Trust and data
You don't have to trust us with your data, because we don't hold it. Your identity and records live in your own data server. Here's what Sifa ID runs, where, and how.
How trust works here
On most networks you hand your data to a company and hope they look after it. Sifa works the other way around. Your identity and your records live in your own data server on AT Protocol, the open network Bluesky also runs on. They're yours, wherever you go.
Sifa is an app that reads and aggregates your public records and writes new ones only with your permission. Trusting Sifa isn't handing over custody, because the data was never ours to hold. Leave whenever you like and it comes with you.
What we store, and what we don't
Your canonical profile lives in your data server, not our database. To keep search and your profile pages fast, Sifa keeps a derived index of public records, plus a few things that have to live with us: your notification settings, notes you write about people, and short-lived caches (5 to 15 minutes) that are never written to the database. We don't build advertising profiles, and we don't process special-category data.
At a glance
Sub-processors
The only third parties that process your personal data for us. Both are in the EU.
| Provider | Purpose | Location |
|---|---|---|
| Hetzner | Hosting (servers and database) | Germany |
| Scaleway | Transactional email (only if you turn on notifications) | France |
What we run ourselves
Open-source software on our own servers in Germany. No CDN, no third-party telemetry.
- PostgreSQL Database
- Valkey Cache
- Caddy Reverse proxy and TLS
- Umami Analytics, cookieless and self-hosted
- GlitchTip Error monitoring, self-hosted
Security
- Encrypted in transit. HTTPS everywhere, with HSTS preloaded for two years.
- No passwords to leak. You sign in with AT Protocol OAuth, so we never hold a password. Your session is an opaque, httpOnly cookie.
- Hardened responses. Content-Security-Policy, X-Content-Type-Options, Referrer-Policy and a strict Permissions-Policy on every response.
- Rate limiting and CORS. Requests are rate-limited, and cross-origin access is restricted to known origins.
- Validated and sanitized. Every API input is validated with Zod, and user content is sanitized with DOMPurify.
- Monitored and backed up. Errors go to self-hosted GlitchTip, and data is backed up daily.
How long we keep things
| Data | Kept for |
|---|---|
| Unclaimed profiles | Cached up to 5 minutes, never written to our database |
| Your profile and activity | Kept until you delete it |
| Server logs | At most 30 days |
| Consent records | 3 years after deletion (legal obligation) |
Sifa also relies on public AT Protocol infrastructure run by others (relays and identity services). Every dependency, dataset, and open-source project is listed on our credits page.
Open where it counts
The schemas that define your Sifa data and the SDK that reads them are open source (MIT), so anyone can check how your data is structured and used. The apps themselves (this website and the backend) aren't open source yet. It all lives on our GitHub.
Your rights and control
- Export everything, any time, for free: download your data.
- Delete your account and the data we hold: account settings.
- Control how discoverable you are: privacy settings.
- Take your profile to another app: it's portable by design, no export-and-reimport needed.
For the full legal detail (legal bases, retention, and how to reach us), see our privacy policy and terms.
Who runs Sifa
Sifa is built by Singi Labs in the Netherlands. Not a faceless brand: you can see who's behind it and what we're building on our about page.
Found a security issue? Email us at security@sifa.id and we'll take a look.
Last updated July 2026.