Privacy Policy

Effective: 27 May 2026 · Version 0.1 (pre-launch)

Sigil is a credential gateway for AI agents — we hold OAuth tokens to third-party services on your behalf and proxy AI agents’ access through a permission layer you control. We aim to handle your data with the care that role demands.

What we collect

  • Account identifiers: the email address and name you provide at signup, your Auth0 subject identifier, the time you created your account, and the SHA-256 hash of your recovery code.
  • OAuth credentials you connect: when you connect a data source (Gmail, GitHub, etc.), Sigil stores the resulting refresh and access tokens encrypted with AES-256-GCM under a per-user data encryption key, which is itself wrapped by a master key held in a hardware security module. Plaintext tokens never leave decryption operations.
  • Audit trail: every authentication, grant change, and tool call performed by an AI agent on your behalf is recorded in an append-only log keyed to your account. You can review and export this from your dashboard.
  • Technical telemetry: IP address, browser user agent, and timestamps for the security-sensitive events above.

What we don’t collect

  • The contents of any data you connect — your emails, calendar entries, repositories. Tool calls are proxied; we record metadata, not payloads.
  • Marketing analytics by default. We use minimal telemetry to keep Sigil running and report errors.

Sub-processors

  • Auth0 (Okta, Inc.) — authentication, MFA, session management. EU region.
  • Microsoft Azure — application hosting and PostgreSQL storage. UK South region.
  • Sentry — application error reporting. EU region.
  • Resend — transactional email (welcome, recovery, security notices). EU region.

Your rights under UK GDPR

You can at any time:

  • Export your data — your account, audit log, connection metadata, and grants — as JSON via Dashboard → Account → Download data export.
  • Delete your account — permanently removes your Sigil record, encrypted credentials, and audit history. The Auth0 user is removed in the same operation. See Dashboard → Account → Close your account.
  • Object to processing — by closing your account. We have no marketing-purpose processing to opt out of separately.

Retention

Account data is retained as long as your account is active. On deletion, all keyed-to-user data is removed within 30 days, including backups. Cryptographic audit hashes may persist longer in cold-storage logs for security-incident investigation only.

Contact

Questions or requests under this policy: privacy@joinsigil.com.

This is a pre-launch v0.1 of our policy and will be expanded before public beta. The substance — that we cannot read the credentials you entrust to us, and that you own the data — will not change.