1. Who this applies to
This Privacy Policy describes how CitrusWeb ("CitrusWeb", "we", "us") handles data in CitrusWeb Works, our software service for manufacturing shops ("you", "your"). It covers both people evaluating the product and shops using it under a subscription.
2. What we collect
We keep collection minimal and tied to running the service:
- •Account information, such as the email address you sign in with and basic profile and role details.
- •Shop data you enter or import, including RFQs, drawings, inspection records, inbound and outbound email content, employee and skills records, and any files or CSVs you upload. This is your data.
- •Usage and funnel events, such as which features and workflow steps are used, so we can understand and improve the product.
3. How we use it
We use account information to authenticate you and manage your subscription. We use shop data only to provide the service you asked for, for example extracting an RFQ or classifying and drafting a reply to an inbound email. We use usage and funnel events to operate, secure, and improve the product.
We do not sell your data, and we do not use your shop data to train AI models. AI features send only the specific content needed for a task to our AI provider, never your whole database, and their output is a draft for a person to review and approve.
4. Subprocessors
We rely on a small set of named providers to deliver the service. Each processes only what its role requires:
- •Anthropic, our AI provider (Claude), which processes the content you submit to an AI feature. Anthropic does not use API-submitted data to train its models.
- •Vercel, for application hosting and request handling.
- •Supabase, for the database, authentication, and file storage that hold your data.
- •Postmark, for transactional and outbound email delivery.
5. Where your data lives
Your data is hosted in the United States. It sits in one shared, encrypted database, isolated from every other shop by row-level security keyed to your organization, so one shop cannot see another shop's records. Data is encrypted in transit (TLS) and at rest (AES-256 on the managed database).
6. How long we keep it
We retain your data for the life of your subscription. After cancellation there is a 30-day grace period during which you can still export, and then your data is deleted on schedule or on your earlier request.
Content sent to our AI provider is not retained for training and is subject to that provider's own limited retention. Backups follow the same deletion schedule as the data they protect.
7. Your rights
You control your data:
- •Access: you can see the data held in your tenant.
- •Export: you can export your data to CSV on demand.
- •Deletion: you can ask us to delete your data, and we will do so subject to the retention above.
8. Cookies
We use a minimal set of cookies and similar technologies, limited to what is needed to sign you in, keep the app working, and understand basic product usage. We do not use them to build advertising profiles or sell your activity.
9. What we do not claim
We are honest about our stage. CitrusWeb Works does not currently hold SOC 2, ISO 27001, CMMC, or HIPAA certification, and we do not represent that it does. It is also not built to hold ITAR, EAR, or CUI export-controlled technical data, which must not be uploaded to the platform.
10. Contact
For privacy questions or to make an access, export, or deletion request, contact us at privacy@citrusweb.works. If we add a new subprocessor or make a material change to this policy, we will update this page and give notice.