Privacy Policy

This Privacy Policy explains how Sift Health (“we”, “us”) collects, uses, and shares information when you use our website, scanning service, dashboard, API, and reports (the “Service”). It covers our own data practices. It does not cover the practices of websites we scan at your request, and it is separate from the findings our reports make about those websites.

• Account information. Email address, name, organization name, and authentication identifiers when you sign up or sign in.
• Site and scan configuration. Domains you add, optional organizational metadata you attach to them (such as a client name or tags), verification records, and monitoring schedules.
• Scan observations. Page-level facts about scanned websites: response headers, TLS certificate details, detected third-party scripts, form structure, and similar publicly observable indicators, plus the scores and findings derived from them.
• Messages. Contact-form submissions and support correspondence.
• Billing. Subscription status and invoices via our payment processor (Stripe). We never see or store full card numbers.
• Service logs. Standard technical logs (IP address, user agent, timestamps) used for security, rate limiting, and abuse prevention.

Sift Health scans websites, not people. Scans request only publicly accessible pages, never authenticate, and never submit forms, so the Service is not designed to receive protected health information (PHI) and we ask that you never send it to us, including through the contact form.

Our own marketing site does not run third-party advertising trackers. Holding ourselves to the standard we scan for is the point of the product.

• to run scans you request and produce reports, scores, and findings;
• to power monitoring: comparing new scans against your baseline and alerting you to score drops, expiring certificates, or newly detected trackers;
• to operate accounts, billing, and support;
• to secure the Service, enforce rate limits, and prevent abuse;
• to send service notices and, with your consent, product updates; you can opt out of non-essential email at any time.

We do not sell personal information and we do not share it with advertisers. We share information only with service providers who process it on our behalf under contract: cloud hosting and database infrastructure, Stripe for payments, and an email delivery provider for alerts and notices. We may also disclose information if required by law or to protect the Service and its users.

Reports you generate are yours to share; a report link or export shared by you is outside our control.

Scan results and findings are retained while your account is active so trends and monitoring baselines work. If you cancel, your scan history remains exportable for a limited window (currently 90 days, draft) before removal on our retention schedule. Account records are kept as needed for legal and accounting obligations, then deleted. Contact messages are kept as long as needed to handle the inquiry.

We use industry-standard safeguards: encrypted transport (TLS) for all traffic, hashed credentials, scoped API keys, and least-privilege access to production systems. No system is perfectly secure; if we learn of a breach affecting your information, we will notify you consistent with applicable law.

You can access and update account information from the dashboard, export your scan history, and request deletion of your account and associated data through the contact form. Depending on where you live, you may have additional rights (such as access, correction, deletion, or portability) under laws like the CCPA or GDPR; we honor verified requests consistent with those laws.

The Service is for businesses and professionals and is not directed to children under 16. We do not knowingly collect personal information from children.

We may update this policy as the Service evolves. For material changes we will give notice (for example by email or an in-product notice) before they take effect, and we will update the effective date above.

Privacy questions or requests? Reach us through the contact form. Please do not include PHI.