1. Data Controller
The data controller responsible for your personal data is:
Signature Group Danismanlik Hizmetleri ve Genel Ticaret Limited Sirketi
Operating as Sift
Email: privacy@sift.software
This Privacy Policy applies to the Sift platform accessible at sift.software, including the dashboard, API, WhatsApp integration, and any associated services (collectively, "the Service").
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, and password when you create an account.
- Organization details: Company name, market, preferred languages, and role type during onboarding.
- Property data: Listings you upload via Excel/CSV files or configure through scraping profiles, including addresses, prices, descriptions, and images.
- Company documents: PDFs, Word documents, and text files you upload for context extraction (company brochures, service descriptions, etc.).
- Agent configuration: Custom prompts, greeting messages, lead scoring rules, and personality settings you configure.
- Calendar data: Availability schedules, blocked dates, and appointment details.
- Payment information: Processed by PayPal; we do not store credit card numbers or bank details.
2.2 Information Collected Automatically
- Lead data: Names, phone numbers, email addresses, budgets, preferences, and timelines provided by leads during AI conversations.
- Chat messages: Full conversation transcripts between leads and your AI agent, including messages sent via web widget and WhatsApp.
- Lead scoring data: Qualification scores, temperature ratings (hot/warm/cold), and extracted lead attributes generated by the AI.
- Conversation summaries: AI-generated summaries of lead conversations stored for context continuity.
- Usage metrics: Message counts, storage usage, API call counts, and feature utilization for billing and analytics.
- Session data: Authentication tokens and session identifiers stored in browser local storage.
2.3 Information We Do Not Collect
We do not collect IP addresses for tracking, do not use third-party analytics cookies, do not track users across websites, and do not sell personal data to advertisers or data brokers.
3. How We Use Your Information
- Service delivery: AI-powered lead qualification, property matching, conversation management, and appointment scheduling.
- Personalization: Configuring your AI agent's behavior, language, personality, and lead scoring based on your settings.
- Billing: Tracking message usage, storage consumption, managing subscriptions, processing payments, and enforcing plan limits.
- Communication: Sending usage alerts (at 80% and 100% message limits), password reset emails, and critical service notifications.
- Service improvement: Analyzing aggregate usage patterns to improve features, performance, and reliability. We do not use your conversation content to train AI models.
- Security: Protecting against unauthorized access, abuse, and fraud through authentication, rate limiting, and audit logging.
4. Lawful Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Turkey, we process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Service you subscribed to (account management, AI conversations, billing).
- Legitimate interests: Service improvement, security, fraud prevention, and aggregate analytics, balanced against your privacy rights.
- Consent: Where required, such as for optional marketing communications. You may withdraw consent at any time.
- Legal obligation: Processing required to comply with applicable laws, such as financial record-keeping for tax purposes.
5. Data Sharing & Sub-Processors
We share your data only with the following categories of service providers, strictly for the purposes described:
| Provider | Purpose | Data Shared |
| --- | --- | --- |
| OpenAI | AI conversation processing | Chat messages, property data, agent prompts |
| Supabase | Database, authentication, file storage | All account and application data |
| Twilio | WhatsApp message delivery | Phone numbers, message content |
| Meta (WhatsApp) | WhatsApp Business Platform | Phone numbers, message content (via Twilio) |
| PayPal | Payment processing | Organization ID, subscription/order details |
| Firecrawl | Web scraping for property data | URLs of scraping profile targets |
| Vercel | Frontend hosting | Static assets only (no user data) |
| Railway | Backend hosting | Application runtime (data in transit) |
We do not sell, rent, or trade your personal data to any third party. We do not share data with advertisers or data brokers.
6. International Data Transfers
Your data may be processed in countries outside your jurisdiction, including the United States (OpenAI, Supabase, Vercel, Twilio) and the European Union. Where data is transferred outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Contractual obligations with sub-processors that require equivalent data protection standards
7. Data Storage & Security
We implement the following security measures to protect your data:
- Encryption in transit: All data is transmitted over HTTPS/TLS.
- Encryption at rest: Database hosted on Supabase with PostgreSQL encryption at rest.
- Access control: Row-level security (RLS) policies ensure organizations can only access their own data.
- Authentication: Supabase Auth with JWT tokens, session management, and optional multi-factor authentication.
- File storage: Uploaded documents stored in private Supabase Storage buckets with signed URL access.
- Rate limiting: API rate limiting and authentication middleware to prevent abuse.
- Audit logging: Billing events and significant account actions are logged for security and compliance.
8. Data Retention
- Active accounts: Data is retained for as long as your account is active and the Service is being used.
- Cancelled subscriptions: Account data is retained on the Free plan. You may continue to access and delete your data.
- Deleted data: When you delete specific data categories (chat logs, leads, properties) from Settings, deletion is permanent and immediate.
- Account deletion: Full account deletion removes all associated data permanently, including authentication records, organization data, and all dependent records.
- Billing records: Transaction records may be retained for up to 7 years as required by tax and financial regulations.
- Backups: Supabase maintains automated backups; deleted data may persist in backups for up to 30 days before being purged.
9. Your Rights
Under GDPR, CCPA, and other applicable privacy regulations, you have the following rights:
- Right of access: View all your data through the Sift dashboard at any time.
- Right to rectification: Update your account information, agent configuration, and organization details through the dashboard.
- Right to erasure: Bulk delete chat logs, leads, or properties from Settings. Delete your entire account from Settings > Danger Zone.
- Right to data portability: Export leads as CSV from the Leads page. Export calendar data as ICS files.
- Right to restrict processing: Contact us to request restriction of specific processing activities.
- Right to object: Object to processing based on legitimate interests by contacting us.
- Right to withdraw consent: Where processing is based on consent, withdraw at any time without affecting prior processing.
- Right to lodge a complaint: File a complaint with your local data protection authority.
To exercise any of these rights, email privacy@sift.software. We respond to all requests within 30 days.
10. Cookies & Local Storage
Sift uses browser local storage — not traditional HTTP cookies — for the following purposes:
- Authentication session: Supabase Auth stores JWT tokens in local storage to maintain your login session.
- Cookie consent preference: Your acceptance of the cookie/storage notice.
- UI preferences: Dashboard page state and settings.
We do not use third-party tracking cookies, analytics pixels, or cross-site tracking technologies. No data is shared with advertising networks.
11. WhatsApp & Messaging
If you enable WhatsApp integration:
- Inbound and outbound messages are routed through Twilio's infrastructure and Meta's WhatsApp Business Platform.
- Message content is stored in our database for conversation continuity and AI context.
- Phone numbers are stored to identify leads and route messages to the correct organization.
- Twilio and Meta have their own privacy policies governing their handling of message data.
- You are responsible for obtaining any required consent from leads before engaging them via WhatsApp, in compliance with WhatsApp's Business Policy and applicable telecommunications regulations.
12. AI & Automated Processing
The Service uses OpenAI's language models for:
- Generating conversational responses to leads
- Extracting lead qualification data (budget, timeline, preferences)
- Scoring leads (hot/warm/cold) based on conversation analysis
- Generating conversation summaries
- Extracting information from uploaded company documents
This constitutes automated decision-making under GDPR Article 22. However, these decisions are advisory in nature — the AI suggests lead scores and schedules appointments, but human agents retain full control and can override any AI decision through the dashboard.
We do not use your data to train or fine-tune AI models. OpenAI's API data usage policies apply to data sent for processing.
13. Children's Privacy
The Service is designed for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal data, contact us at privacy@sift.software.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Document the breach, its effects, and the remedial actions taken.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you via email or a prominent notice on the Service for significant changes.
- Provide at least 30 days' notice before material changes take effect.
Continued use of the Service after changes become effective constitutes acceptance of the revised policy.
© 2026 Sift. All rights reserved.
SIGNATURE GROUP DANIŞMANLIK HİZMETLERİ VE GENEL TİCARET LİMİTED ŞİRKETİ