Privacy Policy.
How SaltingIO LLC collects, uses, shares, and safeguards personal information in connection with the SiftingIO service. We are the data controller. We do not sell your personal information, and we do not use customer data to train third-party AI models.
1. Introduction
This Privacy Policy explains how SaltingIO LLC, a Wyoming limited-liability company (“SaltingIO,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal information when you visit sifting.io, create a SiftingIO account, or use the SiftingIO REST and WebSocket APIs, dashboards, SDKs, and related services (collectively, the “Service”). SiftingIO is a product of SaltingIO LLC and is not a separate legal entity; SaltingIO is the controller of personal data processed in connection with the Service.
This Policy is designed to comply with the EU and UK General Data Protection Regulations (“GDPR” and “UK GDPR”), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable privacy laws. It should be read together with our Terms of Use, Cookie Policy, and Important Disclosures.
The Service is not directed to individuals under 16; if you are under 16, please do not use the Service or provide personal information to us.
2. Who we are and how to contact us
The data controller is SaltingIO LLC, 30 N Gould St, STE R, Sheridan, WY 82801, United States. We have not appointed a statutory Data Protection Officer; privacy questions and rights requests are handled by our privacy team.
Contact us about this Policy or to exercise your rights:
- Privacy and rights requests: privacy@sifting.io
- Security disclosures and DPA requests: security@sifting.io
- Parent-company correspondence: info@salting.io
3. Information we collect
We collect personal information in three ways.
3.1 Information you provide. When you register, use, or contact us about the Service, you may give us:
- account details: email address, name, password (stored as a salted hash);
- organization details: company name, billing address, VAT/tax identifier, technical contact;
- API credentials and configuration you create within the dashboard (API keys are stored securely; raw keys are not retrievable after creation);
- payment details: billing name, billing address, country, and the last four digits of your card. Full card numbers and bank details are collected and stored by our payment processor (Stripe, Inc.) and are not stored on our systems;
- communications: support tickets, sales inquiries, survey responses, feedback, content of emails you send us;
- content you choose to upload, such as logos for invoices or files attached to support tickets.
3.2 Information we collect automatically. When you interact with the Service we automatically collect:
- usage and telemetry: API endpoint, asset/symbol requested, response status, latency, error rates, request volume, plan tier, throttle events, and other operational metrics tied to your account or API key;
- device and connection: IP address, derived approximate location (country/region only), browser user-agent string, operating system, referring URL, language;
- log files: timestamped records of authentication, key issuance and rotation, account changes, billing events, security events;
- cookies and similar technologies, see our Cookie Policy.
3.3 Information from third parties. We may receive limited information from:
- our payment processor (Stripe), confirming successful charges, chargebacks, refunds, and tax information;
- identity-verification, sanctions-screening, or fraud-prevention providers, when we are required to verify a customer or prevent abuse;
- analytics providers (e.g. privacy-respecting page-view analytics), limited to aggregated traffic data;
- partners or affiliates who refer you to the Service.
We do not deliberately collect special categories of personal data (for example, race, religion, health, biometric data, political opinions). Please do not submit such data through the Service.
4. How we use information
We use personal information for the following purposes:
- Provide the Service. Create and maintain your account, authenticate API requests, deliver market data, calculate usage, enforce rate limits and license scope, provide dashboards, and offer customer support.
- Billing and collections. Process payments, invoices, refunds, taxes, and dunning; detect and prevent payment fraud and chargeback abuse.
- Security and abuse prevention. Detect and block unauthorized access, credential leaks, scraping, key sharing, denial-of-service activity, and other abuse; investigate security incidents.
- Operate, improve, and develop the Service. Diagnose issues, monitor performance, capacity-plan, and develop new features. Where this involves personal data, it is on the basis of our legitimate interests in running and improving a reliable Service.
- Communicate with you. Send transactional emails (account, billing, security, incident notices), respond to inquiries, and, only where we have a lawful basis, send product updates, newsletters, or marketing.
- Comply with law and protect rights. Meet our legal, regulatory, and tax obligations; respond to lawful requests from authorities; protect our rights, the rights of users, our Data Sources, and the public; enforce our Terms.
We do not sell your personal information for monetary consideration, and we do not use your personal information to train third-party generative AI models. We also do not use the content of your API requests or your customers’ data to train machine-learning models that we offer to third parties.
5. Legal bases (GDPR / UK GDPR)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract, to create your account, deliver the Service, process payments, and provide support (Art. 6(1)(b)).
- Legitimate interests, to secure the Service, prevent abuse, monitor performance, develop new features, understand aggregate usage, conduct internal analytics, and communicate with existing customers about features similar to those they already use (Art. 6(1)(f)). We balance these interests against your rights and freedoms.
- Consent, for non-essential cookies, marketing emails to non-customers, and any other processing where consent is required (Art. 6(1)(a)). You may withdraw consent at any time.
- Legal obligation, to keep accounting records, respond to lawful requests, and comply with sanctions, anti-money-laundering, and tax law (Art. 6(1)(c)).
7. International data transfers
We are headquartered in the United States, and our primary production environment is hosted in the United Kingdom (AWS eu-west-2, London region). Some sub-processors may process data in other countries, including the United States and other locations worldwide. As a result, your personal information may be transferred to and processed in countries with data-protection laws different from those in your jurisdiction.
When we transfer personal data outside the European Economic Area, the United Kingdom, or other regions imposing transfer restrictions, we rely on appropriate safeguards, including:
- European Commission Standard Contractual Clauses and the UK International Data Transfer Addendum;
- adequacy decisions where applicable;
- supplementary technical and organizational measures such as encryption in transit and at rest, access controls, and logging.
You may request a copy of the safeguards we have put in place by emailing privacy@sifting.io.
8. How long we keep information
We keep personal information only as long as necessary for the purposes described in this Policy and as required to comply with our legal obligations, resolve disputes, and enforce our agreements. Typical retention periods are:
| Category | Retention |
|---|---|
| Account profile and configuration | Life of the account; deleted (or anonymized) within 90 days of account deletion or after 36 months of continuous inactivity, whichever is sooner. |
| API access and usage logs (per-request) | Up to 12 months for operational, security, and abuse-prevention purposes; aggregate metrics may be retained longer in de-identified form. |
| Security and audit logs | Up to 24 months. |
| Billing records, invoices, and tax data | As required by applicable tax and accounting law, generally 7 years from the end of the relevant fiscal year. |
| Support and sales communications | Up to 36 months after last contact. |
| Marketing preferences | Until you unsubscribe; suppression list retained indefinitely so we honor your opt-out. |
Where a longer retention period is required by law (for example, to defend a legal claim or comply with a regulatory or tax obligation), we retain the data for the period required and then delete or anonymize it.
9. Security
We maintain administrative, technical, and physical safeguards designed to protect the personal information we process, including encryption in transit (TLS) and at rest, role-based access controls, principle-of-least-privilege for production systems, centralized authentication and audit logging, vendor security reviews, and regular review of our controls.
No system can be made completely secure. You are responsible for choosing a strong password, protecting your credentials and API keys, and notifying us promptly at security@sifting.io of any actual or suspected unauthorized access.
In the event of a personal-data breach affecting your data, we will notify the relevant supervisory authority and, where required, affected individuals within the timeframes required by applicable law (for example, within 72 hours of becoming aware where required under the GDPR).
10. Your privacy rights
Depending on where you live, you may have rights in respect of your personal information.
10.1 EEA, UK, and Switzerland (GDPR / UK GDPR). You may have the right to:
- access the personal data we hold about you;
- request rectification of inaccurate or incomplete data;
- request erasure of your data (“right to be forgotten”);
- restrict or object to certain processing;
- request portability of data you provided to us;
- withdraw consent where processing is based on consent;
- lodge a complaint with your local supervisory authority, for example, the UK Information Commissioner’s Office (ICO), or your national data-protection authority in the EEA.
10.2 California (CCPA/CPRA). If you are a California resident, you have the right to:
- know the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of recipients;
- request deletion of personal information we collected from you;
- request correction of inaccurate personal information;
- opt out of the “sale” or “sharing” of personal information, although as noted, we do not sell or share personal information as those terms are defined under the CCPA/CPRA;
- limit the use or disclosure of sensitive personal information to the limited purposes permitted by law;
- be free from discrimination for exercising these rights.
10.3 Other jurisdictions. Residents of other U.S. states with comprehensive privacy laws (e.g. Virginia, Colorado, Connecticut, Utah, Texas) and other jurisdictions may have similar rights, which we honor where applicable.
10.4 How to exercise your rights. Email privacy@sifting.io from the email address associated with your account, or use the dashboard’s account-deletion tools where available. We will respond within the timeframe required by applicable law (typically within 30 days for GDPR/UK GDPR and within 45 days for CCPA/CPRA, extendable as permitted by law). We may need to verify your identity before acting on your request. Authorized agents may submit requests on your behalf with proof of authorization.
11. Automated decision-making
We do not use your personal information to make decisions that produce legal effects concerning you, or similarly significant effects on you, based solely on automated processing within the meaning of Article 22 of the GDPR. Automated systems are used for security and abuse detection, but material decisions (such as account suspension for breach) involve human review.
12. Children
The Service is not directed to children. We do not knowingly collect personal information from individuals under 16 (or under 13 in the United States, in line with COPPA). If you believe a child has provided personal information to us, please contact privacy@sifting.io and we will delete it.
13. Third-party links and integrations
The Service may contain links to or integrations with third-party websites and services that we do not control, including exchanges, liquidity providers, and developer tools. Their privacy practices are governed by their own policies. We are not responsible for their content or privacy practices and encourage you to review them.
14. Changes to this Policy
We may update this Policy from time to time. The updated version will be posted at this URL with a revised “Last updated” date. If changes are material, we will notify you through the Service or by email at least 14 days before they take effect, unless a shorter period is required by law. Your continued use of the Service after the effective date of an updated version constitutes acceptance of those changes.
15. Contact
Privacy team: privacy@sifting.io.
Postal: SaltingIO LLC, 30 N Gould St, STE R, Sheridan, WY 82801, United States.