Privacy Policy
How Sentinelle collects, uses, shares and protects personal information when you visit our website, create an account, or use the Service. We aim for clarity, restraint and zero surprises.
Introduction
This Privacy Policy describes how Sentinelle Labs ("Sentinelle", "we", "us") processes personal information when you visit our website, create an account, or use the Sentinelle platform, agent and APIs (collectively, the "Service").
We are the data controller for the personal information we process about visitors to our website and individual users of the Service. Where the Service is used by an organisation, that organisation is typically the controller of the data submitted through the Service, and we act as a processor on its behalf.
Information We Collect
Account information
When you sign up, we collect identifiers such as your name, work email, organisation, role and password (stored as a salted hash).
Mission and target information
To run a mission, you provide scope information (domains, IP ranges, URLs, credentials, rules of engagement). We process this information to plan, execute and report on the mission you authorised.
Findings and outputs
The Service generates findings, evidence captures, agent thinking traces, terminal output and reports about your scoped targets. We store these securely so you can review, export and act on them.
Mission forensic snapshot
Each time you launch a mission, we capture the source network address, the approximate country, the user-agent string of the client used, the target as you declared it, the public name resolution observed at that instant, and the verbatim text of the authorisation you attested to (with its timestamp). Every action the agent takes on your behalf during the mission is appended to a per-mission, tamper-evident chain of records. This is the “forensic snapshot” described in the Terms of Service.
Usage and device data
We automatically collect log data when you use the Service, including IP address, browser type, device identifiers, pages visited, features used, performance metrics and crash diagnostics.
Billing information
If you subscribe to a paid plan, we collect billing details through our payment processor. We do not store full card numbers on our infrastructure.
How We Use Your Information
We use personal information to:
- provide, operate, secure and improve the Service;
- authenticate users and prevent fraud, abuse and unauthorised access;
- execute the missions you authorise and produce findings, evidence and reports;
- communicate with you about your account, billing, support, security and product updates;
- monitor and analyse trends, usage and effectiveness of the Service;
- comply with legal obligations and enforce our Terms of Service.
We do not sell personal information, and we do not use Customer Data submitted through the Service to train foundation models that are made available to other customers.
Legal Bases (EEA / UK)
If you are based in the European Economic Area or the United Kingdom, we process personal information on the following legal bases:
- performance of a contract — to provide the Service you or your organisation contracted for;
- legitimate interests — to secure the Service, prevent abuse, develop new features, and run our business, balanced against your rights;
- compliance with a legal obligation — where we are required to retain or disclose information;
- consent — where we ask for it (for example, optional marketing communications), which you may withdraw at any time.
International Data Transfers
Personal information may be processed in countries other than the one in which you reside. Where transfers occur to a country that has not been recognised by the relevant authority as offering an adequate level of data protection, we rely on appropriate safeguards — such as standard contractual clauses or equivalent mechanisms — supplemented by the technical and organisational measures described in our security documentation.
Where offered in your Order or enterprise plan, you may select a supported data-hosting region for mission data and findings. Even where a regional option is selected, limited account, billing, telemetry, support or security-response data may be processed in other locations as necessary to operate, secure and support the Service.
Data Retention
We retain personal information only as long as necessary for the purposes set out in this Policy. Account data is retained while your account is active and for a reasonable period afterwards to support reactivation, dispute resolution or legal obligations.
Mission data, findings and evidence are retained for the term of the subscription and then for the export window set out in the Terms of Service. After that, they are deleted or anonymised in accordance with our retention schedule.
The mission forensic snapshot and the platform-wide security event log are retained for the period required by applicable law and by our anti-abuse, security-incident and provider-disclosure obligations. When you delete your account (or when we delete it for breach), we erase the personal information that identifies you — your email, display name, profile fields and billing details — in line with this Policy. The forensic snapshot and the security event log are not erased: the link between those records and your personal identity is broken (we replace the identifier with a one-way pseudonym), but the records themselves remain so we can still answer abuse complaints, regulator queries and law-enforcement requests concerning a mission you launched before deletion. We may also rely on these records to defend or prosecute claims in connection with that activity.
Security
We use technical and organisational measures designed to protect personal information against unauthorised access, alteration, disclosure or destruction. These include encryption in transit and at rest, role-based access controls, audit logging, segregation of duties, vendor due diligence and security awareness training.
We maintain internal vulnerability-management and incident-response processes for the Service. Reported or discovered platform vulnerabilities are triaged according to severity, with critical issues prioritised for urgent containment and remediation under our security operations procedures.
Where required by law or where we determine it is appropriate under the circumstances, we will notify affected customers of confirmed security incidents involving personal information in accordance with our contractual and regulatory obligations.
No security control is perfect. If you believe your account or data has been compromised, please contact us immediately at security@sentinelle.ai.
Your Rights
Depending on where you live, you may have the right to access, correct, delete, export, restrict or object to our processing of your personal information, and to withdraw consent where processing is based on consent.
You can exercise most of these rights from your account settings. Otherwise, write to privacy@sentinelle.ai. We respond within the timelines set by applicable law (typically one month under the GDPR).
Your right to erasure is not absolute. Where we are required to retain certain records to comply with a legal obligation, to defend or prosecute a legal claim, or to investigate misuse of the Service, we may keep those records — pseudonymised where appropriate — for the period strictly necessary to meet that obligation. The mission forensic snapshot and the security event log described in this Policy fall in that category.
You also have the right to lodge a complaint with the supervisory authority for data protection in your country.
Children's Privacy
The Service is not directed to children under sixteen (16). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@sentinelle.ai and we will delete it.
Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you by email or through the Service before the changes take effect. The current version is always available on this page, with the effective date shown above.
Contact
For questions about this Policy or to exercise your rights, write to privacy@sentinelle.ai.