Legal

Privacy Policy

Effective June 8, 2026 · How Citrico collects, uses, shares, and protects data.

1. Introduction

Citrico LLC, a New Mexico limited liability company ("Citrico", "we", "us", or "our"), operates the Citrico multi-tenant software-as-a-service platform at citrico.app (the "Platform"). The Platform helps commercial cleaning companies run accountability workflows for the restaurant operators they serve, and lets those operators verify that cleaning work was performed.

This Privacy Policy explains what information we collect, how we use it, who we share it with, how long we keep it, and the rights you have. It applies to citrico.app, any subdomain we operate, and the Platform features delivered through those properties, including white-label tenant portals (for example, a cleaning-company tenant whose portal renders under the SaniFilPro brand).

Citrico plays two different roles depending on whose data is at issue:

  • Data controller for information about people and organizations who sign up to be Citrico customers (cleaning companies that license the Platform, their billing contacts, and Citrico personnel). For this data, Citrico decides the purposes and means of processing.
  • Data processor for information that cleaning-company tenants collect from their own operators, supervisors, and cleaning crew while running their business on the Platform. For this data, the cleaning company is the controller and Citrico processes the data on the controller's behalf under the Master Services Agreement (MSA) signed at the time of subscription.

If you are an operator, supervisor, or cleaner using a tenant's portal, the cleaning company that issued your account is the data controller for your account data. Direct privacy requests about that data to your cleaning company. See Section 7 (Your Rights) for the request-routing detail.

2. Information We Collect

2.1 Account information

When a cleaning company signs up to license the Platform, we collect the company legal name, doing-business-as (DBA) name, billing contact, founder and admin email addresses, names of administrative users, business mailing address, and tax identification information when required for billing or compliance.

2.2 Tenant configuration

As the tenant onboards, we store their brand settings (logo, color tokens, white-label domain configuration), selected plan tier, list of stores under management, employee and supervisor roster, role assignments, and workflow preferences (checklist templates, visit schedules, ticket categories).

2.3 Service data hosted on behalf of tenants

On behalf of each cleaning-company tenant, the Platform stores the operational data they collect in the normal course of running cleaning oversight. This includes:

  • Photo evidence uploaded by cleaning crew, including image content and capture timestamps
  • Bilingual checklist responses (English and Spanish)
  • Supervisor visit scores, notes, and flagged items
  • Tickets and correction tasks with status, assignments, and resolution proof
  • Invoices issued from the tenant to its restaurant-operator customers
  • End-user account records (email or identifier, role, password hash, PIN hash, language preference)

For end-user accounts, passwords are stored using industry-standard one-way hashing. Personal identification numbers (PINs) used by cleaners are likewise stored only as salted one-way hashes. Plaintext passwords and PINs are never stored or logged.

2.4 Technical data

When you use the Platform, we automatically collect technical metadata necessary to operate the service: IP address, browser type and version, operating system, device type, session cookie identifiers, login and logout timestamps, page-view paths, referring URL, and error logs. We also collect performance telemetry used to diagnose outages and latency issues.

2.5 Communications

When you contact us by email, submit a support request, or exchange messages with Citrico staff about billing, abuse, or technical issues, we retain the contents of those communications and any attachments for as long as needed to resolve the matter and meet our legal obligations.

3. How We Use Your Information

We use the information described in Section 2 for the following purposes:

  • Operate the Platform. Authenticate users, route requests to the correct tenant, render the right brand chrome, store photos and checklist responses, run multi-tenant database queries, deliver scheduled supervisor visit reminders, keep ticket workflows moving.
  • Process payments and issue invoices. Bill cleaning-company tenants for their subscription, generate receipts, send dunning notices, manage cancellations, and reconcile our own books.
  • Send transactional email. Account verification, password resets, magic-link sign-in tokens, billing notices, security alerts, and product notifications about service changes. These are sent through our email delivery provider from citrico.app and tenant white-label domains.
  • Improve platform reliability and security. Diagnose errors, detect abuse and credential stuffing, investigate anomalous access, evaluate performance, and plan capacity.
  • Comply with legal obligations. Respond to lawful requests, retain records we are required to keep, enforce our Terms of Service, and defend against legal claims.

We do not use your information for: third-party advertising, sale to data brokers, or training third-party large-language-model or other AI systems. Tenant data and end-user data is not exported to any AI vendor for model training.

4. How We Share Your Information

4.1 Service providers

We rely on a small set of reputable, US-based cloud service providers to deliver the Platform. Each receives only the data required to perform its function. The categories are:

  • Database hosting for tenant and account data.
  • Application hosting and content delivery for the web platform and tenant domains, including DNS.
  • File storage for photo evidence uploaded by cleaning crews and supervisors.
  • Email delivery for transactional email (sign-in links, password resets, notifications, billing notices).
  • Payment processing for subscription billing. Card details are handled by the payment processor and never touch our servers.

We do not transfer data to service providers for any purpose other than to deliver the Platform. A current list of providers is available on request at support@citrico.app.

4.2 Cleaning-company tenants

Each cleaning-company tenant can only see data inside their own tenant boundary. The Platform enforces per-tenant isolation at every database query; cross-tenant data access by a tenant is not possible through the application surface. Tenant administrators see only their own organization's configuration, employees, operators they serve, photos, checklists, tickets, and invoices.

4.3 Citrico personnel

A limited number of Citrico personnel hold a superadmin role ("CitricoStaff") and may access tenant data for technical support, debugging production incidents, abuse investigation, or compliance with this Privacy Policy and the MSA. Every CitricoStaff access to tenant data is logged with actor, timestamp, and reason.

4.4 Legal compliance

We may disclose information when we have a good-faith belief that disclosure is required by a valid subpoena, court order, or other legal process, or is necessary to protect the rights, property, or safety of Citrico, our users, or the public. Where we are legally permitted, we will notify the affected tenant in advance so they can seek a protective order.

4.5 Business transfers

If Citrico LLC is acquired, merged, or sells substantially all of its assets, information may be transferred to the successor entity. The successor must honor this Privacy Policy or give affected users notice and a right to delete before any change in terms takes effect.

4.6 What we do not share

We do not share your data with advertisers, data brokers, marketing networks, or any third party for cross-context behavioral advertising. We do not sell your data within the meaning of the California Consumer Privacy Act (CCPA) or any analogous state statute.

5. Multi-Tenant Data Isolation

Citrico is a multi-tenant SaaS platform. Many cleaning companies run their own accountability operations on the same shared Platform, and the integrity of that model depends on strict per-tenant isolation. We implement isolation in the following ways:

  • Query-level scoping. Every database query that touches tenant data is scoped by a tenant identifier resolved from the authenticated session. Queries without a tenant scope cannot return tenant rows.
  • Per-tenant photo storage. Photo files are organized into per-tenant paths and served only through signed URLs scoped to the tenant.
  • Per-tenant authentication. End users (operators, supervisors, cleaners) authenticate against their own tenant. A user account in one tenant cannot log into a different tenant.
  • Tenant admin scope. Tenant administrators see only their own organization's data. They cannot view, list, or enumerate other tenants.
  • Cross-tenant access is staff-only. Only CitricoStaff superadmins can move across tenant boundaries, and only for the support, debugging, and abuse investigation purposes described in Section 4.3. Every such access is logged.

6. Data Retention

We retain data according to the following defaults:

  • Active customer data. Retained for the life of the subscription plus the period necessary to resolve disputes, enforce our agreements, and meet legal obligations.
  • After subscription cancellation. For 90 days after cancellation, the tenant retains the ability to export their data through the Platform export tools.
  • Deletion after 90 days. After the 90-day export window closes, we delete tenant data from primary systems unless we are legally required to retain it (for example, tax records, fraud investigation, or pending litigation).
  • Backups. Encrypted database and blob backups are retained for 30 days after creation, then purged on rolling schedules. Data deleted from primary systems may persist in backup snapshots until those snapshots age out of the 30-day window.

A tenant may request an accelerated deletion or extended retention by contacting support@citrico.app. We will confirm receipt within 5 business days and complete the request within 30 days, subject to legal hold exceptions.

7. Your Rights

Depending on where you live, you may have rights to access, correct, delete, or export your personal information, to object to or restrict certain processing, and to receive your data in a portable format. We honor rights under the California Consumer Privacy Act (CCPA / CPRA), the EU and UK General Data Protection Regulations (GDPR), and analogous state and national laws where applicable.

7.1 Where to send a request

Routing matters, because Citrico is sometimes the controller and sometimes the processor:

  • If you are an operator, supervisor, or cleaner using a cleaning-company tenant's portal: contact YOUR cleaning company. They are the data controller for your account data. Citrico is a processor for that data and will forward your request to your cleaning company if you reach us directly.
  • If you are a Citrico customer (a cleaning-company admin or billing contact) and the request is about YOUR Citrico account or YOUR organization's tenant data: contact support@citrico.app.

We respond to verifiable rights requests within 30 days. We may extend this period by an additional 30 days where the request is complex or where a large volume of records is involved, and we will notify you of any extension. We do not charge a fee for a first request in any 12-month period; we may charge a reasonable fee for repeat or excessive requests as permitted by law.

8. Cookies and Tracking

The Platform uses the following categories of cookies and similar technologies:

  • Essential session cookies. Required to authenticate users, hold session state, and protect against cross-site request forgery. The Platform will not work without these.
  • Analytics. Anonymized, aggregate traffic measurement (page views, country, referrer) through our hosting platform. No personal identifier is recorded.

We do not set advertising cookies. We do not embed third-party tracking pixels (no Facebook Pixel, no Google Ads remarketing, no LinkedIn Insight, no programmatic ad tags). The Platform does not participate in cross-context behavioral advertising.

9. Children's Privacy

The Platform is a business-to-business product intended for use by adult employees of cleaning companies and the restaurant operators they serve. It is not directed at children, and we do not knowingly collect personal information from anyone under 16. If you believe a minor has provided personal information to the Platform, contact support@citrico.app and we will delete it.

10. International Data Transfers

Citrico hosts data primarily in the United States through its cloud database and application hosting providers (US East). If you access the Platform from outside the United States, your information will be transferred to, stored in, and processed in the United States. By using the Platform, you understand that the United States may have data-protection laws that differ from those in your country.

For tenants and users in jurisdictions that require additional transfer safeguards (for example, EU/UK data subjects covered by the GDPR), Citrico will execute Standard Contractual Clauses or an equivalent mechanism upon written request to support@citrico.app.

11. Security

We use reasonable administrative, technical, and physical safeguards including:

  • TLS 1.2 or higher for all data in transit between users and the Platform
  • Encryption at rest where supported by the underlying hosting providers
  • Industry-standard one-way password hashing for all user credentials
  • SHA-256 PIN hashing with a per-tenant pepper for cleaner PINs
  • Role-based access control across application surfaces (admin, supervisor, cleaner, operator, CitricoStaff)
  • Logged audit trail of CitricoStaff access to tenant data
  • Principle of least privilege for internal access to production systems
  • Regular review of authentication and session lifecycle

No system is 100% secure. We cannot guarantee absolute security, but we work to reduce risk continuously. If you believe you have discovered a security vulnerability in the Platform, please disclose it responsibly to support@citrico.app. We will acknowledge receipt within 2 business days. We will not pursue legal action against researchers who report in good faith and avoid privacy violations, service disruption, or destruction of data.

If a security incident affects your data and triggers a legal notification requirement, we will notify affected customers and, where applicable, regulators within the timelines required by law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The effective date at the top of this page shows when it was last revised. For material changes (changes that reduce your rights or significantly broaden how we use your data), we will give tenant administrators at least 30 days advance notice by email before the changes take effect. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.

13. Contact

For any privacy question, request, or complaint, contact us:

  • Citrico LLC
  • Attn: Legal
  • Email: support@citrico.app
  • 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, USA

Back to home

Privacy Policy · Citrico