Legal

Privacy Policy

Effective date: 14 July 2026

1. Who we are

Referenced is operated by Watermill Digital Ltd, a company registered in the United Kingdom. This policy explains what data we collect when you use Referenced, why we collect it, and what rights you have over it. If you have any questions, email us at [email protected].

2. What we collect

When you register, we collect your name, email address, company name, and (optionally) phone number. Billing is handled by Stripe — we never see or store your card details ourselves. Once you're in, you tell us about the sites, brands, competitors, and prompts you want tracked, and our scans generate the AI answers and metrics that measure how those prompts perform.

3. How we use it

We use your data to run the service: scanning AI assistants for mentions of your brand, computing visibility and sentiment metrics, and showing you the results. We use your billing details to charge your subscription, and your email address to send account and service emails — things like billing receipts, scan alerts, and important product updates. We do not sell your personal data, and we do not use it for third-party advertising.

4. Processors we rely on

We use a small number of third-party processors to run Referenced, and each one only receives the data it needs to do its job:

  • Stripe — payment processing and billing.
  • OpenAI, Anthropic, Perplexity, and Google — used to scan AI assistants for mentions of your brand and to analyse the resulting text.
  • DataForSEO — used to retrieve Google search results as part of our scanning process.

5. Google user data

If you choose to connect a Google account to a site in Referenced, we access your Google Search Console performance data (queries, clicks, and impressions) and your Google Analytics 4 reports (sessions, traffic sources, and conversions). This access is read-only — Referenced cannot change anything in your Search Console or Analytics account.

We use this data solely to display your own analytics inside Referenced and to improve the prompt suggestions we generate for your own sites. We do not sell this data, share it with third parties, use it for advertising, or let anyone at Referenced read it, except where you have asked us for support or where we're required to for security or legal compliance.

Referenced's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

You can disconnect your Google account at any time from your site's settings in Referenced — we delete the stored tokens immediately — or by revoking access directly from your Google Account permissions.

6. Crawler tracking data

If you enable crawler tracking — by installing our WordPress plugin or by sending data to our ingest API from your own server — Referenced receives counts of visits by known AI and search crawlers to your site: the bot's name, the page path it requested, the date, and a hit count. That's the whole list. This data is about bots, not people — it contains no visitor personal data: no IP addresses, no browser details, and nothing about your human visitors.

Your server sends this data using a per-site token that you generate in your site's settings. Nothing is sent until you create a token, and you can stop sending at any time by deactivating the plugin or regenerating the token, which immediately invalidates the old one. Crawler data is kept for as long as the associated site exists in Referenced, the same as your other site metrics.

7. Cookies

Referenced uses session and authentication cookies to keep you signed in and to keep the application working correctly. We do not use advertising cookies or cross-site tracking cookies.

8. Retention

We keep your account data for as long as your account exists. Scan data and synced Google metrics are kept for as long as the associated site exists in Referenced. If you delete your account, everything is deleted within 30 days.

9. Your rights (UK GDPR)

Under UK GDPR you have the right to access the personal data we hold about you, ask us to correct it, ask us to delete it, and request a copy in a portable format. You also have the right to complain to the Information Commissioner's Office (ICO) if you think we've mishandled your data. To exercise any of these rights, email [email protected] and we'll respond as quickly as we can.

10. Changes

We may update this policy from time to time. When we do, we'll post the new version here with an updated effective date, and we'll email you directly if a change is material.