Legal

Privacy Policy

Last updated: June 12, 2026

Overview

Sentinel ("we," "our," or "us") builds audit and accountability tooling for AI agents. This policy explains what data we collect when you use Sentinel, why we collect it, and how we protect it.

We do not sell your data. We do not use your agent event data to train models. The audit trail you generate belongs to you.

Data we collect

Account data. When you sign up, we collect your email address and, if provided, your name and company. This is managed through Clerk and used solely for authentication and account management.

Agent event data. When your AI agents are instrumented with the Sentinel SDK, we store the event payloads you send — agent ID, action type, timestamps, duration, and any metadata you include. Sentinel automatically strips fields named prompt, completion, content, messages, and text from the top level of input and output payloads before storage.

Usage data. We log standard server-side request metadata (timestamps, response codes, latency) for reliability monitoring. We do not use third-party analytics scripts on the dashboard.

API keys. API keys are stored as SHA-256 hashes. We cannot recover a plaintext key after it is issued — if you lose it, you must rotate it.

How we use your data

We use the data we collect to:

  • Provide and operate the Sentinel service
  • Maintain the cryptographic chain integrity of your audit log
  • Generate PDF audit reports on request
  • Send transactional emails (account creation, API key rotation)
  • Diagnose errors and improve reliability

We do not use your agent event data for advertising, model training, or benchmarking.

Data retention

Event data is retained for as long as your account is active. You can request deletion of your account and all associated event data at any time by emailing hello@usesentinel.dev.

Because Sentinel's audit log is cryptographically chained, individual records cannot be selectively deleted — deletion removes the full account data set. This is by design: selective deletion would break the tamper-evident chain.

Data sharing

We share your data with the following sub-processors to operate the service:

Vendor    Purpose                   Location
Supabase  Database (event storage)  US (AWS us-east-2)
Clerk     Authentication            US
Railway   API hosting               US
Vercel    Dashboard hosting         US / Edge
Upstash   Queue (Redis)             US

We do not sell or rent your data to third parties for any purpose.

Security

All data is transmitted over TLS. Event data is stored in a dedicated Supabase project with row-level security enforced — your events are only accessible with your API key or through your authenticated dashboard session.

API keys are hashed on receipt using SHA-256. The plaintext key is never stored. The chain hash on each event is computed server-side and cannot be modified after write.

Your rights

You have the right to access, correct, or delete the personal data we hold about you. To exercise these rights, email hello@usesentinel.dev. We will respond within 30 days.

If you are located in the European Economic Area, you have additional rights under the GDPR, including the right to data portability and the right to lodge a complaint with a supervisory authority.

Cookies

Sentinel uses session cookies for authentication (managed by Clerk). We do not use tracking cookies, advertising cookies, or third-party analytics. The dashboard does not load any scripts from advertising networks.

Changes to this policy

If we make material changes to this policy, we will notify you by email at least 14 days before the changes take effect. The "last updated" date at the top of this page reflects the current version.

Contact

Questions about this policy? Email us at hello@usesentinel.dev.