Privacy Policy — SentrAI

SentrAI (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect information when you use our website security intelligence platform at sentrai.co.uk (the “Service”).

1. Data Controller

SentrAI is the data controller for personal data processed through the Service. Contact us at: hello@sentrai.co.uk

2. What Data We Collect

Account data

When you create an account: name, email address, and authentication credentials (managed by Clerk).

Scan data

Domain names you submit for scanning, scan results, risk scores, findings, and AI-generated summaries. Scans only analyse publicly available information (DNS records, HTTP headers, SSL certificates, publicly loaded scripts).

Lead data

If you provide your email to unlock scan findings: email address, domain scanned, and consent record.

Billing data

Payment information is processed by Stripe. We store your Stripe customer ID and subscription status but never your card details.

Usage data

IP addresses, browser user agent, pages visited, and actions taken (stored in audit logs for security purposes).

3. How We Use Your Data

We process your data for the following purposes and lawful bases:

Providing the Service (contract performance): running scans, generating reports, managing your account
Billing (contract performance): processing payments via Stripe
Security monitoring (contract performance): automated re-scans for subscribed websites
Communications (consent): sending scan reports and security alerts to your email
Security and fraud prevention (legitimate interest): audit logging, abuse detection
Service improvement (legitimate interest): aggregated, anonymised analytics

4. Data Sharing

We share data with the following sub-processors to operate the Service:

Vercel (US) — hosting and serverless functions
Neon (US) — PostgreSQL database
Clerk (US) — authentication
Stripe (US) — payment processing
Resend (US) — transactional email delivery
Anthropic (US) — AI-powered finding interpretation

These transfers to the United States are protected by Standard Contractual Clauses (SCCs) and, where applicable, the UK Extension to the EU-US Data Privacy Framework.

We do not sell your personal data to third parties.

5. Data Retention

Account data: retained while your account is active, deleted within 30 days of account deletion
Scan data: retained for the duration of your subscription plus 90 days
Lead data: retained for 12 months from collection, then deleted unless you become a customer
Audit logs: retained for 12 months for security purposes
Shared report links: expire after 30 days

6. Your Rights

Under UK GDPR, you have the right to:

Access your personal data
Rectify inaccurate data
Erase your data (“right to be forgotten”)
Restrict processing
Data portability — receive your data in a structured format
Object to processing based on legitimate interest
Withdraw consent at any time for consent-based processing

To exercise any of these rights, email hello@sentrai.co.uk. We will respond within 30 days.

7. Cookies

We use strictly necessary cookies for authentication. Third-party services (Calendly) are only loaded after you consent via our cookie banner. See our Cookie Policy for details.

8. Automated Decision-Making

Our Service uses AI (Anthropic Claude) to interpret scan findings and generate risk scores. These scores are advisory only and do not have legal or similarly significant effects. The underlying scan data and evidence are always provided alongside AI-generated interpretations.

9. Security

We implement appropriate technical measures including encryption in transit (TLS), encrypted database connections, role-based access controls, and audit logging. Scans are passive and non-intrusive — we never attempt to exploit vulnerabilities.

10. Complaints

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

11. Changes to This Policy

We may update this policy from time to time. We will notify registered users by email of any material changes. The “last updated” date at the top indicates the most recent revision.