Privacy Policy

Last updated: April 11, 2026

This policy describes how DiffiWeb collects, uses, and protects your personal information. We are committed to transparency and your right to privacy.

1. Introduction

DiffiWeb ("we", "our", or "us") operates the website diffiweb.com and provides an agentic intelligence platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access or use our Service.

Please read this policy carefully. By using DiffiWeb you agree to the practices described here. If you do not agree, please discontinue use of the Service.

2. Information We Collect

Account Information

When you register, we collect your email address and a hashed version of your password. We never store your password in plain text. We do not collect your full name, phone number, or payment details unless explicitly required for a feature.

Usage Data

We automatically collect information about how you interact with the Service, including: pages visited, features used, agent run configurations (target URLs and queries), items extracted and saved, and timestamps of activity. This data is associated with your user account.

Intelligence Data You Create

When you run agents, the extracted data (tender records, stock signals, research papers, vulnerability findings, etc.) is stored in our vector database under your unique user ID. This data is fully isolated — no other user can view or query it.

Cookies & Session Tokens

We use a single HTTP-only session cookie ("auth_session") to keep you logged in. This cookie is encrypted, scoped to diffiweb.com, and expires after 7 days of inactivity. We do not use third-party advertising cookies.

Analytics

We use Vercel Speed Insights (a first-party analytics tool) to collect aggregated, anonymised performance metrics. No personally identifiable information is sent to Vercel via this tool.

3. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Service — authenticate your session, run intelligence agents on your behalf, store and retrieve your extracted data.
  • Improve the Service — analyse aggregated usage patterns to identify bugs, optimise agent performance, and develop new features.
  • Communicate with you — send password reset emails and, where you have opted in, product update notifications.
  • Security and fraud prevention — detect and prevent unauthorised access, abuse, and violations of our Terms of Service.
  • Legal compliance — fulfil our obligations under applicable law.

We do not sell your personal data to third parties. We do not use your data to train AI models without your explicit consent.

4. Data Storage & Security

Storage Infrastructure

All user data is stored in:

  • Upstash Redis — session tokens, watchlist data, and key-value cache. Data is encrypted at rest and in transit.
  • Upstash Vector — intelligence items extracted by your agents, indexed by semantic embedding for search. Data is partitioned by user ID.

Both services are SOC 2 compliant and host data in secure cloud infrastructure.

Retention

Account data is retained as long as your account is active. Intelligence items in your Vault are retained indefinitely until you delete them or close your account. Session tokens expire after 7 days of inactivity.

Security Measures

We implement the following security controls:

  • HTTP-only, Secure cookies with CSRF synchronisation tokens
  • HTTPS enforced across all routes (HSTS with 1-year max-age)
  • Content Security Policy (CSP) headers on all responses
  • SSRF protection on all agent stream endpoints
  • X-Frame-Options and X-Content-Type-Options headers
  • All API endpoints require authentication where applicable

Despite these measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

5. Third-Party Services

DiffiWeb integrates with the following third-party services to operate the platform:

Service, purpose, and data shared:

  • Upstash — Vector database and Redis cache. Data shared: user ID, extracted intelligence data.
  • Vercel — Hosting and edge deployment. Data shared: server logs, anonymised analytics.
  • Resend — Transactional email delivery. Data shared: email address (for password resets only).
  • Yahoo Finance API — Real-time stock quote data. Data shared: no personal data sent.

Each of these providers has their own privacy policy and security practices. We encourage you to review them if you have concerns about data handling.

DiffiWeb agents may visit third-party websites on your behalf to extract publicly available information. We do not share your personal information with the websites our agents visit.

6. Cookies

We use a minimal cookie policy:

Strictly Necessary Cookies

  • auth_session — HTTP-only session cookie. Required to keep you authenticated. Cannot be disabled while using the Service.
  • csrf_token — CSRF protection token. Synced with a request header to prevent cross-site request forgery.

Analytics

• Vercel Speed Insights uses a privacy-preserving, cookieless analytics approach. No tracking cookies are set by this tool.

We do not use advertising cookies, retargeting pixels, or third-party tracking scripts. You can disable non-essential cookies in your browser settings without losing Service functionality, as we do not set any non-essential cookies.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you.
  • Correction — Request correction of inaccurate personal data.
  • Deletion — Request deletion of your account and all associated data. Note: intelligence items in The Vault can be deleted at any time from within the dashboard.
  • Data Portability — Request an export of your intelligence data in a structured format.
  • Withdraw Consent — Where processing is based on consent, you may withdraw it at any time.
  • Objection — Object to processing of your personal data for certain purposes.

To exercise any of these rights, email us at swapwarick@diffiweb.com. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

GDPR (EU/EEA Users): We process personal data on the legal basis of contract performance (operating the Service for registered users) and legitimate interests (security and fraud prevention).

CCPA (California Residents): You have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.

8. Children's Privacy

DiffiWeb is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at swapwarick@diffiweb.com and we will delete the information promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify registered users by email.

Your continued use of the Service after any changes constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

10. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: swapwarick@diffiweb.com
Support: swapwarick@diffiweb.com
Website: https://www.diffiweb.com

We aim to respond to all privacy-related enquiries within 5 business days.

Questions about your privacy?

We are happy to clarify anything in this policy or assist with data requests.

swapwarick@diffiweb.com