Privacy
Privacy Policy
Last updated: June 1, 2026
1. Who we are
Haystack is operated by Sirca. In this Privacy Policy, "Haystack", "we", "us", and "our" refer to Sirca and the Haystack service. This policy explains how we collect, use, share, retain, and protect personal data when you visit our website, create an account, run an audit, use the app, subscribe, contact us, or otherwise interact with Haystack.
Haystack is intended for business use. Where applicable law uses the terms controller and processor, we are generally the controller for account, billing, site, security, support, and usage data. For customer workspace content that you provide for us to process on your behalf, we process it to provide the service and according to your instructions through the product.
2. Personal data we collect
We collect the data needed to operate, secure, bill for, improve, and support Haystack.
- Account data, such as your name, work email address, password hash, email verification status, session data, team membership, and account settings.
- Workspace and business data, such as company name, website, category, description, competitors, prompts, optional LinkedIn profile, copied AI context, onboarding answers, deal size band, and team details.
- Product data, such as audit results, AI scans, answers, citations, source URLs, gaps, page drafts, page update guidance, story angles, journalist matches, pitch drafts, placements, reports, notes, activity events, and related metadata.
- Billing data, such as payment processor customer ID, subscription ID, subscription status, plan, invoices, tax information, and payment status. We do not receive or store full payment card numbers.
- Communications data, such as support emails, feedback, requests, and messages you send to us.
- Technical and usage data, such as IP address, browser, device, approximate location, pages viewed, buttons clicked, referrers, UTM parameters, error logs, security logs, timestamps, and other analytics or diagnostic information.
- Public and third-party data, such as information from your website, public web pages, search results, AI answer engines, publications, source pages, and publicly available journalist or outlet information.
3. Data you should not provide
Haystack is not designed for sensitive personal data or regulated data. Please do not provide health data, financial account numbers, full payment card numbers, government identifiers, precise location data, criminal offence data, children's data, passwords, private keys, trade secrets you are not allowed to disclose, or special-category data unless we have agreed in writing.
We may delete or restrict content that appears sensitive, unlawful, unsafe, abusive, or outside the intended business use of the service.
4. How we use personal data
- To create accounts, authenticate users, manage sessions, and verify email addresses.
- To run audits, generate prompts, scan AI engines, diagnose sources, identify gaps, and create reports.
- To generate page drafts, page update guidance, story angles, journalist matches, pitch drafts, placement attribution, and product recommendations.
- To operate workspaces, team access, plan limits, subscription status, billing, trials, upgrades, downgrades, and cancellations.
- To send transactional emails, such as verification, password reset, billing, security, and product notices.
- To provide support, troubleshoot bugs, prevent abuse, enforce usage limits, secure the service, and detect fraud.
- To understand product usage, measure conversion, improve performance, improve onboarding, and develop new features.
- To create aggregated, anonymised, or de-identified information that does not identify you.
- To comply with law, tax, accounting, sanctions, security, legal process, and regulatory obligations.
5. Automated processing
Haystack uses automated analysis and specialist data-processing providers to deliver core features. This may include processing workspace data, prompts, source text, public website content, onboarding context, competitor information, and related metadata through systems that help us provide audits, scans, source analysis, and generated outputs.
AI outputs are automated, probabilistic, and may be incomplete or inaccurate. We use automated processing to provide audits, scans, scoring, source diagnosis, gap analysis, page drafts, page update guidance, story angles, journalist matching, pitch drafts, and reports. You should review outputs before relying on them, publishing them, or sending them externally.
We do not use your Customer Content to train our own foundation models. Third-party providers may process data according to their own terms, data-processing settings, and retention practices. Do not submit sensitive, confidential, or regulated information unless you are comfortable with it being processed by the service and its providers.
We do not use automated processing to make legal, credit, employment, housing, insurance, health, or similarly significant decisions about you.
6. Legal bases for UK and European users
Where UK or European data protection law applies, we rely on the following legal bases:
- Contract, to provide the service, account, billing, audits, reports, and support.
- Legitimate interests, to secure, improve, analyse, prevent abuse, and operate Haystack.
- Legal obligation, to keep required records and respond to lawful requests.
- Consent, where we ask for consent for optional processing or where law requires it.
7. How we share personal data
We share personal data only as needed for the purposes described in this policy.
- Hosting, infrastructure, and database providers.
- Transactional email providers.
- Payment processors for checkout, subscription, billing, tax, fraud, and payment management.
- AI, search, and data-processing providers needed to run audits, scans, source analysis, and generated outputs.
- Analytics and observability providers that help us measure traffic, product usage, performance, and errors.
- Professional advisers, such as lawyers, accountants, auditors, insurers, and security advisers.
- Authorities, courts, regulators, or third parties where required by law or necessary to protect rights, safety, security, or the service.
- Parties involved in a merger, acquisition, financing, reorganisation, sale of assets, or similar business transaction.
We do not sell personal data. We do not share personal data for cross-context behavioural advertising as those terms are commonly used under US state privacy laws.
8. Aggregated and de-identified data
We may use aggregated, anonymised, or de-identified information for analytics, benchmarking, security, product improvement, research, marketing, and business purposes. We take reasonable steps designed to prevent this information from identifying you or your users.
9. Cookies and analytics
We use essential cookies and similar technologies for authentication, sessions, security, and product functionality. We also use analytics to understand page views, traffic sources, device information, conversion, and product usage. We do not use third-party advertising cookies in the app.
Browser settings, privacy tools, and content blockers may limit cookies or analytics. If you block essential cookies, some parts of Haystack may not work.
10. Retention
We keep personal data for as long as reasonably needed to provide Haystack, maintain accounts, support customers, comply with law, resolve disputes, prevent abuse, enforce agreements, and keep business records.
- Account and workspace data is generally retained while the account or workspace is active.
- Audit, scan, report, source, prompt, and product history may be retained so the service can show trends and attribution over time.
- Billing and transaction records may be retained for tax, accounting, audit, and legal requirements.
- Security logs, analytics, backups, and diagnostic data may remain for a limited period after deletion requests.
- Email verification and password reset tokens expire and may be deleted or invalidated after use.
If you ask us to delete data, we will take reasonable steps to delete or anonymise it unless we need to retain it for legal, security, billing, dispute, backup, or legitimate business reasons.
Deleted data may remain in backups, logs, caches, and archives for a limited period before being overwritten or removed according to our normal retention processes.
11. Security
We use reasonable technical and organisational measures designed to protect personal data, including access controls, environment-variable secrets, hashed passwords, session controls, provider security features, and operational monitoring. No internet service is perfectly secure, and we cannot guarantee that unauthorised access, loss, misuse, or interruption will never occur.
If we become aware of a security incident affecting personal data, we will take reasonable steps to investigate, contain, and respond to it, and we will notify affected users or authorities where required by law.
12. International transfers
Haystack and its providers may process personal data in the United Kingdom, European Economic Area, United States, and other countries. Where required, we rely on appropriate safeguards, such as contractual protections, provider transfer mechanisms, and other measures recognised by applicable law.
13. Your rights
Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to processing of personal data, and to withdraw consent where processing is based on consent. You may also have the right to complain to a data protection authority, such as the UK Information Commissioner's Office.
California and other US state residents may have additional rights to know, access, correct, delete, and opt out of certain uses of personal information. We do not sell personal data or share it for cross-context behavioural advertising.
To make a request, contact info@sirca.io. We may need to verify your identity and may decline or limit requests where allowed by law.
14. Business customer responsibilities
If you provide personal data about teammates, competitors, journalists, customers, prospects, contractors, or other people, you are responsible for making sure you have the right to do so and for providing any required notices or obtaining any required consents. You are responsible for your own outreach, contact lists, email compliance, claims, and use of Haystack outputs.
15. Children
Haystack is not intended for children or anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us and we will take appropriate steps.
16. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify you, such as posting the updated policy, sending an email, or showing an in-product notice. The updated policy applies from the date shown above unless stated otherwise.
17. Contact
Questions or requests about privacy can be sent to info@sirca.io. The terms that govern use of the service are available in our Terms of Service.