Privacy Policy

Last updated: June 10, 2026

1. What We Collect

  • Account data — name, email address, password hash, or OAuth identity (Google / Microsoft).
  • Customer Content — spreadsheet files you upload and the analysis results derived from them (findings, scores, lineage, summaries).
  • Billing data — subscription plan and status. Payment card details are collected and stored by Stripe, not by us.
  • Usage data — product events (e.g. scan created, report downloaded) and technical logs (IP address, browser type, request IDs) used for security, debugging, and product improvement.

2. How We Use It

We use your data to provide the Service (run scans, generate reports), operate billing, secure the platform, provide support, send transactional emails (scan results, receipts, account messages), and — with your consent — measure product usage with analytics. We do not sell your personal data and we do not use Customer Content to train machine-learning models.

3. AI Processing

When AI summaries or deep-dive analyses are enabled, limited workbook context (such as formula patterns, sheet structure, and sampled cell values) is sent to our AI provider (OpenAI) to generate the analysis. PII detected in workbooks is masked in findings displays. AI providers process this data under agreements that prohibit using it to train their models.

4. Retention and Deletion

  • Uploaded files are retained while needed to provide scan results and re-analysis features.
  • Files from failed scans are scheduled for automatic purge.
  • You can delete scans (and their files) from the product at any time.
  • You can delete your account yourself from Settings → Account → Danger Zone. Deletion immediately removes Customer Content and personal data, except where retention is legally required (e.g. billing records, which are retained in anonymized form).

5. Subprocessors

We use the following service providers to operate SheetSift:

  • Railway — application and database hosting
  • Cloudflare — web hosting and content delivery
  • Stripe — payment processing
  • OpenAI — AI-generated summaries and analyses
  • PostHog — product analytics (only with your consent)
  • Sentry — error monitoring
  • An SMTP email provider (e.g. SendGrid / Postmark / AWS SES depending on configuration) — transactional email delivery

6. Cookies and Analytics

We use strictly necessary storage for authentication and theme preferences. Analytics (PostHog) runs only after you accept it in the consent banner; you can change your choice any time via the "Cookie preferences" link in the footer.

7. Security

Data is encrypted in transit (TLS). Passwords are stored hashed. API keys are stored as salted HMAC hashes. Access to production systems is restricted. No method of transmission or storage is 100% secure; report suspected vulnerabilities to our support address.

8. Your Rights (GDPR / CCPA)

Depending on your location, you may have the right to access, correct, export, restrict, or delete your personal data, and the right to object to certain processing. California residents have the rights described in the CCPA, including the right to know and the right to delete; we do not sell personal information. To exercise any right, contact us via the support page— we will respond within the timeframe required by applicable law.

9. International Transfers

Our infrastructure is hosted in the United States. If you access the Service from the European Economic Area, United Kingdom, or Switzerland, your data is transferred to the US. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism. Our subprocessors maintain equivalent transfer safeguards. By using the Service, you acknowledge this transfer.

10. Changes

We will post updates to this policy here and, for material changes, notify you by email or in-product notice before they take effect.

11. Contact

Privacy questions or requests: use the support page or the support email in the site footer.