Privacy and security
Cleaning a customer list means handling names, emails, and phone numbers, real people's data. So the honest question is not "do you promise it's private", it's "can I prove it". You can. Sift is a static web app with no backend: your file is read and cleaned entirely in your own browser, on your own device, and its contents are never uploaded. Below are three tests you can run yourself, and the exact security policy that enforces it. Verifiable, not claimed.
Open Sift and try the tests โ
Watch every network request the app makes, and confirm your file is not in any of them.
The simplest proof of all. If the app can clean your file with the internet switched off, the cleaning is obviously happening on your device, not on a server.
A browser will only open network connections that a page's Content-Security-Policy allows. Sift sends a strict one that blocks the browser from connecting anywhere except the app's own host, its analytics endpoint, and its signup endpoint, so there is no path for your file to be sent to some third party even by accident. This is the real header the site serves; you can confirm it in the Network tab on the main document's response headers:
Content-Security-Policy:
default-src 'self';
script-src 'self';
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob:;
connect-src 'self' https://eu.i.posthog.com
https://eu-assets.i.posthog.com https://*.supabase.co;
worker-src 'self' blob:;
object-src 'none'; base-uri 'self';
form-action 'none'; frame-ancestors 'none'
The line that matters for your data is connect-src: it is the allowlist of hosts
the browser may contact. It permits only Sift's own origin, the analytics endpoint, and the
signup endpoint. There is nowhere for your file to go.
Two things, and being straight about them is the point, because neither one contains your file's contents:
That is the whole list. Your contact data, the file you came here to clean, is never in either.