Legal
Privacy Policy
Last updated: May 27, 2026
1. Information We Collect
SiftMail collects only the information necessary to provide email triage services:
- Account data: Your email address and OAuth provider (Google or Microsoft).
- Email content: Sender, subject, headers, and message body. SiftMail processes email content for two purposes: (a) security scoring (phishing, malware, and promotional classification) and (b) the Sift Inbox Index, which builds a searchable, structured index of your inbox (e.g., receipts, travel, subscriptions) so you can find buried information by natural language search. Email content is processed by automated systems only; no human at SiftMail reads your email.
- OAuth tokens: Access and refresh tokens are encrypted at rest using AES-256-GCM and used only to access your mailbox on your behalf.
- Usage data: Actions taken (quarantine, release, feedback), settings, and plan information.
2. How We Use Your Information
- Score incoming emails for phishing, malware, and promotional content, and surface the results in your dashboard.
- Build and maintain your Sift Inbox Index — a per-user, searchable, structured index of your inbox (receipts, travel, subscriptions, financial, shipping, events, photos, documents, accounts, dining) so you can find buried information using natural language search.
- Apply organizational and security labels in your Gmail (e.g., Sift/Phishing, Sift/Receipts, Sift/Travel) and archive messages when you act on a recommendation.
- Authenticate your account and operate features you have enabled in your settings.
3. User Control Over Actions
SiftMail applies organizational and security labels (such as Sift/Phishing, Sift/Receipts, and Sift/Travel) to your Gmail automatically as part of its core functionality. These labels are non-destructive — your messages remain in your inbox and you can remove labels at any time from Gmail or from your SiftMail dashboard. Destructive or significant actions, including archiving a flagged message, releasing a quarantined message, or modifying allow/block rules, occur only when you explicitly initiate them. You can disconnect SiftMail at any time from your dashboard or from your Google Account permissions page.
4. Data Storage & Security
- All data is stored in encrypted PostgreSQL databases.
- OAuth tokens are encrypted at rest with AES-256-GCM.
- All API traffic is encrypted in transit via TLS.
- PII is redacted from application logs.
- We use rate limiting and API key authentication to protect endpoints.
5. Third-Party Services
- Google OAuth and Gmail API — to authenticate you and access your Gmail mailbox.
- Microsoft Identity Platform and Microsoft Graph API — to authenticate Outlook users and access their mailbox.
- Anthropic API — to perform AI classification of email content for security scoring and inbox indexing. Email content sent to Anthropic is processed under Anthropic's API terms, is used solely to return classification results, and is not used to train AI models.
- Stripe — for subscription billing and payment processing. SiftMail does not receive or store your full payment card details.
- Resend — for transactional email delivery (verification, account notifications).
- Railway — for application hosting and encrypted database infrastructure.
Each provider is governed by its own privacy policy.
6. Google API Limited Use Disclosure
SiftMail's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- We request the
gmail.modifyscope because SiftMail's core functions require both reading message content (for security classification and inbox indexing) and modifying labels (for quarantine, organization, and user-initiated archiving). A read-only scope cannot apply labels; a metadata-only scope cannot power the Sift Inbox Index. - We do not use Google user data for serving advertisements.
- We do not allow humans at SiftMail to read your email content except in narrow circumstances expressly permitted by the Google API Services User Data Policy: (a) with your explicit written consent to investigate a specific issue you have reported, (b) to comply with applicable law, or (c) to investigate suspected abuse or security incidents.
- We do not transfer Google user data to third parties except as necessary to provide the service or as required by law.
- All Google user data access is limited to the practices explicitly disclosed in this privacy policy.
7. Data Retention & Deletion
You can disconnect your account at any time, which immediately revokes our access to your mailbox and stops further processing of your email. When you disconnect, your cached email data, Sift Inbox Index, and scoring history are deleted within 30 days. You may also request immediate, complete data deletion at any time by emailing privacy@siftmail.app.
8. Your Rights
You have the right to access, correct, or delete your personal data. You can disconnect your email provider at any time through the dashboard. For data export or deletion requests, contact us at privacy@siftmail.app.
9. Contact
For privacy-related questions or requests, email us at privacy@siftmail.app.