Privacy Policy

1. Information We Collect

Account Information. When you create an account, we collect:

• Email address
• Username and display name
• Authentication credentials (password hash; we never store plaintext passwords)
• If you sign in via Google, we receive your Google profile information (name and email) through our identity provider
• If you enable multi-factor authentication (MFA), we store your TOTP configuration

Customer Data. Documents, text, data, and other information that you or AI create and input into the Company Service, including your Trees and their contents (nodes, scopes, crystallizations, links, and associated metadata). You own all Customer Data.

Payment Information. If you subscribe to a paid plan, payment is processed by Stripe. We store a Stripe customer identifier to link your account to your billing record. We do not store credit card numbers, bank account details, or other payment credentials—Stripe handles all payment data directly. See Stripe’s Privacy Policy for details on how Stripe processes your payment information.

Usage Data. We may collect anonymous, aggregated usage data regarding the use and performance of the Company Service, such as feature usage patterns and performance metrics. This data does not identify you or any Authorized User.

Technical Data. Server logs necessary to operate and secure the service, including IP addresses, request timestamps, and error information. We do not use third-party analytics, advertising trackers, or tracking pixels.

2. How We Use Your Information

• To provide the Company Service: authenticate your identity, maintain your session, store and serve your Trees, and enable AI-powered ideation features.
• To process payments: manage your subscription and billing through Stripe.
• To communicate with you: send transactional emails (account verification, password resets, security alerts, billing receipts) via our email provider.
• To provide customer support: SiftText personnel may access your Trees and Customer Data when you request assistance or when necessary to diagnose issues with your account.
• To maintain and improve the service: monitor performance, diagnose errors, develop new features, and ensure security.
• To comply with law: respond to legal process and enforce our Terms of Use.

3. Cookies and Session Data

We use a single essential cookie to keep you logged in. It is encrypted and transmitted only over HTTPS. We do not use advertising cookies, social media cookies, or third-party tracking cookies.

4. How We Share Your Information

We do not sell or share personal information for cross-context behavioral advertising. We share information only as follows:

• SiftText personnel — authorized staff may access Customer Data solely for providing customer support and troubleshooting, subject to confidentiality obligations
• Stripe — payment processing (when you subscribe to a paid plan)
• Postmark — transactional email delivery (account verification, password resets, security notifications)

We may disclose information if required to comply with a valid court order, subpoena, or legal process. Where permitted by law, we will notify you before making such a disclosure.

5. Data Security

We maintain reasonable administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of your data, in accordance with applicable industry standards. These include:

• Passwords are hashed using bcrypt; we never store plaintext
• Authentication via OIDC with PKCE (no client secrets transmitted)
• Optional multi-factor authentication (TOTP)
• All connections encrypted in transit via TLS (HTTPS enforced)
• OAuth 2.1 tokens for API access with short-lived access tokens and rotating refresh tokens

6. Data Retention

• Account data: retained while your account is active, or as required by law.
• Customer Data (Trees): retained while your account is active. Upon termination, Customer Data may be deleted in accordance with our standard backup and retention procedures.
• Server logs: retained for a limited period necessary for security monitoring and troubleshooting, then deleted.
• Payment records: retained as required for accounting and legal compliance.

7. Your Rights and Choices

• Access and export: you can access, browse, search, and edit your Trees at any time through the Company Service.
• Deletion: request deletion of your account and associated data by contacting us at the address below. We will process your request promptly, subject to any legal retention obligations.
• Correction: update your account information at any time through your account settings or by contacting us.
• Withdraw consent: where processing is based on consent, you may withdraw it at any time.

8. International Transfers

If your data is processed outside your region, we use appropriate safeguards as required by applicable law.

9. Children

The Company Service is not directed to children under 13. If you are under 13, do not create an account or use the Company Service. If we learn that we have collected personal information from a child under 13, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting the revised policy on the Company website or by email notification. Continued use of the Company Service after such changes constitutes acceptance of the updated policy.

11. Contact

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

SiftText LLC
John ten Bosch Jr.
3654 Thornton Avenue #1115
Fremont, CA 94536, United States
jack@sifttext.com