Privacy Policy

Siftological Ltd ("we", "us", "our") is a company registered in England and Wales under company number 17230874. We operate the website at www.siftological.com and the Siftological AI platform (together the "Services").

For the purposes of UK data protection law, Siftological Ltd is the data controller in respect of personal data you provide to us directly. In respect of personal data contained within your organisation's project management data that we process on your behalf, we act as a data processor — see our Data Processing Agreement for details.

Our contact for all data protection matters is: [email protected]

Data you provide directly

• Contact and registration data: your name, company name, and work email address — collected when you submit our waitlist or eligibility assessment form.
• Communications data: the content of any emails or messages you send to us.

Data collected automatically

• Technical data: IP address, browser type and version, operating system, referring URL, pages visited, and time spent on pages — collected via server logs and standard web analytics.
• Cookie data: see Section 9 (Cookies) below.

Data from your project management tools (platform users only)

• When you connect a project management tool (e.g. Jira, GitHub, Asana, Linear), we access project metadata only — ticket titles, descriptions, labels, sprint data, and commit messages. We do not access, read, or store your source code.
• This metadata may incidentally contain personal data relating to your employees (e.g. names associated with tickets or commits). We process this data solely to provide the Services and in accordance with our Data Processing Agreement.

Data we do not collect

• We do not collect special category data (as defined under UK GDPR Article 9).
• We do not collect payment card data directly — payment processing is handled by a PCI-DSS compliant third-party provider.
• We do not knowingly collect personal data from individuals under the age of 18.

Under UK GDPR, we must have a lawful basis for processing personal data. The table below sets out our purposes and the corresponding lawful basis.

Where we rely on legitimate interests as our lawful basis, we have conducted a legitimate interests assessment and are satisfied that our interests are not overridden by your rights and interests. You may request a copy of this assessment by contacting us.

• Waitlist / enquiry data: retained for up to 24 months from the date of submission, or until you request deletion.
• Account data: retained for the duration of your account plus 12 months following closure, unless a longer retention period is required by law.
• Project metadata: retained only for as long as necessary to provide the Services. Deleted within 30 days of account closure.
• Financial records: retained for 7 years in accordance with UK tax and accounting obligations.
• Communications: retained for up to 3 years unless they form part of a contractual or legal record.

We do not sell personal data. We may share personal data with the following categories of third party, strictly on a need-to-know basis and under appropriate contractual protections:

• Cloud infrastructure providers: for hosting and data storage (e.g. AWS, Cloudflare).
• Email service providers: to deliver transactional and notification emails.
• Payment processors: to handle subscription payments securely.
• Analytics providers: to understand website usage (configured to minimise personal data collection).
• Professional advisers: solicitors, accountants, and insurers, where necessary.
• Regulatory authorities: HMRC, the ICO, or law enforcement, where we are legally required to do so.

All third-party processors are subject to data processing agreements and are required to process personal data only on our documented instructions.

We aim to keep personal data within the UK and the European Economic Area (EEA). Where data is transferred to a country outside the UK that is not subject to a UK adequacy decision, we ensure appropriate safeguards are in place — such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses — in accordance with UK GDPR Chapter V.

Under UK GDPR, you have the following rights in respect of your personal data:

• Right of access: to request a copy of the personal data we hold about you (Subject Access Request).
• Right to rectification: to request correction of inaccurate or incomplete data.
• Right to erasure: to request deletion of your personal data where there is no compelling reason for us to continue processing it.
• Right to restriction: to request that we restrict processing of your data in certain circumstances.
• Right to data portability: to receive your data in a structured, machine-readable format where processing is based on consent or contract.
• Right to object: to object to processing based on legitimate interests or for direct marketing purposes.
• Rights related to automated decision-making: not to be subject to a decision based solely on automated processing that produces a legal or similarly significant effect, without human review.
• Right to withdraw consent: where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month in accordance with UK GDPR Article 12. We will not charge a fee for reasonable requests.

If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or damage. These measures include:

• Encryption of data in transit (TLS) and at rest.
• Access controls and role-based permissions limiting data access to authorised personnel only.
• Regular security reviews of our platform and infrastructure.
• We do not store source code from your project management tools.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where the risk is high, in accordance with UK GDPR Articles 33 and 34.

Our website uses cookies and similar technologies. Cookies are small text files placed on your device to help the website function, improve your experience, and provide security features.

Strictly necessary cookies

These are required for the website to function and cannot be disabled. They include the Cloudflare Turnstile security token used to protect our forms from spam and abuse.

Analytics cookies

We may use analytics tools to understand how visitors use our website. Where we do, we configure these tools to minimise personal data collection and, where required by law, will request your consent before setting analytics cookies.

You can control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the website.

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us immediately at [email protected] and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. We will notify registered users of material changes by email and will update the effective date at the top of this page. We encourage you to review this policy periodically.

For any questions, requests, or complaints relating to this Privacy Policy or our data processing activities, please contact us:

You also have the right to complain to the Information Commissioner's Office if you believe your data protection rights have been infringed: