Privacy Policy

Effective May 24, 2026 Last updated May 24, 2026 GDPR · CCPA compliant

SiftingSignal is built around a simple posture: collect the minimum data needed to operate the product, never sell it, never share it with advertising networks, and let any reader who wants their data exported or deleted do so without friction. This policy explains the specifics, including the rights granted to readers in the European Union under the General Data Protection Regulation (GDPR) and to California residents under the California Consumer Privacy Act (CCPA / CPRA).

If anything in this document is unclear, write to [email protected]. A human will read it.

01 What we collect

When you use SiftingSignal, we collect:

Email address — used solely to send the magic-link sign-in email and account-related notifications. We do not market off this list without your explicit opt-in.
Stance and position data — the answers you give to topic questions and the positions you record on the platform. This is what powers the personal Mirror view and lets you see your own trajectory over time.
Reactions — the reaction taps you place on posts (e.g. Thoughtful, Cites source, Disagree). Used in aggregate to compute engagement signals; tied to your account so your Mirror can reflect your reactions.
Bookmarks and saved syntheses — items you have explicitly saved.
A session cookie — to keep you signed in across page loads.
A salted hash of your IP address — kept only for abuse detection (rate-limiting, ban enforcement). We do not retain raw IP addresses.
Reduced-fidelity timing metadata — when you visit a page, what you reacted to, so we can build the Mirror and improve the product. No third-party analytics, no behavioral ad pixels.

02 What we do not collect

We deliberately do not collect:

Your real name (the platform uses a chosen display name only).
Raw IP addresses (we keep only a salted hash for abuse defense).
A photo, biography, or other identifying personal information.
Demographic information (age, gender, race, income, location beyond country-level for EU AI Act compliance).
Third-party tracking pixels, advertising identifiers, or cross-site cookies.
Biometric data of any kind.
Your browsing activity off SiftingSignal.

We do not sell any of this data. We do not share it with advertising networks. We do not buy data from data brokers to augment your profile.

03 How we use what we collect

The data we collect is used for four purposes:

Authentication. Your email address is used to send sign-in magic links and account notifications.
Personalization. Your stances, reactions, and bookmarks feed your personal Mirror view — which shows how your positions relate to each tier, to the consensus, and to your own past positions.
Aggregate computation. Reactions and stances feed the aggregator's engagement signals in aggregate; individual entries are not exposed to other readers without your action.
Product improvement. Coarse usage patterns help us understand which syntheses are useful and which need editorial attention.

The lawful basis for processing under GDPR Article 6 is: consent for the account-creation flow and for any future marketing communications; legitimate interest for the core sense-making service (synthesis personalization, Mirror computation) and for abuse defense; contractual necessity for fulfilling the platform-of-use to you as an account holder.

04 Data retention

User account data — email, stances, reactions, bookmarks — is retained for as long as your account is active. When you delete your account, this data is deleted within 30 days, with the following narrow exceptions:

Sponsored placement audit records that you interacted with are retained for three years from the date of placement, per the FTC's final rule on AI endorsements (16 CFR 255). Audit records are stored separately and do not include your account-level identifiers.
Salted hashes used for abuse defense are retained for 90 days.
Aggregate, de-identified usage statistics are retained indefinitely (they no longer relate to you as an identifiable person).

05 Third parties

SiftingSignal uses a small number of vetted sub-processors. Each is contracted under standard data processing terms; for EU users, standard contractual clauses apply where the sub-processor is outside the EU.

Sub-processor	Purpose	Data shared
Resend	Transactional email (magic-link sign-in, account notifications)	Email address only
Cloudflare	Hosting, DNS, edge caching, abuse defense	HTTP request data (subject to salted-hash IP policy)
Voyage AI	Text embeddings for the aggregator (anonymized signal content only)	No user-identifiable data; only the source signal text being embedded
Anthropic / Google	Language model inference for synthesis and verification	No user-identifiable data; signal content and synthesis prompts only

We do not use any third-party analytics providers, advertising networks, or marketing automation tools. If we add a sub-processor in the future, this list will be updated and the change disclosed.

06 Your rights

You have the following rights regardless of where you are located, and additional explicit rights if you are in the EU (under GDPR) or California (under CCPA / CPRA):

Access (GDPR Art. 15 · CCPA § 1798.110)

You can request a copy of all personal data we hold about you. We will respond within 30 days.

Erasure / deletion (GDPR Art. 17 · CCPA § 1798.105)

You can request that we delete your account and associated personal data. We will complete deletion within 30 days, subject to the narrow retention exceptions in section 04.

Rectification (GDPR Art. 16)

You can request that we correct any inaccurate personal data we hold about you.

Portability (GDPR Art. 20)

You can request a machine-readable export of your stances, reactions, and bookmarks (JSON format).

Restriction (GDPR Art. 18)

You can request that we restrict processing of your data while we resolve a dispute about accuracy or lawful basis.

Object (GDPR Art. 21)

You can object to processing based on legitimate interest. We will assess and either honor the objection or explain why an overriding legitimate ground applies.

Opt-out of sale / sharing (CCPA § 1798.120)

SiftingSignal does not sell your personal information and does not share it for cross-context behavioral advertising. There is nothing to opt out of, but you may submit a formal request and we will confirm in writing.

Non-discrimination (CCPA § 1798.125)

We will not degrade your service for exercising any of these rights.

Right to lodge a complaint (GDPR Art. 77)

EU users may lodge a complaint with their local data protection authority. We would prefer you reach out to us first so we can resolve it directly.

To exercise any of these rights, email [email protected] with your account email address and the specific right you wish to exercise. We respond within 30 days per GDPR Article 12(3).

07 Cookies

SiftingSignal uses one cookie: a session cookie that keeps you signed in across page loads. We do not use analytics cookies, advertising cookies, or any third-party trackers.

If you are in the EU or the UK, you will see a consent banner on your first visit explaining the cookie and your options. "Essential only" is offered with equal prominence to "Accept" per the ePrivacy Directive.

08 International data transfers

SiftingSignal is operated from the United States. EU users' personal data may therefore be processed in the United States by us and by some of our sub-processors. Where this is the case, we rely on the European Commission's Standard Contractual Clauses (2021/914) as the safeguard for the transfer, supplemented by the relevant sub-processor's adequacy decision or equivalent mechanism where available.

If a sub-processor's safeguards are invalidated by a court of competent jurisdiction, we will replace that sub-processor or restructure the processing within a reasonable period.

09 Children

SiftingSignal is intended for users 18 years of age or older. We do not knowingly collect personal data from children under 13 (or under 16 in the EU per GDPR Article 8). If we learn that we have collected personal data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please email [email protected].

10 Security

We use industry-standard encryption (TLS 1.2+) in transit and at rest. Magic-link sign-in eliminates the password-reset attack surface. Operator accounts require two-factor authentication. Despite reasonable measures, no system is perfectly secure; if we discover a breach affecting your data, we will notify you per applicable law (GDPR Art. 34 · state breach notification laws) without undue delay.

11 Changes to this policy

When we update this policy, the "Last updated" date at the top changes. Material changes — anything that expands data collection or alters how we use existing data — are surfaced in-app and via an email notification before the change takes effect.

12 Contact

For privacy questions, data requests, or anything covered by this policy:

[email protected]

For EU users: we have not yet appointed a formal EU representative under GDPR Article 27 (the platform is below the activity threshold that requires one). When that threshold is crossed, the representative will be named in this policy.

This privacy policy was drafted by the editorial team and reflects current platform behavior as of the effective date. It has not yet been reviewed by external privacy counsel; that review is scheduled before any meaningful EU-traffic launch. If you spot an inaccuracy or ambiguity, please email [email protected].