative (if appointed) is [TBD].
• Other US states (e.g., Virginia, Colorado, Connecticut, Utah, Texas): comparable rights honored where applicable.

We respond within the period required by applicable law (typically 30–45 days).

11. International Transfers

Personal information may be processed in the United States and other countries. For transfers from the EEA/UK/Switzerland, we rely on Standard Contractual Clauses, the UK IDTA, or other lawful transfer mechanisms.

12. Children

The Services are not directed to anyone under 18 and we do not knowingly collect personal information from children.

13. Changes

We may update this Policy. Material changes will be notified in-product or by email at least 30 days in advance where reasonably practicable.

14. Contact

AgentCite, Inc. AgentCite, Inc. privacy@agentcite.com DPO / Privacy Lead: [NAME]

Template v0.1 — pending counsel review.