Privacy Policy
Last updated: 20 May 2026
SentrAI (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect information when you use our website security intelligence platform at sentrai.co.uk (the “Service”).
1. Data Controller
SentrAI is the data controller for personal data processed through the Service. Registered address: SentrAI, 71-75 Shelton Street, London, WC2H 9JQ. Contact us at: hello@sentrai.co.uk.
We do not currently have a Data Protection Officer (DPO) appointed. For all data protection enquiries, please contact hello@sentrai.co.uk.
2. What Data We Collect
Account data
When you create an account: name, email address, and authentication credentials (managed by Clerk).
Scan data
Domain names you submit for scanning, scan results, risk scores, findings, and AI-generated summaries. Scans only analyse publicly available information (DNS records, HTTP headers, SSL certificates, publicly loaded scripts).
Lead data
If you provide your email to unlock scan findings: email address, domain scanned, and consent record.
Outreach data (Article 14 — data not obtained directly from you)
We may scan publicly accessible websites and collect publicly available contact information for the purpose of sending B2B security assessment reports. Specifically, we may collect:
- Business contact email addresses displayed on public websites
- Company names, registered addresses, SIC codes, and director details from the Companies House register
- Domain names and publicly accessible technical information (DNS records, HTTP headers, SSL certificates)
- Industry sector and company size estimates derived from public records
The lawful basis for this processing is legitimate interest (Article 6(1)(f) UK GDPR) — we have a documented Legitimate Interest Assessment available on request. You have the right to object to this processing at any time by contacting us at hello@sentrai.co.uk or using the unsubscribe link in any communication. Unsubscribe records are retained permanently to ensure we honour your opt-out preference.
Billing data
Payment information is processed by Stripe. We store your Stripe customer ID and subscription status but never your card details.
Usage data
IP addresses, browser user agent, pages visited, and actions taken (stored in audit logs for security purposes).
3. How We Use Your Data
We process your data for the following purposes and lawful bases:
- Providing the Service (contract performance): running scans, generating reports, managing your account
- Billing (contract performance): processing payments via Stripe
- Security monitoring (contract performance): automated re-scans for subscribed websites
- Communications (consent): sending scan reports and security alerts to your email
- Security and fraud prevention (legitimate interest): audit logging, abuse detection
- Service improvement (legitimate interest): aggregated, anonymised analytics
4. Data Sharing
We share data with the following sub-processors to operate the Service:
- Vercel (US) — hosting and serverless functions
- Neon (US) — PostgreSQL database
- Clerk (US) — authentication
- Stripe (US) — payment processing
- Resend (US) — transactional email delivery
- Anthropic (US) — AI-powered finding interpretation
- Upstash (US) — rate limiting and distributed caching (Redis)
- Cloudflare (US/Global) — bot protection (Turnstile CAPTCHA)
- Sentry (US) — error monitoring and performance tracking
- Plausible (EU) — privacy-first website analytics (no cookies, no personal data stored)
Most of our sub-processors are based in the United States. Transfers are protected by Standard Contractual Clauses (SCCs) and, where applicable, the UK Extension to the EU-US Data Privacy Framework. Your data is not exclusively stored in the EU.
We do not sell your personal data to third parties.
5. Data Retention
- Account data: retained while your account is active, deleted within 30 days of account deletion
- Scan data: retained for the duration of your subscription plus 90 days
- Lead data: retained for 12 months from collection, then deleted unless you become a customer
- Audit logs: retained for 12 months for security purposes
- Shared report links: expire after 30 days
- Outreach data: retained for 6 months after the outreach sequence completes, then deleted. Unsubscribe records are retained permanently to prevent re-contact.
6. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data (“right to be forgotten”)
- Restrict processing
- Data portability — receive your data in a structured format
- Object to processing based on legitimate interest
- Withdraw consent at any time for consent-based processing
To exercise any of these rights, email hello@sentrai.co.uk. We will respond within 30 days.
7. Cookies
We use strictly necessary cookies for authentication. Third-party services (Calendly) are only loaded after you consent via our cookie banner. See our Cookie Policy for details.
8. Automated Decision-Making
Our Service uses AI (Anthropic Claude) to interpret scan findings and generate risk scores. These scores are advisory only and do not have legal or similarly significant effects. The underlying scan data and evidence are always provided alongside AI-generated interpretations.
9. Security
We implement appropriate technical measures including encryption in transit (TLS), encrypted database connections, role-based access controls, and audit logging. Scans are passive and non-intrusive — we never attempt to exploit vulnerabilities.
10. Complaints
If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
11. Changes to This Policy
We may update this policy from time to time. We will notify registered users by email of any material changes. The “last updated” date at the top indicates the most recent revision.