Last updated: March 29, 2026

Privacy Policy

SentriesAI ("we", "our", or "us") operates the SentriesAI platform, including the website at sentriesai.com, mobile applications for iOS and Android, and browser extensions for Chrome, Firefox, and Safari (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information.

TL;DR — We scan content you submit to detect phishing and scam threats. We do not sell your data, do not run ads, and do not share your personal information with third parties for marketing. Your data is encrypted, stored in the EU, and you can delete everything at any time.

1. Data Controller

The data controller responsible for your personal data is SentriesAI, operated by Chiorean Alexandru Ioan, based in Cluj-Napoca, Cluj County, Romania. For any privacy-related inquiries, you can reach us at privacy@sentriesai.com.

2. Information We Collect

We collect information in the following categories, depending on how you interact with our Service:

2.1 Account Information

When you create an account, we collect your email address and, optionally, a display name. If you sign up via Google Single Sign-On (SSO), we receive your name, email, and profile picture URL from Google. Passwords are hashed using scrypt with cryptographically secure random salts and are never stored or transmitted in plaintext.

2.2 Content Submitted for Scanning

When you submit a URL, message, email, image, or QR code for threat analysis, we process that content through our detection pipeline. We apply a privacy-by-design approach:

  • Input hashing: We store a deterministic SHA-256 hash of your input, not the original content.
  • Redacted preview: Only the first 200 characters of your input are stored for display in your scan history.
  • Full content storage is opt-in: Full input content is only stored if you explicitly enable it in Settings for detection improvement purposes.
  • Image scans: Images uploaded for OCR scanning are processed in memory and are not stored on our servers after analysis is complete.

2.3 Gmail Integration Data

If you connect your Gmail account, we access your emails using Google's OAuth 2.0 with read-only scope (gmail.readonly). We scan email content for phishing and scam indicators. We do not store the full content of your emails — only scan metadata (verdict, score, extracted signals) is retained. You can disconnect Gmail at any time from Settings, which immediately revokes our access.

2.4 Browser Extension Data

The SentriesAI browser extension for Chrome, Firefox, and Safari processes data locally on your device and communicates with our API:

  • The extension stores your authentication token in chrome.storage.local to keep you signed in.
  • On Gmail and Outlook web pages, the extension reads email content in real time to detect threats. Email content is sent to our API for analysis and is not stored after processing.
  • On all websites, the extension may analyze links you hover over to warn about phishing URLs. Only the link URL is sent to our API.
  • The extension does not collect browsing history, keystrokes, form data, passwords, or any information from pages other than Gmail and Outlook (unless you explicitly trigger a scan).

2.5 Mobile Application Data

The SentriesAI mobile app stores your authentication token securely using the device's secure enclave (iOS Keychain / Android Keystore). If you enable push notifications, we store your device push token (Expo Push Token) to deliver threat alerts. Camera access is requested only when you use the QR code scanner feature and is not used for any other purpose.

2.6 Usage and Technical Data

  • IP address — used for rate limiting, abuse detection, and approximate geolocation (country level only).
  • User agent string — used to identify the platform (web, mobile, extension) and optimize the experience.
  • Scan metadata — timestamps, verdict, score, and detection signals for each scan you perform.
  • Session data — session creation time, expiry, and last activity (for security purposes).

We do not use third-party analytics services (Google Analytics, Mixpanel, Amplitude, etc.). We do not use tracking pixels, browser fingerprinting, or cross-site tracking of any kind.

2.7 Payment Information

Payments are processed entirely by Stripe, Inc. We never receive, store, or have access to your full credit card number, CVC, or banking details. Stripe provides us with a tokenized reference, the last four digits of your card, card brand, and subscription status.

2.8 User Feedback and Training Data

When you provide feedback on a scan result (e.g., "this was a false positive"), we store that feedback alongside the scan hash to improve our detection models. This feedback is associated with your user ID internally but is anonymized before being used for model training. You may opt out of contributing training data in Settings.

3. How We Use Your Information

Purpose                                  | Legal basis (GDPR Art. 6)
---------------------------------------- | ------------------------------------
Threat detection and scan analysis       | Legitimate interest (Art. 6(1)(f))
Account creation and authentication      | Contract performance (Art. 6(1)(b))
Email verification and password reset    | Contract performance (Art. 6(1)(b))
Subscription billing via Stripe          | Contract performance (Art. 6(1)(b))
Push notifications for threat alerts     | Consent (Art. 6(1)(a))
Gmail email scanning                     | Consent (Art. 6(1)(a))
Detection model improvement (anonymized) | Legitimate interest (Art. 6(1)(f))
Rate limiting and abuse prevention       | Legitimate interest (Art. 6(1)(f))
Security incident investigation          | Legitimate interest (Art. 6(1)(f))
Transactional emails                     | Contract performance (Art. 6(1)(b))

We do not use your personal data for profiling, automated decision-making that produces legal effects, behavioral advertising, or any purpose unrelated to the cybersecurity services described above.

4. AI and Machine Learning Processing

Our threat detection pipeline uses multiple layers of analysis, including artificial intelligence:

  • Heuristic engine — Rule-based pattern matching that runs locally on our servers. No data is shared externally.
  • Machine learning (XGBoost) — A statistical model that runs locally on our servers. No data is shared externally.
  • Claude AI (Anthropic) — Content submitted for scanning may be sent to Anthropic's Claude API for advanced threat analysis. Anthropic processes this data under their Privacy Policy. Anthropic does not use API inputs to train their models.
  • Claude Vision (OCR) — Images uploaded for scanning are sent to Anthropic's Claude API for text extraction. Images are processed in real time and are not stored by us or Anthropic for training.

We plan to develop proprietary AI models ("Sentinel AI") trained exclusively on anonymized, aggregated threat data. When available, these models will process data entirely on our infrastructure, eliminating the need for external AI providers for most scan operations.

5. Data Sharing and Third-Party Services

We do not sell, rent, lease, or trade your personal data to any third party. We share data only with the following service providers, strictly for the purposes described:

Provider  | Purpose                   | Data shared                           | Location
--------- | ------------------------- | ------------------------------------- | --------------
Anthropic | AI threat analysis, OCR   | Content submitted for scanning        | USA
Stripe    | Payment processing        | Email, subscription details           | USA
Resend    | Transactional emails      | Email address only                    | USA
Neon      | Database hosting          | All account and scan data (encrypted) | EU (Frankfurt)
Google    | Gmail integration         | OAuth token (read-only)               | USA
Expo      | Mobile push notifications | Device push token only                | USA

For service providers located outside the EEA, data transfers are protected by Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, as applicable. We may also disclose information if required by law, court order, or to protect the rights, safety, or property of SentriesAI, our users, or the public.

6. Data Storage and Security

6.1 Infrastructure

  • Database: Neon PostgreSQL, hosted in the EU (eu-central-1, Frankfurt). All data at rest is encrypted with AES-256.
  • Application server: Dedicated VPS in Europe with encrypted disk storage.
  • Cache: Redis, running in a private network. Not accessible from the internet.
  • Transport: All connections use TLS 1.2+. HSTS is enabled with a 1-year max-age.

6.2 Authentication Security

  • Passwords hashed with scrypt (per-user random salt, configurable work factor).
  • Session tokens are 256-bit cryptographically random values. Only SHA-256 hashes are stored.
  • Multi-factor authentication (TOTP) available with backup codes.
  • Login rate limiting: 5 failed attempts trigger a 15-minute lockout.
  • Session cookies: HttpOnly, Secure, SameSite=Lax attributes.
  • Audit logging for all authentication and sensitive operations.
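As an added illustration (not SentriesAI's own code), the following Python sketch shows how the measures listed above fit together: scrypt password hashing with a per-user random salt and an embedded, upgradeable work factor; 256-bit random session tokens of which only the SHA-256 digest is kept server-side; and a lockout after five failed attempts for 15 minutes. The scrypt cost parameters, the storage format, and the in-memory limiter are assumptions chosen for the example, not the platform's actual configuration.

```python
import hashlib
import hmac
import secrets
import time

# scrypt cost parameters. These values are an assumption for illustration,
# not the configuration SentriesAI actually runs.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SALT_BYTES = 16  # 128-bit random salt, generated fresh per user

MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str) -> str:
    """Hash a password with scrypt and a fresh random salt.

    The returned string embeds the parameters, so the work factor can be
    raised later without breaking verification of existing hashes.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_session_token() -> tuple[str, str]:
    """Return (token sent to the client, SHA-256 hex digest kept server-side).

    Only the digest is stored, so a leaked session table cannot be replayed.
    """
    token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits of entropy
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def lookup_session(presented_token: str, session_store: dict):
    """Resolve a client-presented token by hashing it and looking up the digest."""
    return session_store.get(hashlib.sha256(presented_token.encode("ascii")).hexdigest())


class LoginLimiter:
    """Locks an account for LOCKOUT_SECONDS after MAX_FAILED_ATTEMPTS consecutive failures."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable for testing
        self.failures = {}          # account -> consecutive failure count
        self.locked_until = {}      # account -> monotonic timestamp

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:   # lockout expired: reset counters
            self.locked_until.pop(account, None)
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> None:
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def attempt_login(limiter: LoginLimiter, account: str, password: str, stored_hash: str) -> bool:
    """Check the lockout first (a locked account costs no scrypt work), then the password."""
    if limiter.is_locked(account):
        return False
    if verify_password(password, stored_hash):
        limiter.record_success(account)
        return True
    limiter.record_failure(account)
    return False
```

Checking the lockout before computing scrypt means a locked account cannot be used to burn server CPU, and storing only the SHA-256 of the session token means the database row is useless without the original value the client holds.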

6.3 Application Security

  • Server-side request forgery (SSRF) protection on all outbound requests.
  • API rate limiting per user and per IP address via Redis.
  • Input validation and sanitization on all API endpoints.
  • No database credentials or API keys exposed to client-side code.
  • Regular dependency audits and security patches.

7. Cookies and Local Storage

Cookie / storage | Purpose                | Duration | Type
---------------- | ---------------------- | -------- | ----------------------------
sid              | Session authentication | 30 days  | Essential (HttpOnly, Secure)
rid              | Refresh token          | 90 days  | Essential (HttpOnly, Secure)
locale           | Language preference    | 1 year   | Functional (localStorage)

We do not use advertising, analytics, or tracking cookies. We do not use Google Analytics, Facebook Pixel, or any third-party tracking technology. The browser extension uses chrome.storage.local to store your authentication token — this data never leaves your device except as part of authenticated API requests.

8. Data Retention

Data type                | Retention period            | Notes
------------------------ | --------------------------- | -------------------------------------------
Account information      | Until account deletion      | Permanently deleted within 30 days of request
Scan history             | 12 months                   | Automatically purged after 12 months
Session data             | 30 days after last activity | Expired sessions automatically cleaned
Audit logs               | 90 days                     | Security investigation purposes
Anonymized training data | Indefinite                  | Cannot be linked to individual users
Payment records          | Per Stripe's policy         | We do not store card data
Push notification tokens | Until deregistration        | Cleaned on logout
Gmail connection data    | Until disconnection         | OAuth token revoked immediately on disconnect

9. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights:

  • Right of Access (Art. 15) — Request a copy of all personal data we hold about you. Provided in JSON format within 30 days.
  • Right to Rectification (Art. 16) — Correct inaccurate personal data. Update email and display name in Settings.
  • Right to Erasure (Art. 17) — Request deletion of your account and all associated data. Completed within 30 days.
  • Right to Data Portability (Art. 20) — Export your data in a structured, machine-readable format.
  • Right to Restrict Processing (Art. 18) — Restrict processing while a complaint is being resolved.
  • Right to Object (Art. 21) — Object to processing based on legitimate interests.
  • Right to Withdraw Consent (Art. 7(3)) — Withdraw consent at any time for consent-based processing (Gmail, push notifications).

Contact privacy@sentriesai.com to exercise any right. We respond within 30 days. You may also lodge a complaint with the ANSPDCP (Romanian Data Protection Authority) or your local supervisory authority.

10. International Data Transfers

Your primary data is stored in the EU (Frankfurt, Germany). Some service providers are in the United States. We ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs) — approved by the European Commission.
  • EU-US Data Privacy Framework — where the recipient is certified.
  • Adequacy decisions — where the Commission has determined adequate protection.

11. Collective Intelligence

SentriesAI operates a collective threat intelligence system. When a threat is detected, the following anonymized information may be shared across the network:

  • The domain or URL pattern identified as malicious.
  • The type of threat detected (phishing, scam, suspicious).
  • Aggregate statistics (e.g., "347 users protected from this campaign").

No personally identifiable information (email content, user identity, IP address) is included in collective intelligence data.

12. Family Plans and Organizations

If you create or join a Family plan or Organization, the administrator can see:

  • Member email addresses and roles.
  • Aggregate scan statistics per member (scan count, not scan content).
  • Membership status (active, pending invitation).

Administrators cannot see the content of individual scans, chat messages, or scan history of other members. Each member's scan data is private to their own account.

13. Children's Privacy

SentriesAI is not intended for children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided personal data, contact privacy@sentriesai.com and we will promptly delete that information.

14. Do Not Track

We do not track users across third-party websites and do not respond to Do Not Track (DNT) signals. We do not engage in cross-site tracking or behavioral advertising.

15. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights:

  • Right to Know — Request disclosure of categories and specific personal information collected.
  • Right to Delete — Request deletion of personal information.
  • Right to Non-Discrimination — No discrimination for exercising privacy rights.
  • No Sale of Personal Information — We do not sell personal information as defined by the CCPA.
  • No Sharing for Behavioral Advertising — We do not share data for cross-context behavioral advertising as defined by the CPRA.

16. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33). If the breach is likely to result in high risk to you, we will notify you directly via email without undue delay (GDPR Art. 34).

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Send an email notification to all registered users for significant changes.
  • Display an in-app notification for 30 days after the change.

Continued use of the Service after changes constitutes acceptance. If you disagree, you may delete your account at any time.

18. Contact Information

For questions, requests, or concerns regarding this Privacy Policy, contact privacy@sentriesai.com.
