Privacy Policy

Last updated: 9 March 2026

1. Who We Are

Sentinel Agents (“we”, “us”, “our”) operates the Sentinel prompt injection defence service. We are based in the United Kingdom. For data protection purposes, we are the data controller. You can reach us at support@sentinel-agents.com.

2. What Data We Collect

We collect the minimum data necessary to provide the Service:

Account data

When you subscribe, we collect your email address and billing information. Payment is processed by Stripe — we do not store your full card number, CVV, or bank details. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.

Licence verification

When the Sentinel software verifies your licence key, it sends the key to our API for validation. No content, filenames, or scan results are transmitted during verification.

Optional telemetry

If telemetry is enabled (the default), Sentinel sends anonymous usage statistics: scan counts by file type, threat detection counts by category, tool call counts, and plugin version. We never collect file contents, filenames, prompts, conversation history, IP addresses, or personal data through telemetry. You can disable telemetry at any time by setting SENTINEL_SHARE_LOGS=false.

Email communications

We use Resend to send transactional emails (purchase confirmations, licence keys). Your email address is stored in our Supabase database (hosted in the EU) for account management and support purposes.

3. What We Do Not Collect

Sentinel runs entirely on your infrastructure. The scanning engine never sends your data to us. We do not collect:

  • File contents, documents, or scanned text
  • System prompts or AI conversation history
  • Filenames or file paths
  • IP addresses (beyond what Stripe and infrastructure providers log)
  • API keys, credentials, or secrets
  • Browsing behaviour or tracking across third-party sites

4. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

  • Contract performance — processing your email and payment data to deliver the Service you subscribed to
  • Legitimate interests — anonymous telemetry to improve detection quality (you can opt out at any time)
  • Legal obligation — retaining transaction records as required by UK tax law

5. How We Store Your Data

Account data (email, licence key, subscription status) is stored in Supabase, hosted in the EU (Frankfurt). Data is encrypted at rest and in transit.

Payment data is processed and stored by Stripe under their PCI-DSS compliant infrastructure. We only store a Stripe customer ID and subscription ID for reference.

6. Data Retention

  • Account data — retained while your subscription is active, plus 90 days after cancellation to allow reactivation
  • Transaction records — retained for 7 years as required by UK tax regulations
  • Telemetry data — aggregated and anonymised; raw telemetry is deleted after 90 days
  • Support emails — retained for 2 years for quality and continuity purposes

7. Your Rights

Under GDPR and UK data protection law, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct any inaccurate personal data
  • Erasure — request deletion of your personal data (subject to legal retention requirements)
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, email support@sentinel-agents.com. We will respond within 30 days.

8. Cookies

We use one functional cookie:

CookiePurposeDuration
sentinel-regionStores your detected region (UK/international) to display the correct currency on the pricing pageSession

We do not use analytics cookies, advertising cookies, or third-party tracking cookies.

9. Third-Party Services

We use the following third-party services:

  • Stripe — payment processing (PCI-DSS compliant, US/EU)
  • Supabase — database and authentication (EU, Frankfurt)
  • Resend — transactional email delivery
  • Vercel — website hosting

Each provider processes data in accordance with their own privacy policies. We have selected providers that offer EU data residency or equivalent protections where possible.

10. International Transfers

Your account data is stored in the EU (Supabase, Frankfurt). Payment processing via Stripe may involve transfers to the US under Stripe's Data Processing Agreement and Standard Contractual Clauses. We do not transfer personal data to countries without adequate protection except through approved mechanisms (SCCs, adequacy decisions).

11. Children

The Service is not directed at individuals under 18. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email. The “last updated” date at the top of this page indicates when the policy was last revised.

13. Contact and Complaints

For privacy-related questions or to exercise your rights, contact us at support@sentinel-agents.com.

If you are unsatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.