Privacy Policy

Sievr is a developer API operated by Applied Solutions Limited. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights over it. It applies to the Sievr API, dashboard, marketing site, and documentation (together, the "Service").

We collect three categories of data:

Account data.When you sign up we store your email address and, if you sign in with GitHub, your GitHub user ID and avatar URL. We don't collect names, addresses, or phone numbers at signup.

Request content. Text you send to /v1/scan is processed in memory to produce a verdict and a redacted copy. We do not persist the input text to our database. The text leaves our process the moment the response is returned.

Operational metadata. For each request we keep a row in our usage log containing: timestamp, API key ID, plan, character count, latency, verdict (allow / flag / block), and request ID. This is what bills you and what flags abuse. It does not include the request body or the response body.

Billing data. If you subscribe to a paid plan, Stripe collects your payment details directly — we never see your card number. From Stripe we receive a customer ID, subscription status, plan, and invoice history.

• Authenticate you to the dashboard and the API.
• Run the requested scan and return the result.
• Meter usage against your plan and report it to Stripe for billing.
• Enforce rate limits, detect abuse, and investigate security incidents.
• Send transactional email — sign-in links, invoices, account and security notices. We don't send marketing email without separate opt-in.
• Improve detection accuracy in aggregate (e.g., counting how often verdicts are produced) — never by reading individual request content.

• We do not store the text you send to the scan endpoint.
• We do not train models on your input text. Our injection classifier is trained on public datasets and our own hand-curated samples.
• We do not sell personal data.
• We do not run third-party advertising or analytics trackers on the dashboard.

We share the minimum data necessary with a small number of sub-processors:

• Hostinger — VPS hosting. The Service runs on Hostinger infrastructure; all stored data lives on their disks.
• Stripe — payments, subscriptions, and metered billing. Stripe handles your card data directly under their own privacy policy.
• Resend — transactional email delivery (sign-in links, account notices). Receives your email address and the message contents.
• GitHub — only if you sign in with GitHub OAuth. We exchange OAuth tokens to verify your identity.
• Anthropic— only if you opt in to the LLM tiebreaker stage of injection detection. When enabled, the text being scanned is sent to Anthropic's API for a classification call. Anthropic does not retain or train on API inputs by default; see their data usage policy.
• Sentry — error tracking. Stack traces and limited request metadata are sent when our application throws.

We may also disclose data if compelled by law (subpoena, court order) or to protect our rights or others' safety. We don't volunteer data to authorities without legal process.

Our application servers and database are hosted in the European Union. Sub-processors (Stripe, Resend, GitHub, Anthropic, Sentry) operate globally; data sent to them may be processed in the United States or other regions, under their own safeguards. If you are in the EU/UK, we rely on Standard Contractual Clauses or equivalent transfer mechanisms where applicable.

• Request bodies: not stored. Held in memory for the duration of the scan only.
• Usage events (timestamp, key ID, plan, latency, verdict, character count): retained for at least the current and previous billing period for billing and dispute resolution, typically 18 months.
• Account data: retained while your account is active. Deleted within 90 days of account closure, except records we are legally required to keep (e.g., tax records tied to invoices).
• Server logs (HTTP access logs, error logs): retained 30 days.

Depending on where you live, you may have the right to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing. To exercise any of these rights, email support@app-solutions.co.uk. We'll respond within 30 days.

Most of what we hold is already visible from the dashboard: your account email, API keys, plan, and usage history. Closing your account from the dashboard triggers deletion under the schedule in section 7.

The dashboard sets a single first-party session cookie used by our authentication library to keep you signed in. It is not a tracking cookie and is not shared with third parties. The marketing site does not set non-essential cookies.

We use TLS for all network traffic, store API keys hashed at rest, restrict production database access to a small number of operators, and patch our infrastructure on a regular cadence. No system is perfectly secure — if you discover a vulnerability, please report it to support@app-solutions.co.uk.

The Service is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us data, contact us and we'll delete it.

We may update this Privacy Policy from time to time. Material changes will be announced by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Questions, requests, or complaints: support@app-solutions.co.uk. If you are in the EU/UK and unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority. Sievr's controller of record is Applied Solutions Limited, governed by the laws of Scotland, UK.

See also our Terms of Service.