Legal

Privacy Policy

Last updated: April 2026

Document available in English

Sentinellis's legal documents are currently available only in English. The English version is the authoritative reference.

Questions? contact@sentinellis.com

Summary

We take privacy seriously. This page explains exactly what data we collect, why, where it's stored, who we share it with (spoiler: the absolute minimum), and how you can get it back or delete it. Questions? Email contact@sentinellis.com.

1. Data controller

Sentinellis is operated by a Romanian limited liability company (SRL). We are the "data controller" under the EU General Data Protection Regulation (GDPR) for any personal data you provide through this website or app. For data protection matters, contact us at contact@sentinellis.com.

2. What data we collect

  • Account data — email address, hashed password (bcrypt), account tier, account creation date. Required to give you access.
  • Sign-in identifiers — if you sign in with Google, we receive your email address and a stable Google user ID. We do not receive your Google password, contacts, or any other Google data.
  • Report data — companies you've analyzed, timestamps, quota usage, and the generated reports themselves. Needed to show your history and enforce plan quotas.
  • Payment data — processed by Stripe. We store your Stripe customer ID and subscription status; we never see or store your card number, CVC, or full card details.
  • Technical data — IP address, user agent, browser type, device info. Collected in short-lived logs for security, fraud prevention, and debugging.
  • Usage analytics — anonymous or pseudonymous metrics (pages visited, actions taken) when analytics are enabled. We use privacy-friendly tools that do not set tracking cookies.
  • Support correspondence — emails you send to us (contact@sentinellis.com) and any attachments.

3. Legal basis for processing (GDPR Art. 6)

  • Contract (Art. 6(1)(b)) — account data, report data, payment data. We need these to provide the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)) — technical data, abuse prevention, server logs.
  • Consent (Art. 6(1)(a)) — analytics cookies (where applicable), marketing emails beyond transactional.
  • Legal obligation (Art. 6(1)(c)) — invoices and tax records (kept for 5 years under Romanian law).

4. How we use your data

  • To deliver the service (run reports, show history, enforce quotas).
  • To process payments and send invoices via Stripe.
  • To send transactional emails (verification, password reset, payment receipts).
  • To notify you about material changes to the service or to this policy.
  • To prevent abuse, fraud, and unauthorized access.
  • To improve the product (aggregated, non-identifying analytics).

We do not sell your personal data. We do not use your data to train AI models. We do not run behavioural ads.

5. Sub-processors and third parties

We rely on a small set of vetted service providers to run the product. All have signed Data Processing Agreements (DPAs) with us and process data only on our instructions.

Provider | Purpose | Location
Railway | Backend hosting, PostgreSQL database | EU / US
Vercel | Frontend hosting, CDN | Global CDN / US
Stripe | Payment processing, subscriptions | EU / US
Brevo (Sendinblue) | Transactional email (verification, password reset, drip) | EU (France)
Twilio | WhatsApp report delivery (opt-in only) | EU / US
PostHog | Product analytics (consent-gated, no PII) | EU / US
Anthropic | Claude API — generates the report text from public data | US
Google (OAuth) | Sign-in with Google (optional) | US / EU
Sentry | Error tracking (no PII sent) | EU (Germany)
Cloudflare R2 | Encrypted database backups (off-Railway DR) | EU (Eastern Europe)
Cloudflare Turnstile | CAPTCHA (login / register) | Global

Data sources for the analysis itself (Yahoo Finance, NewsData.io, GDELT, Google News, SEC EDGAR) receive the company name you typed — not your personal information.

The full sub-processors list, with signed DPAs and our notification commitment, lives at /sub-processors.

6. International transfers

Some sub-processors (Anthropic, Stripe, Cloudflare) are based in the United States. When personal data is transferred outside the European Economic Area, we rely on the legal mechanisms approved by the European Commission:

  • EU-US Data Privacy Framework — for providers certified under the Framework.
  • Standard Contractual Clauses (SCCs) — for providers that are not, in combination with supplementary measures.

Email us if you want to see a copy of a specific DPA or SCC.

7. Data retention

  • Account data — kept while your account is active; deleted within 30 days of account closure.
  • Reports — kept while your account is active; deleted with the account.
  • Payment records and invoices — kept for 5 years under Romanian tax law, even after account deletion.
  • Server logs — rotated and anonymized within 30 days.
  • Waitlist emails — kept until you unsubscribe; one-click unsubscribe in every email.
  • Support correspondence — kept for 2 years then archived or deleted.

8. Your rights (GDPR Arts. 15–22)

If you are in the EU, UK, or EEA, you have the following rights:

  • Access — get a copy of the data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — delete your account and associated data.
  • Portability — receive your data in a machine-readable format.
  • Restriction — pause our processing while a dispute is resolved.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — at any time, for processing based on consent.
  • Not be subject to automated decisions — we do not make automated decisions with legal effects on you.

To exercise any of these rights, email contact@sentinellis.com. We respond within 30 days (this may be extended by up to 60 days for complex requests, with notice).

You also have the right to lodge a complaint with your local data protection authority. In Romania, this is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP).

9. Cookies and analytics

We use essential cookies for session management (keeping you signed in) and, where enabled, privacy-friendly analytics that do not set tracking cookies or profile you. If we ever add non-essential cookies, we will ask for your consent via the cookie banner first.

10. Security

  • Passwords are hashed with bcrypt, never stored in plain text.
  • All traffic is encrypted in transit via HTTPS (TLS 1.2+).
  • Databases are encrypted at rest by our hosting providers.
  • Access to production data is limited to founders and gated by MFA where supported.
  • We use rate limiting, timing-attack-resistant authentication, and monitor for abnormal activity.

No system is perfectly secure. If you discover a vulnerability, please report it to contact@sentinellis.com — responsible disclosure is appreciated.

11. Children

Sentinellis is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has given us their data, contact us and we will delete it.

12. Changes to this policy

We may update this policy as our product evolves or regulations change. Material changes will be announced at the top of this page ("Last updated") and, where appropriate, emailed to registered users. Continued use after a change constitutes acceptance.

13. Contact

Privacy questions, data requests, or security reports: contact@sentinellis.com

Sentinellis is operated by a Romanian limited liability company (SRL). This policy was drafted internally and is not a substitute for legal advice tailored to your situation.