Privacy Policy
Effective Date: February 6, 2026
At Xiftly, we believe that your emails are your business, not ours. Our architecture is designed so that we mathematically cannot access your data. This is the foundation of our “Sovereign Privacy” commitment.
1. Zero-Knowledge Architecture
Xiftly is a “Headless Sovereign” application. This means:
- Local Processing: Your emails are fetched directly from your provider (e.g., Google) to your device. They are never transmitted to Xiftly's servers.
- Local Encryption: All data stored on your device is encrypted using SQLCipher (AES-256).
- Hardware Keys: The keys to decrypt your data are generated and stored in your device's hardware (Apple Secure Enclave or Android StrongBox). Xiftly does not have access to these keys.
2. Bring Your Own AI (BYOK) Privacy
Xiftly does not route your emails through a centralized AI proxy.
- When you use AI features (Summarization, Drafting, Categorization), Xiftly communicates directly from your device to the AI provider (OpenAI, Anthropic, or Google) using your personal API key.
- Your data stays between you and your chosen AI provider. Xiftly never sees the content of these requests.
3. Data We DO NOT Collect
- We do not collect your email content, subjects, or sender information.
- We do not collect your AI API keys. They are stored only in your device's secure hardware.
- We do not collect your contacts or calendar data.
4. Data We DO Collect
To provide the service, we collect minimal, non-identifiable technical data:
- Subscription Status: We store your user ID and subscription tier to manage Pro feature access.
- Encrypted Settings (Optional): If you enable sync, we store an encrypted “Dark Blob” of your settings. We cannot decrypt this blob; only your authenticated devices can.
- Usage Telemetry (Optional): Basic, anonymous crash reports and performance metrics to help us improve the app. You can opt out of this in Settings.
5. Third-Party Services
- Google/Gmail: Xiftly uses the Gmail API. Our use of information received from Google APIs adheres to the Google API Service User Data Policy, including the Limited Use requirements.
- AI Providers: Your use of OpenAI, Anthropic, or Google Gemini is subject to their respective privacy policies.
6. Your Rights
Since we do not store your data, you have absolute control. Deleting the app and your local database permanently removes all your information from your device. You can also request the deletion of your account/subscription record from our backend at any time.
7. Contact Us
If you have any questions about our Sovereign Privacy model, please contact us at: privacy@xiftly.ai