Privacy Policy
Version 2026-05-25
This Privacy Policy explains what personal data Sift ("Sift", "we") collects, why, who we share it with, and the choices you have. Sift is a personal design-intelligence tool for adults (18+). By using Sift you agree to this policy.
1. Data we collect
- Account data — your email, authentication identity, optional display name, session data, and your recorded age/terms consent.
- Content you create — the URLs you choose to monitor, folders, tags, and the prompts you enter into Discover.
- Captured artifacts — screenshots/recordings of the third-party websites you ask Sift to capture, and the brand "skills" generated from them.
- Connected-service tokens — if you connect Mobbin, the OAuth tokens for that account (stored encrypted).
2. How and why we use it
- To provide the service: capture, monitor, organize, and analyze the sites you choose.
- To authenticate you and keep your account secure.
- To operate AI features (Discover and skill generation).
- To send you service messages and, with your consent, optional product messages.
Our legal bases (where GDPR applies) are performance of our contract with you, your consent (e.g. marketing, connecting Mobbin), and our legitimate interest in operating and securing the service.
3. Who we share data with (sub-processors)
We use the following service providers to run Sift; each processes data on our behalf:
- Supabase — authentication, database, and file storage.
- Vercel — application hosting.
- Railway — the capture worker.
- Anthropic — AI analysis of page content and screenshots for skill generation and Discover.
- Exa — web search for Discover.
- Mobbin — if you connect it, for design-library search.
- fal.ai — media processing.
- Twilio (SMS) and Resend (email) — notifications.
We do not sell your personal data.
4. Third-party website captures
When you capture a site, Sift stores screenshots of that third-party website and may send its page content to Anthropic and Exa for analysis. Those pages may contain other people's information; you are responsible for ensuring you have the right to capture the URLs you add. See our Terms of Service and takedown process.
5. Retention
We keep your account and content until you delete them or close your account. Operational logs are retained for up to 90 days. When you delete your account we remove your data — including stored captures and connected-service tokens — within 30 days.
6. Your rights
Depending on where you live (e.g. GDPR/EEA/UK, CCPA/California, PIPEDA/Canada), you may have the right to access, export, correct, or delete your data, and to object to or restrict certain processing. You can export and delete your data from Settings, or contact us. We respond within the timeframes the law requires.
7. International transfers
Several providers above are based in the United States. Where we transfer data out of the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses.
8. Security
We use row-level access controls, encryption in transit, encryption of connected-service tokens at rest, and least-privilege access. No system is perfectly secure; we work to protect your data and will notify you and regulators of a breach as required by law.
9. Cookies
We use essential cookies needed to sign you in and run the app. We ask for consent before using any non-essential cookies.
10. Children
Sift is for adults. It is not directed to anyone under 18, and we do not knowingly collect data from minors.
11. Changes
We may update this policy; we will record the new version and, for material changes, ask you to review it. The current version is 2026-05-25.
12. Contact
For privacy questions or to exercise your rights, contact us at privacy@sift.app.