Privacy Policy

Last updated: May 10, 2026

1. Information We Collect

SiftMail collects only the information necessary to provide email triage services:

  • Account data: Your email address and OAuth provider (Google or Microsoft).
  • Email content: Sender, subject, headers, and message body. SiftMail processes email content for two purposes: (a) security scoring (phishing, malware, and promotional classification) and (b) the Sift Inbox Index, which builds a searchable, structured index of your inbox (e.g., receipts, travel, subscriptions) so you can find buried information by natural language search. Email content is processed by automated systems only; no human at SiftMail reads your email.
  • OAuth tokens: Access and refresh tokens are encrypted at rest using AES-256-GCM and used only to access your mailbox on your behalf.
  • Usage data: Actions taken (quarantine, release, feedback), settings, and plan information.

2. How We Use Your Information

  • Score incoming emails for spam, phishing, and promotional content.
  • Apply quarantine, digest, and allow/block rules based on your settings.
  • Generate digest reports summarizing threats blocked.
  • Improve our scoring algorithms based on aggregated, anonymized patterns.

3. Shadow Mode

By default, SiftMail operates in Shadow Mode. In this mode, we analyze and score your emails but do not move, delete, or modify any messages. All quarantine actions are logged but not executed until you explicitly enable live mode. This ensures you can review SiftMail's behavior before granting it the ability to act on your behalf.

4. Data Storage & Security

  • All data is stored in encrypted PostgreSQL databases.
  • OAuth tokens are encrypted at rest with AES-256-GCM.
  • All API traffic is encrypted in transit via TLS.
  • PII is redacted from application logs.
  • We use rate limiting and API key authentication to protect endpoints.

5. Third-Party Services

We use the following third-party services: Google OAuth and Gmail API (for Gmail access), Microsoft Identity Platform and Graph API (for Outlook access), and Stripe (for payment processing). Each is governed by its own privacy policy.

6. Google API Limited Use Disclosure

SiftMail's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We request the gmail.modify scope because SiftMail's core functions require both reading message content (for security classification and inbox indexing) and modifying labels (for quarantine, organization, and user-initiated archiving). A read-only scope cannot apply labels; a metadata-only scope cannot power the Sift Inbox Index.
  • We do not use Google user data for serving advertisements.
  • We do not allow humans to read your email content unless you provide explicit consent for support purposes.
  • We do not transfer Google user data to third parties except as necessary to provide the service or as required by law.
  • All Google user data access is limited to the practices explicitly disclosed in this privacy policy.

7. Data Retention & Deletion

You can disconnect your account at any time, which immediately revokes our access to your mailbox. Cached email metadata and scoring history are deleted within 30 days of disconnection. You may request complete data deletion by contacting support.

8. Your Rights

You have the right to access, correct, or delete your personal data. You can disconnect your email provider at any time through the dashboard. For data export or deletion requests, contact us at privacy@siftmail.app.

9. Contact

For privacy-related questions or requests, email us at privacy@siftmail.app.