Draft document — legal review required

This template reflects a SaaS email / classification-assistance architecture (EU, standard subprocessing). Legal bases, retention and wording must be adjusted to your operational reality and validated by counsel or a DPO.

Last template update: 7 April 2026.

1. Who is the controller?

The controller of personal data collected in the Siftbox service is: Webdigit srl, Place de Moulbaix 10 - 7812 Moulbaix, Belgique — contact: hello@siftbox.ai.

2. What data do we process?

  • Account data: identifier, sign-in email address, profile elements needed to run the service.
  • Mail data (if you connect Gmail or IMAP): message metadata (subject, sender, labels, snippets per configuration), and possibly content or excerpts sent to the classification engine depending on consent level / account settings (e.g. standard, excerpt for AI refinement, transient body if enabled).
  • Technical data: security and operations logs, correlation IDs, IP address, audit logs for sensitive actions (sign-in, OAuth, settings), with minimisation (no plain-text passwords in logs).
  • Waitlist or pre-launch contact data: per forms shown on the site.

3. Why and on what legal basis (GDPR)?

Typical purposes and **indicative** legal bases (confirm with counsel):

  • Providing the SaaS (account creation, authentication, dashboard) — contract performance or pre-contractual measures (Art. 6(1)(b) GDPR).
  • Gmail / IMAP OAuth linking and synchronisation — contract performance and/or explicit consent depending on the framework chosen for mailbox access (Art. 6(1)(a) or (b) per analysis).
  • Classification and prioritisation aids — contract performance; for optional processing involving an AI vendor or extra excerpts, **consent** or **legitimate interest** per risk analysis and transparency (to be decided and documented).
  • Security, abuse prevention, evidence in disputes — legitimate interest (Art. 6(1)(f)) or legal obligation where applicable.
  • Legal and accounting obligations — Art. 6(1)(c) where applicable.

4. Recipients and subprocessors

Data is processed by the publisher and, as needed, by technical subprocessors including: application hosting (e.g. Infomaniak), database (e.g. OVHcloud France), transactional email provider, Google for the Gmail API when you enable connection, and queue/cache infrastructure (Redis) per deployment.

An up-to-date subprocessor list and Art. 28 GDPR safeguards must be maintained contractually and shared with business customers if a DPA is signed.

5. Transfers outside the European Economic Area

If a subprocessor or service involves a transfer outside the EEA, EU Commission standard contractual clauses, the Data Privacy Framework (if applicable) or equivalent mechanisms must be documented. Analyse each actual vendor (Google, host, etc.).

6. Retention

Data is kept for the life of the account and a reasonable period after closure for legal defence and obligations, unless anonymised. Precise retention per category should be set in the processing register and explained clearly here.

7. Your rights

Under the GDPR you may have rights of access, rectification, erasure, restriction, objection, portability (where applicable), and to withdraw consent at any time when processing is consent-based.

You may lodge a complaint with the data protection authority in your country (France: CNIL; Belgium: Gegevensbeschermingsautoriteit / APD-GBA).

8. Security

The publisher applies appropriate technical and organisational measures: encryption of sensitive secrets at rest where designed, access control, bounded logging, multi-tenant (tenant) isolation in the database per service design.

9. Cookies and trackers

The site may use strictly necessary cookies (session, language preferences). Any non-essential tracker must be described and, if required, consented under ePrivacy Directive / national laws.

10. Minors

The service is not aimed at children under 16 (or the age required in your jurisdiction). Do not knowingly collect their data without an appropriate legal basis.

11. Changes to this policy

This policy may be updated. Material changes should be communicated by a reasonable channel (email or in-product notice).