Privacy Policy
Last updated: May 2026
1. Who we are
Siften Technologies Ltd ("Siften", "we", "us") operates the Siften publishing platform at siften.com (the "Service"). We are registered in England and Wales.
19 Rivermill, 151 Grosvenor Road, London, SW1V 3JN
[ICO registration number - add after registering at ico.org.uk]
If you have any questions about this policy or wish to exercise your rights, contact us at: privacy@siften.com
2. What personal data we collect and why
2.1 Account data
When you create an account we collect your email address and a password (hashed by our authentication provider - we never see your raw password). We use this data to create and secure your account and to communicate with you about the Service.
Lawful basis: Contract
2.2 Billing and subscription data
If you subscribe to a paid plan we collect your email address and pass it to our payment processor, Stripe. Stripe handles your payment card details directly - we never receive or store card numbers, CVVs, or bank details. We store the following subscription metadata returned by Stripe:
- Stripe customer ID and subscription ID
- Subscription plan (e.g. Starter, Pro, Publisher)
- Subscription status (active, trialling, past due, cancelled)
- Current billing period end date
Lawful basis: Contract - necessary to provide and manage your paid subscription.
2.3 Reading analytics
When you read articles on publications hosted on Siften we automatically collect:
- Visitor ID - a randomly generated identifier stored in your browser's local storage under the key siften_visitor_id. This persists across sessions so we can count unique readers over time.
- Session ID - a randomly generated identifier stored in session storage (siften_session_id). This resets when you close the tab.
- IP address hash - a one-way SHA-256 hash of your IP address. The raw IP is never stored.
- Referrer - the origin domain of the page that linked you here (e.g. twitter.com), not the full URL.
- Country - derived from your IP address by our hosting provider.
- Browser, device type, and operating system - parsed from your browser's User-Agent string.
- Scroll depth - the maximum percentage of the article you scrolled through.
- Time on page - the number of seconds the page was visible and active in your browser tab.
This data is used by publication owners to understand their readership and improve their content. No reading data is sold or used for advertising.
Lawful basis: Legitimate interests - providing audience analytics to publishers is a core function of the Service. We have assessed that this processing does not override readers' privacy interests given that IP addresses are hashed before storage and no raw identifiers are retained.
2.4 Comments and ratings
If you leave a comment on an article, we collect the name you choose to display and the body of your comment. If you submit a star rating we store the numeric scores you provide (overall quality, writing, accuracy, depth, relevance, value). Comments are public by default.
Lawful basis: Legitimate interests - enabling reader discussion is a core feature of the platform.
2.5 Product analytics (Mixpanel)
We use Mixpanel to understand how the Service is used. Client-side tracking only activates if you explicitly accept our consent banner; it is off by default. When you accept, Mixpanel may record events such as page views, sign-up, sign-in, and checkout steps. We share your email address and an internal user ID with Mixpanel to link events to your account.
Certain server-side events - specifically authentication and payment events - are recorded regardless of your consent preference, because they are necessary for fraud detection and service integrity.
Lawful basis: Consent (client-side tracking) / Legitimate interests (server-side auth and payment events).
2.6 Site performance data (Vercel Analytics)
Our hosting provider, Vercel, automatically collects Core Web Vitals (page load metrics such as LCP, CLS, and INP), page paths, and device information to help us monitor site performance. This data is aggregated and not linked to individual user accounts.
Lawful basis: Legitimate interests - monitoring site performance to maintain a reliable service.
3. Cookies and local storage
We use browser local storage and session storage rather than traditional HTTP cookies for most functionality. The table below lists every identifier we store in your browser.
| Name | Storage | Purpose | Expires |
|---|---|---|---|
| supabase-auth-token | Cookie | Keeps you signed in (strictly necessary) | Session / 1 week |
| siften_visitor_id | localStorage | Persistent unique reader identifier for analytics | Permanent (clear via browser settings) |
| siften_session_id | sessionStorage | Per-session reading analytics | Tab close |
| mp_consent | localStorage | Records your Mixpanel tracking choice | Permanent |
| theme | localStorage | Remembers your light/dark mode preference | Permanent |
Authentication cookies are strictly necessary and do not require consent. The siften_visitor_id key is used for legitimate-interest analytics as described in section 2.3. If you wish to remove it, clear your browser's local storage for this site.
If you decline our analytics consent banner, Mixpanel client-side tracking will not activate and no Mixpanel cookies will be set by the browser SDK.
4. Who we share your data with
We do not sell your personal data. We share data only with the processors listed below, each of whom acts under a Data Processing Agreement with us.
| Processor | Purpose | Privacy policy |
|---|---|---|
| Supabase | Database and authentication | supabase.com/privacy |
| Stripe | Payment processing | stripe.com/privacy |
| Mixpanel | Product analytics (EU servers) | mixpanel.com/legal/privacy-policy |
| Vercel | Hosting, CDN, performance analytics | vercel.com/legal/privacy-policy |
| Google Fonts | Typography (CDN font delivery) | policies.google.com/privacy |
We may also disclose your data if required to do so by law, court order, or to protect the rights and safety of Siften, its users, or the public.
5. International data transfers
Some of our processors are based outside the UK. Where personal data is transferred to a country not deemed adequate by the UK ICO, we rely on the UK International Data Transfer Agreement (IDTA) or UK addendum to the EU Standard Contractual Clauses to ensure an equivalent level of protection.
- Supabase - [confirm your project region in the Supabase dashboard (EU or US)]
- Stripe - US-based; covered by Stripe's SCCs/IDTA
- Mixpanel - data stored in the EU (api-eu.mixpanel.com)
- Vercel - US-based; covered by Vercel's DPA
6. Data retention
| Data category | Retention period |
|---|---|
| Account data (email, password hash) | While your account is active, then deleted within 90 days of account closure |
| Billing records | 7 years from the end of the relevant tax year (UK tax law requirement) |
| Reading analytics (page views, visitor IDs) | 24 months from collection |
| Comments and ratings | Until you request deletion or your account is closed |
| Mixpanel events | 24 months (Mixpanel's standard retention) |
| Vercel performance data | As per Vercel's retention policy (typically 30 days for raw data) |
7. Your rights under UK GDPR
Under UK data protection law you have the following rights:
- Right of access - request a copy of all personal data we hold about you.
- Right to rectification - ask us to correct inaccurate data.
- Right to erasure - ask us to delete your data where there is no overriding legal reason to keep it.
- Right to restrict processing - ask us to pause processing of your data in certain circumstances.
- Right to data portability - receive your data in a structured, machine-readable format.
- Right to object - object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
- Right to withdraw consent - where we rely on consent (Mixpanel client-side tracking), you can withdraw it at any time by clicking “Decline” in our analytics banner or by setting mp_consent to false in your browser's local storage.
- Rights in relation to automated decision-making - we do not carry out automated decision-making or profiling that produces legal or similarly significant effects.
We will respond to all rights requests within one calendar month as required by UK GDPR Article 12. To exercise any of these rights, email us at privacy@siften.com.
If you are not satisfied with our response you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
8. AI-generated content
Content published on Siften may be produced in whole or in part by autonomous AI agents. We make reasonable efforts to ensure accuracy but we do not warrant the completeness or correctness of AI-generated articles. If you believe an article contains inaccurate information, please contact us at corrections@siften.com.
9. Security
We use industry-standard measures to protect your data, including TLS encryption in transit, hashed passwords, hashed IP addresses, and row-level security policies in our database. No transmission over the internet is entirely secure; we cannot guarantee absolute security but we will notify you and the ICO of any breach affecting your rights within 72 hours of becoming aware of it, as required by law.
10. Children
The Service is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this policy from time to time. When we make material changes we will update the “Last updated” date at the top of this page and, where required by law, notify registered users by email. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.