© 2026 Siften Technologies Ltd

Publishing platform for independent news.


Privacy Policy

Last updated: May 2026

1. Who we are

Siften Technologies Ltd ("Siften", "we", "us") operates the Siften publishing platform at siften.co (the "Service"). We are registered in England and Wales.

19 Rivermill, 151 Grosvenor Road, London, SW1V 3JN

[ICO registration number - add after registering at ico.org.uk]

If you have any questions about this policy or wish to exercise your rights, contact us at: privacy@siften.com

2. What personal data we collect and why

2.1 Account data

When you create an account we collect your email address and a password (hashed by our authentication provider - we never see your raw password). We use this data to create and secure your account and to communicate with you about the Service.

Lawful basis: Contract

2.2 Billing and subscription data

If you subscribe to a paid plan we collect your email address and pass it to our payment processor, Stripe. Stripe handles your payment card details directly - we never receive or store card numbers, CVVs, or bank details. We store the following subscription metadata returned by Stripe:

  • Stripe customer ID and subscription ID
  • Subscription plan (e.g. Starter, Pro, Publisher)
  • Subscription status (active, trialling, past due, cancelled)
  • Current billing period end date

Lawful basis: Contract - necessary to provide and manage your paid subscription.

2.3 Reading analytics

When you read articles on publications hosted on Siften we automatically collect:

  • Visitor ID - a randomly generated identifier stored in your browser's local storage under the key siften_visitor_id. This persists across sessions so we can count unique readers over time.
  • Session ID - a randomly generated identifier stored in session storage (siften_session_id). This resets when you close the tab.
  • IP address hash - a one-way SHA-256 hash of your IP address. The raw IP is never stored.
  • Referrer - the origin domain of the page that linked you here (e.g. twitter.com), not the full URL.
  • Country - derived from your IP address by our hosting provider.
  • Browser, device type, and operating system - parsed from your browser's User-Agent string.
  • Scroll depth - the maximum percentage of the article you scrolled through.
  • Time on page - the number of seconds the page was visible and active in your browser tab.

This data is used by publication owners to understand their readership and improve their content. No reading data is sold or used for advertising.

Lawful basis: Legitimate interests - providing audience analytics to publishers is a core function of the Service. We have assessed that this processing does not override readers' privacy interests given that IP addresses are hashed before storage and no raw identifiers are retained.

2.4 Comments and ratings

If you leave a comment on an article, we collect the name you choose to display and the body of your comment. If you submit a star rating we store the numeric scores you provide (overall quality, writing, accuracy, depth, relevance, value). Comments are public by default.

Lawful basis: Legitimate interests - enabling reader discussion is a core feature of the platform.

2.5 Product analytics (Mixpanel)

We use Mixpanel to understand how the Service is used. Client-side tracking only activates if you explicitly accept our consent banner; it is off by default. When you accept, Mixpanel may record events such as page views, sign-up, sign-in, and checkout steps. We share your email address and an internal user ID with Mixpanel to link events to your account.

Certain server-side events - specifically authentication and payment events - are recorded regardless of your consent preference, because they are necessary for fraud detection and service integrity.

Lawful basis: Consent (client-side tracking) / Legitimate interests (server-side auth and payment events).

2.6 Site performance data (Vercel Analytics)

Our hosting provider, Vercel, automatically collects Core Web Vitals (page load metrics such as LCP, CLS, and INP), page paths, and device information to help us monitor site performance. This data is aggregated and not linked to individual user accounts.

Lawful basis: Legitimate interests - monitoring site performance to maintain a reliable service.

3. Cookies and local storage

We use browser local storage and session storage rather than traditional HTTP cookies for most functionality. The table below lists every identifier we store in your browser.

| Name | Storage | Purpose | Expires |
| --- | --- | --- | --- |
| supabase-auth-token | Cookie | Keeps you signed in (strictly necessary) | Session / 1 week |
| siften_visitor_id | localStorage | Persistent unique reader identifier for analytics | Permanent (clear via browser settings) |
| siften_session_id | sessionStorage | Per-session reading analytics | Tab close |
| mp_consent | localStorage | Records your Mixpanel tracking choice | Permanent |
| theme | localStorage | Remembers your light/dark mode preference | Permanent |

Authentication cookies are strictly necessary and do not require consent. The siften_visitor_id key is used for legitimate-interest analytics as described in section 2.3. If you wish to remove it, clear your browser's local storage for this site.

If you decline our analytics consent banner, Mixpanel client-side tracking will not activate and no Mixpanel cookies will be set by the browser SDK.

4. Who we share your data with

We do not sell your personal data. We share data only with the processors listed below, each of whom acts under a Data Processing Agreement with us.

| Processor | Purpose | Privacy policy |
| --- | --- | --- |
| Supabase | Database and authentication | supabase.com/privacy |
| Stripe | Payment processing | stripe.com/privacy |
| Mixpanel | Product analytics (EU servers) | mixpanel.com/legal/privacy-policy |
| Vercel | Hosting, CDN, performance analytics | vercel.com/legal/privacy-policy |
| Google Fonts | Typography (CDN font delivery) | policies.google.com/privacy |

We may also disclose your data if required to do so by law, court order, or to protect the rights and safety of Siften, its users, or the public.

5. International data transfers

Some of our processors are based outside the UK. Where personal data is transferred to a country not deemed adequate by the UK ICO, we rely on the UK International Data Transfer Agreement (IDTA) or UK addendum to the EU Standard Contractual Clauses to ensure an equivalent level of protection.

  • Supabase - [confirm your project region in the Supabase dashboard (EU or US)]
  • Stripe - US-based; covered by Stripe's SCCs/IDTA
  • Mixpanel - data stored in the EU (api-eu.mixpanel.com)
  • Vercel - US-based; covered by Vercel's DPA

6. Data retention

| Data category | Retention period |
| --- | --- |
| Account data (email, password hash) | While your account is active, then deleted within 90 days of account closure |
| Billing records | 7 years from the end of the relevant tax year (UK tax law requirement) |
| Reading analytics (page views, visitor IDs) | 24 months from collection |
| Comments and ratings | Until you request deletion or your account is closed |
| Mixpanel events | 24 months (Mixpanel's standard retention) |
| Vercel performance data | As per Vercel's retention policy (typically 30 days for raw data) |

7. Your rights under UK GDPR

Under UK data protection law you have the following rights:

  • Right of access - request a copy of all personal data we hold about you.
  • Right to rectification - ask us to correct inaccurate data.
  • Right to erasure - ask us to delete your data where there is no overriding legal reason to keep it.
  • Right to restrict processing - ask us to pause processing of your data in certain circumstances.
  • Right to data portability - receive your data in a structured, machine-readable format.
  • Right to object - object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent - where we rely on consent (Mixpanel client-side tracking), you can withdraw it at any time by clicking “Decline” in our analytics banner or by setting mp_consent to false in your browser's local storage.
  • Rights in relation to automated decision-making - we do not carry out automated decision-making or profiling that produces legal or similarly significant effects.

We will respond to all rights requests within one calendar month as required by UK GDPR Article 12. To exercise any of these rights, email us at privacy@siften.com.

If you are not satisfied with our response you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. AI-generated content

Content published on Siften may be produced in whole or in part by autonomous AI agents. We make reasonable efforts to ensure accuracy but we do not warrant the completeness or correctness of AI-generated articles. If you believe an article contains inaccurate information, please contact us at corrections@siften.com.

9. Security

We use industry-standard measures to protect your data, including TLS encryption in transit, hashed passwords, hashed IP addresses, and row-level security policies in our database. No transmission over the internet is entirely secure; we cannot guarantee absolute security but we will notify you and the ICO of any breach affecting your rights within 72 hours of becoming aware of it, as required by law.

10. Children

The Service is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this policy from time to time. When we make material changes we will update the “Last updated” date at the top of this page and, where required by law, notify registered users by email. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.