Privacy Policy of SiftMate
1. Data controller
The controller of personal data processed in connection with the use of the SiftMate mobile application (the "App") is:
Zielona Góra, Lubusz Voivodeship, Poland
E-mail: support@siftmate.app
(the "Controller")
2. Data we collect
The App operates on an anonymous model - it does not require registration, login, or personal data such as your name, email or phone number.
We process the following categories of data:
| Type of data | Description | Purpose |
|---|---|---|
| Device identifier | On Android: a persistent identifier provided by the Android system (Android ID), stable across app reinstalls, reset only on factory reset. On iOS: a randomly generated UUID stored in the secure system Keychain, stable across reinstalls. Not linked to your name, email or other personal data. | Associating checks with the device, payment processing, enforcing free tier limits |
| Free verification counter | Number of free full verifications used on this device | Enforcing free tier limits, preventing abuse |
| URLs | Links submitted by the user for verification | Fetching page content, credibility analysis |
| Text content | Text pasted by the user (max. 2,000 characters) | Credibility analysis |
| Analysis results | Observations, credibility assessment, sources - generated by the system | Displaying results, improving service quality |
| Payment data | Transaction ID, amount, currency, provider (Google Play on Android or Apple App Store on iOS). We do not process card payment details. | Processing and settling payments |
| Report ratings | Optional: thumbs up/down on an analysis result | Improving service quality |
| Audit logs | Record of data deletion requests: truncated device identifier (first 8 characters), timestamp, and outcome | Documenting fulfilment of the right to erasure (GDPR Art. 17) |
| Device integrity data | An integrity token generated by the Google Play Integrity API and sent to Google with each analysis request (Android). Does not contain any data identifying the user. | Protection against abuse and automated queries |
3. Legal basis for processing (GDPR Art. 6)
- Art. 6(1)(b) - processing necessary for the performance of a contract (providing the credibility analysis service)
- Art. 6(1)(f) - the Controller's legitimate interests (preventing abuse, improving service quality)
4. Data processors
| Entity | Role | Data location |
|---|---|---|
| Supabase Inc. | Database and backend | EU (Ireland, eu-west-1) |
| Google LLC | AI model content processing via Google Gemini (full analysis) | USA / global |
| RevenueCat Inc. | In-app payment management | USA |
| Google LLC (Google Play) | In-app payment processing (Android) | USA / global |
| Apple Inc. (App Store) | In-app payment processing (iOS) | USA / global |
| Google LLC | Device integrity verification (Google Play Integrity API) - Android | USA / global |
| Google LLC | Website analytics (Google Analytics 4) - only with user consent | USA |
Data transfers to the USA are carried out on the basis of standard contractual clauses (SCCs) or adequacy decisions (EU-U.S. Data Privacy Framework), in accordance with GDPR Art. 46.
5. AI content processing
Content submitted for full analysis is passed to Google's Gemini AI model (Google LLC). This data:
- Is used to generate a response to the user's query
- Does not contain any data identifying the user
6. Data retention periods
| Data | Retention period |
|---|---|
| Device identifier and free verification counter | The device record (identifier and counter) is retained after a deletion request to prevent abuse (legitimate interest, GDPR Art. 6(1)(f)). All other data linked to the device is deleted. Inactive records are removed after 24 months. |
| Analysis results | 12 months from creation |
| Payment data | 5 years - in accordance with accounting regulations |
| Report ratings | 12 months from creation |
| Audit logs | 12 months from creation |
7. Your rights (GDPR Art. 15–22)
You have the following rights:
- Right of access - you can ask what data we process
- Right to rectification - you can request correction of inaccurate data
- Right to erasure - you can request deletion of all data associated with your device
- Right to restriction of processing
- Right to data portability
- Right to object to processing based on legitimate interests
- Right to lodge a complaint with your national supervisory authority
8. Data security
- Encrypted transmission (HTTPS/TLS)
- Database secured with Row Level Security (RLS)
- No storage of card payment details
- Pseudonymous device identifier (not linked to personal data)
- Data minimisation - we collect only what is necessary
9. Cookies and analytics
The mobile app does not use cookies or analytics tools. We do not profile app users.
The website siftmate.app uses Google Analytics 4 (Google LLC) only with the user's consent. GA4 collects anonymous traffic data (visits, country, device type) with IP anonymisation enabled. Data is stored by Google on servers in the USA under standard contractual clauses (SCCs). Consent can be withdrawn at any time by clicking "Cookie settings" in the website footer.
Your cookie preference is stored locally in your browser (localStorage) and is not transmitted to SiftMate servers.
10. Children
The App is not intended for persons under the age of 16. If you believe a child is using the App, please contact us - we will delete the associated data.
11. Changes to this Privacy Policy
We will notify you of material changes via an in-App notification. Continued use of the App after changes are made constitutes acceptance of the updated policy.
12. Contact
E-mail: support@siftmate.app