S
Sentinel

Privacy Policy

Last updated: March 2, 2026

1. Information We Collect

We collect the following types of information:

  • Account Information: Email address, name, profile photo (if provided via OAuth), and authentication credentials when you create an account
  • Smart Contract Code: Code you submit for analysis (see Section 4 for our handling practices)
  • Usage Data: Pages visited, features used, scan frequency, API usage patterns, and audit history
  • Payment Information: Processed securely by Stripe — we never store your card details or payment information
  • Device Information: Browser type, IP address, device identifiers, and geolocation data for security and fraud prevention
  • Communications: Support tickets, feedback, and any correspondence you send to us

2. How We Use Your Information

We use your information for the following purposes:

  • Provide, operate, and improve the audit service and user experience
  • Process payments, manage subscriptions, and handle billing inquiries
  • Send transactional emails (receipts, alerts, security notices, service updates)
  • Detect and prevent abuse, fraud, and unauthorized access
  • Improve our AI models and vulnerability detection capabilities (using anonymized data only)
  • Provide customer support and respond to your inquiries
  • Comply with legal obligations and respond to lawful requests
  • Conduct research and analytics to improve our services

3. International Data Transfers

Our services are hosted in the United States. If you are located outside the US, please be aware that information you provide to us will be transferred to and processed in the United States. By using our Service, you consent to this transfer. We implement appropriate safeguards to protect your data in accordance with applicable data protection laws.

4. Smart Contract Code Handling

Your code is yours. We take this seriously:

  • Code submitted for analysis is processed in memory and not permanently stored on our servers for free-tier scans
  • Pro and Enterprise users may opt into saving audit history for their own reference and access
  • We do not share, sell, publish, or use your submitted code for any purpose other than providing the analysis service
  • Code is transmitted using end-to-end encryption and processed in secure environments
  • Anonymized, aggregate vulnerability patterns (without any identifiable code snippets) may be used to improve detection accuracy
  • You retain all intellectual property rights in your submitted code

5. Children's Privacy (COPPA Compliance)

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and you learn that your child has provided us with personal information, please contact us. If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information.

6. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to Know: Request information about the personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information, but you may opt out of certain data sharing
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at privacy@sentinel.sh

7. GDPR Compliance (EU Users)

If you are in the European Union, you have rights under the General Data Protection Regulation:

  • Lawful Basis: We process your data based on contract performance, legitimate interests, or consent
  • Data Portability: Request your data in a machine-readable format
  • Right to Rectification: Correct inaccurate personal information
  • Right to Erasure: Request deletion of your personal data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Restrict: Limit how we process your data

You may also file a complaint with your local data protection authority.

8. Data Sharing and Third Parties

We do not sell your personal information. We may share data with:

  • Payment Processors: Stripe for secure payment processing
  • Cloud Infrastructure: Railway, Vercel, and other hosting providers for service operation
  • Analytics Services: Privacy-focused analytics tools to understand service usage
  • Law Enforcement: If required by law, court order, or to protect our rights and safety
  • Business Transfers: In case of merger, acquisition, or sale of assets (with notice to users)
  • Service Providers: Third parties who assist in operating our business (under strict confidentiality agreements)

9. Data Breach Notification

In the event of a data breach that poses a risk to your personal information, we will notify affected users within 72 hours of discovering the breach. Notifications will include details about the breach, potential impact, and steps we are taking to address it. We will also notify relevant authorities as required by applicable law.

10. Automated Decision Making

Our AI-powered analysis system makes automated decisions about vulnerability detection in submitted code. These decisions are based solely on technical analysis patterns and do not affect your legal rights or have significant impact beyond the scope of security analysis. You may request human review of any analysis results.

11. Cookie Policy

We use the following types of cookies:

  • Essential Cookies: Required for authentication, session management, and core functionality
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how you use our service (with your consent)

You can manage cookie preferences in your browser settings. Disabling essential cookies may limit service functionality.

12. Data Sub-processors

We work with the following categories of sub-processors to provide our service:

  • Cloud Hosting: Railway (cloud infrastructure), Vercel (frontend hosting)
  • Payment Processing: Stripe (payment processing and subscription management)
  • Authentication: NextAuth.js providers (Google, GitHub for OAuth)
  • Communication: Email service providers for transactional messages

All sub-processors are bound by appropriate data processing agreements and security standards.

13. Data Security Measures

We implement comprehensive security measures to protect your data:

  • End-to-end encryption for data in transit using TLS 1.3
  • Encryption at rest for stored data using industry-standard algorithms
  • Multi-factor authentication for administrative access
  • Regular security audits and penetration testing
  • Access controls and principle of least privilege
  • Automated monitoring and incident response procedures
  • Employee security training and background checks

14. Data Retention Policies

We retain your information as follows:

  • Account Data: Retained while your account is active and for 30 days after deletion
  • Audit History: Retained for 12 months for paid users, immediately deleted for free users
  • Payment Records: Retained for 7 years as required by financial regulations
  • Support Communications: Retained for 2 years for quality assurance
  • Analytics Data: Aggregated and anonymized data may be retained indefinitely

15. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data (subject to legal obligations)
  • Portability: Export your data in a machine-readable format
  • Opt-out: Unsubscribe from non-essential communications
  • Consent Withdrawal: Withdraw consent where processing is based on consent

To exercise these rights, contact us at privacy@sentinel.sh with your request and account information.

16. Privacy Shield and Cross-Border Transfers

While Privacy Shield is no longer active, we continue to implement appropriate safeguards for international data transfers including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable. We regularly review and update our transfer mechanisms to ensure compliance with evolving regulations.

17. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. Significant changes will be communicated via:

  • Email notification to registered users
  • Prominent notice on our website
  • In-app notifications for material changes

Continued use of our service after notice of changes constitutes acceptance of the updated policy.

18. Contact Information

For privacy-related questions, data requests, or concerns, contact us at:

We will respond to privacy requests within 30 days (or as required by applicable law).