Privacy Policy

Last updated: June 16, 2026

Siftfy classifies the text you send to our API and returns a spam score. We are built so the content you submit for classification is never stored, logged, used to train a model, or sold. This policy explains exactly what we do and do not keep, where we process it, and how long we hold it.

What we collect

  • Account email. Used to send magic-link sign-in tokens and account notices.
  • API request metadata. Timestamp, request ID, response status, duration, detected language, the resulting spam probability, your tenant ID, and API key ID. We use it to bill, rate-limit, debug, and measure quality. This metadata does not include the text you submitted.
  • Billing details. If you upgrade to a paid plan, payment information is collected and stored by our processor (Stripe). Siftfy receives only a customer reference, plan, and renewal status — never full card numbers.
  • Server logs. Standard request logs including IP address, user agent, and the path requested. Retained for security and abuse prevention.
  • Cookies. A session cookie after sign-in (HTTP-only, 7-day expiry) and, only if you opt in, a first-party analytics cookie on our marketing website. We use no advertising or cross-site tracking cookies.

What we do not store

  • Prediction request bodies. The text you submit to /v1/predict is classified in memory and is not written to any database, log line, error report, backup, or support system. We do not use it to train or fine-tune any model, and we do not share it. Once we return the score, the text is gone from our systems.
  • PII inside request bodies. Because we do not retain the body, any personal data it happens to contain is not retained either.
  • Request content in diagnostics. Our logs and validation errors are built to carry only metadata (status, timing, language, probability, identifiers). They do not echo the submitted text.

Feedback corrections

If you use the optional /v1/feedback endpoint to tell us a message was correctly or incorrectly classified ("ham" or "spam"), we use the text you send only to compute a salted one-way fingerprint of it. We store that fingerprint, the ham/spam label, your tenant ID, and a count of how many times the same correction was submitted — never the readable text itself. The fingerprint cannot be reversed back into your content; it exists only so we can recognise the same correction again and improve classification accuracy. This is a correction signal tied to your account, and it is deleted with your account (see Your rights). We never train on or store your live prediction traffic.

How we use what we collect

  • Authenticate you and protect your account.
  • Bill, rate-limit, and operate the API.
  • Detect abuse, debug failures, and investigate security incidents.
  • Measure classifier quality in aggregate (for example, score distribution by language) using metadata only.
  • Send transactional email tied to your account (sign-in, billing receipts, plan changes).

Where we process data

Siftfy processes and stores customer data in the United States. Our databases, transactional email, and storage run on Amazon Web Services in the US (region us-east-1, Northern Virginia), and our application compute runs in a US region. If you access Siftfy from outside the United States, you are sending your data to the United States for processing.

Sharing and subprocessors

We share data with infrastructure providers only as necessary to operate the service. We do not sell or rent your data, and we do not share it with advertisers. Our current subprocessors are:

  • Amazon Web Services — hosting, database (DynamoDB), and transactional email (SES); United States.
  • Stripe — payment processing and subscription billing.
  • Google Analytics — first-party, opt-in usage analytics on the marketing website only; never receives API request content.
  • Fontshare — web-font delivery on the marketing website.

The canonical, current list lives on our Trust & Security page. We will disclose data to authorities only if compelled by valid legal process and, where permitted, will notify the affected account.

Retention

  • Prediction request content: not retained — processed in memory and discarded.
  • Account email and account metadata: retained for the life of the account.
  • Usage counts: retained while the account is active to support billing.
  • Server and application logs: retained for up to 90 days.
  • Revoked API keys: retained for 90 days after revocation, then purged.
  • Magic-link sign-in tokens: expire within 15 minutes.
  • Feedback fingerprints: retained as accumulated correction signal; contain no readable content and are deleted with your account.
  • Billing records: retained as required by tax and accounting law (typically 7 years).
  • Backups: point-in-time and versioned backups roll off within approximately 30 days.

Your rights

You may request access to, a copy of, correction of, or deletion of your account data. Email hi@siftfy.io from the address on the account and we will respond within 30 days. On a deletion request we remove your account email, API keys, passkeys, usage records, and the feedback fingerprints attributed to your tenant; backups containing that data roll off within approximately 30 days. Billing records we are legally required to keep are retained for the applicable period. Depending on where you live, you may have additional rights under laws such as the GDPR/UK GDPR or the CCPA/CPRA; we honour valid requests under those laws and do not discriminate against you for exercising them.

International transfers and DPA

For the limited request metadata described above, Siftfy acts as a data processor on your behalf, and our data-processing terms are set out in this policy. If your organization requires a separate Data Processing Agreement, contact hi@siftfy.io and we will work with you to put appropriate terms in place, including the Standard Contractual Clauses where they are required for transfers from the EEA, the UK, or Switzerland to the United States. See the Trust & Security page.

Security

Traffic is TLS-only. Passwords are not stored — sign-in is via magic-link email or WebAuthn passkey. API keys are stored hashed and shown to you only once at creation. We follow the principle of least privilege for internal access and review production access on a recurring basis. More detail is on our Trust & Security page.

Children

Siftfy is a developer tool and is not directed at children under 13, and we do not knowingly collect their data.

Changes

We will update this page with material changes and refresh the "last updated" date above. We will not apply a materially more permissive use to data we already collected — for example, beginning to train on previously submitted content — without first giving notice and, where required, obtaining your consent. Continued use of the service after a change constitutes acceptance of the revised policy.

Contact

Siftfy is operated by VectraSEO LLC, a Pennsylvania limited liability company, which is the controller for the account and billing data described above. Questions about this policy? Email hi@siftfy.io.