Sircol Privacy Policy
Sircol is operated by Frontures Management LLC, a California limited liability company ("Sircol," "we," "us," or "our"). This Privacy Policy describes how we collect, use, share, and protect personal information when you use our services at sircol.com, app.sircol.com, and any related Sircol products (together, the "Services").
If you do not agree with this Policy, do not use the Services.
1. Who this policy applies to
This Policy applies to all visitors of sircol.com and all users of app.sircol.com, worldwide. Sircol is intended for users who are at least 18 years old. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us personal information, contact us at hello@sircol.com and we will delete it.
2. Information we collect
We collect three categories of information.
2.1 Information you provide directly
- Account information — your name, email address, password (stored only as a salted hash), and optional profile photo.
- Connected-account credentials — when you connect Gmail or another email provider, we store the OAuth refresh token (Google) or IMAP password (other providers). These are encrypted at rest using AES-256-GCM and used only to perform searches you initiate or that a connection initiates against your account with your approval.
- Search content — the text of search queries you compose, optional notes you attach to a search request, and (for the recipient of a request) the data your account returns from your connected sources for the matching query.
- Network information — the email addresses of people you invite to connect with you on Sircol.
- Support and feedback — any messages you send us at hello@sircol.com.
2.2 Information collected automatically
- Usage data — pages visited on sircol.com and app.sircol.com, links clicked, approximate time spent, browser and device type, referring URL, and approximate location derived from IP address.
- Cookies and similar technologies — see § 8 Cookies and tracking for the full list.
- Authentication cookies — a session token that keeps you signed in (sb-* cookies set by Supabase Auth).
2.3 Information from third parties
- OAuth provider data — when you connect Gmail or Google Contacts, Google returns the profile data and the scoped API access you authorized.
- Email-search results — when another Sircol user sends a search request to your connected inbox, the results that match are pulled from your account by Sircol on your behalf and held in our database until you approve a subset, reject the request, or it expires. Until approval, only you can see the results.
We do not collect or process sensitive categories of personal information such as government identifiers, financial-account numbers, biometric or genetic data, precise geolocation, racial or ethnic origin, religious beliefs, sexual orientation, health information, or union membership.
3. How we use information
We use the information described above to:
- Operate the Services — authenticate you, run the searches you (or a connection, with your approval) ask us to run, deliver approved results, and send transactional email such as account confirmations and invitations.
- Communicate with you — respond to your support questions and notify you of service-relevant changes.
- Improve the Services — understand how features are used, diagnose problems, and prioritize improvements. We rely on aggregated and de-identified usage data where feasible.
- Keep the Services secure — detect, prevent, and respond to fraud, abuse, security incidents, and policy violations.
- Comply with law — meet our legal obligations and respond to lawful requests from government authorities.
We do not use your information to train machine-learning models, sell it to third parties, or use it for cross-context behavioral advertising.
4. Legal basis for processing (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, our legal bases for processing your personal data are:
| Purpose | Legal basis |
|---|---|
| Providing the Services to you (running searches, managing your account, sending transactional email) | Contract — Article 6(1)(b) GDPR. We need to process your data to perform the contract you accept by creating an account. |
| Improving the Services, security and fraud prevention, business operations | Legitimate interests — Article 6(1)(f) GDPR. Our legitimate interests are running and improving the Services without overriding your fundamental rights. |
| Setting non-essential cookies (analytics) and any future marketing communications | Consent — Article 6(1)(a) GDPR. You can withdraw consent at any time. |
| Complying with legal obligations | Legal obligation — Article 6(1)(c) GDPR. |
5. How we share information
We share personal information only with the categories of recipients below, and only for the purposes described.
| Recipient | Purpose | Country |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | United States |
| Vercel, Inc. | Hosting and serving the app.sircol.com application | United States |
| Bluehost (Newfold Digital, Inc.) | Hosting the sircol.com marketing site DNS | United States |
| Google LLC | Gmail and Google Contacts API access for searches you authorize; Google OAuth authentication | United States |
| Resend, Inc. | Sending transactional email (account confirmation, password reset, invitations) | United States |
| Google LLC (Google Analytics) | Aggregate site analytics on sircol.com | United States |
| CustomerLabs, Inc. | Customer Data Platform — captures site events and forwards them to Google Analytics | United States |
Each of these recipients is a "service provider" under CCPA and a "processor" under GDPR. They process personal information on our instructions and are bound by written agreements that restrict use to the purposes above.
We may also disclose personal information to:
- Law enforcement and regulators when required by a valid legal process (subpoena, court order) or to protect rights, safety, or property.
- A successor entity in connection with a merger, acquisition, financing, or sale of all or part of our business. If this happens, we will notify you and the successor will be bound by this Policy or a policy no less protective.
We do not sell personal information for money. We do not "share" personal information for cross-context behavioral advertising as defined under California law.
6. International data transfers
Sircol is operated from the United States and our service providers are located in the United States. If you access the Services from outside the United States, your personal information will be transferred to, and processed and stored in, the United States.
For transfers of personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on the Standard Contractual Clauses approved by the European Commission (and, for UK transfers, the UK Addendum) entered into with our processors. Where additional safeguards are appropriate, we implement supplementary measures such as encryption in transit and at rest.
You can request a copy of the safeguards by emailing hello@sircol.com.
7. Data retention
We retain your information for as long as your account is active and as long as needed to provide the Services. Specifically:
- Account information (name, email, profile, settings) — retained while your account exists; retained indefinitely as aggregated/operational metadata after account closure unless you submit a deletion request under § 9 Your rights.
- Connected-account credentials (OAuth tokens, IMAP passwords) — retained while the connection is active. Deleted from active systems within 30 days of disconnection. May persist in encrypted backups for up to 60 days.
- Search content — search queries, results, and approval state are retained as long as needed to provide a record of the search exchange to both parties. Either party may delete a search request from their account at any time; the matching record is removed from active systems within 30 days.
- Backups — encrypted backups are retained on a rolling 30-day window. Information you delete from active systems will age out of backups within that window.
- Logs — application and security logs are retained up to 90 days.
After deletion, we may retain a minimal record of the fact that an account existed (date of creation, date of deletion, hashed identifier) to satisfy security, anti-abuse, and legal-compliance obligations. This minimal record is not used to identify you and cannot be used to reconstruct your account.
8. Cookies and tracking
We use a small number of cookies. Strictly necessary cookies (authentication) are set without consent because the Services do not work without them. Analytics cookies are set only with your consent where required by law.
| Cookie | Set by | Purpose | Duration |
|---|---|---|---|
| sb-* | Supabase (Sircol) | Authentication session | Session / 7 days |
| _ga, _ga_* | Google Analytics | Distinguish unique visitors; aggregate analytics | Up to 2 years |
| cl_* | CustomerLabs | Customer Data Platform — captures events for forwarding to Google Analytics | Up to 1 year |
You can disable cookies in your browser settings or use a privacy-focused browser. Disabling authentication cookies will prevent you from using app.sircol.com. You can opt out of Google Analytics specifically by installing the Google Analytics Opt-out Browser Add-on.
We do not use cookies for cross-site advertising or to build user profiles for third parties.
9. Your rights
Different rights apply depending on where you live. You can exercise any of these rights by emailing hello@sircol.com. We will respond within the timeframe required by the applicable law (typically 30 days; up to 45 days under CCPA, extendable by another 45 days where reasonably necessary). We will verify your identity before fulfilling a request — usually by matching the request email to a Sircol account.
9.1 If you are in the European Economic Area, United Kingdom, or Switzerland (GDPR / UK GDPR)
You have the right to:
- Access — request confirmation of what personal data we hold about you and a copy.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your personal data, subject to limited exceptions.
- Restriction — request that we limit how we process your data while a dispute is resolved.
- Portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Object — object to processing based on legitimate interests, including any direct marketing.
- Withdraw consent — at any time, where we rely on consent.
- Lodge a complaint — with your local supervisory authority. For UK users, that is the Information Commissioner's Office.
We do not engage in automated decision-making that produces legal or similarly significant effects.
9.2 If you are a California resident (CCPA / CPRA)
You have the right to:
- Know what categories of personal information we have collected about you, the sources, the purposes for which we collected it, and the categories of third parties to whom we disclose it.
- Access the specific pieces of personal information we have collected.
- Delete personal information we have collected from you, subject to legal exceptions.
- Correct inaccurate personal information.
- Limit the use of sensitive personal information — note that we do not collect sensitive personal information as defined by CPRA.
- Opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioral advertising.
- Non-discrimination — we will not discriminate against you for exercising these rights.
Categories of personal information we have collected in the past 12 months (CCPA Cal. Civ. Code § 1798.140):
| Category | Examples |
|---|---|
| Identifiers | Name, email address, IP address, account ID |
| Customer Records (Cal. Civ. Code § 1798.80(e)) | Name, account password (hashed), profile image |
| Internet or other Electronic Network Activity | Browsing activity on Sircol, interactions with features |
| Geolocation | Approximate geolocation derived from IP address |
| Professional / Employment-Related Information | Only if you voluntarily include it in profile fields or search queries |
| Inferences | Aggregated usage patterns |
To exercise these rights, email hello@sircol.com with the subject line "California Privacy Request." You may authorize an agent to submit a request on your behalf; we will require proof of authorization.
9.3 If you are in Canada (PIPEDA)
You have the right to:
- Access your personal information held by us and to be informed of its existence, use, and disclosure.
- Challenge the accuracy of your personal information and have it amended.
- Withdraw consent to our processing, subject to legal or contractual restrictions and reasonable notice.
- Complain to the Office of the Privacy Commissioner of Canada about our handling of your information.
9.4 All other regions
If you are outside the regions above, you may still exercise any of the rights listed in this section. We will respond reasonably and within the timeframes set by applicable law.
10. Security
We protect your information using technical and organizational measures appropriate to the risk, including:
- Encryption in transit — TLS 1.2+ for all connections to sircol.com and app.sircol.com.
- Encryption at rest — IMAP passwords and OAuth refresh tokens are encrypted with AES-256-GCM in the database. Disk-level encryption is provided by our infrastructure providers.
- Access controls — row-level security policies in Supabase scope every user-owned table to the owning user. Administrative access is limited to authorized personnel under written confidentiality obligations.
- Authentication — passwords are stored as salted hashes via Supabase Auth.
- Logging and monitoring — security-relevant events are logged and retained for review.
No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us at hello@sircol.com immediately.
11. Children
The Services are not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you become aware that a child has provided personal information to Sircol, please contact us at hello@sircol.com and we will delete the information.
12. Third-party links
The Services may link to third-party sites (for example, LinkedIn's people-search results). This Policy does not apply to those sites. We encourage you to review the privacy policies of any third party before providing personal information.
13. Changes to this Policy
We may update this Policy from time to time. When we do, we will update the "Effective date" and "Last updated" at the top of the document. If the changes are material, we will notify you by email or by an in-product notice. Your continued use of the Services after the effective date constitutes your acceptance of the updated Policy.
14. Contact us
Questions about this Policy, requests to exercise your rights, and other privacy inquiries should be sent to:
Frontures Management LLC
5214-F Diamond Heights Blvd #129
San Francisco, CA 94131
Email: hello@sircol.com
If you are in the European Economic Area or the United Kingdom, you may also contact your local data protection authority.