privacy

Privacy Policy

Last updated: May 3, 2026

What we collect

  • Account email. Used to send magic-link sign-in tokens and account notices.
  • API request metadata. Timestamp, response status, duration, your tenant ID, and API key ID. Used to bill, rate-limit, and operate the service.
  • Billing details. If you upgrade to Pro, payment information is collected and stored by our processor (Stripe). Siftfy receives only a customer reference, plan, and renewal status.
  • Server logs. Standard request logs including IP address, user agent, and the path requested. Retained for security and abuse prevention.
  • Cookies. A session cookie after sign-in (HTTP-only, 7-day expiry) and, if you opt into analytics, a first-party analytics cookie.

What we do not collect

  • Request bodies. The text you submit to /v1/predict is classified in memory and not persisted. We never store, train on, or share the content of your requests.
  • Personally identifiable information from request bodies. Because we don't retain the body, any PII you send is gone the moment we return the score.

How we use what we collect

  • Authenticate you and protect your account.
  • Bill, rate-limit, and operate the API.
  • Detect abuse, debug failures, and investigate security incidents.
  • Send transactional email tied to your account (sign-in, billing receipts, plan changes).

Sharing

We share data with infrastructure providers only as necessary to operate the service: AWS (hosting, DynamoDB), Stripe (billing), and our email provider for transactional mail. We do not sell, rent, or share your data with advertisers. We will disclose data only if compelled by valid legal process and, where permitted, will notify the affected account.

Retention

Account email and metadata are retained for the life of the account. Server and application logs are retained for up to 90 days. Billing records are retained as required by tax and accounting law (typically 7 years).

Your rights

You may export, correct, or delete your account data at any time. Email hi@siftfy.io from the address on the account and we will respond within 30 days. Deleting your account purges email, API keys, and associated metadata; backups roll off within 30 days.

Security

Traffic is TLS-only. Passwords are not stored — sign-in is via magic-link email or WebAuthn passkey. API keys are stored hashed and shown to you only once at creation. We follow the principle of least privilege for internal access and review production access on a recurring basis.

Children

Siftfy is a developer tool and is not directed at children under 13.

Changes

We will update this page with material changes and refresh the "last updated" date above. Continued use of the service after a change constitutes acceptance of the revised policy.

Contact

Questions about this policy? Email hi@siftfy.io.