Plain-English Summary
Sentry is a security tool. We collect only what's needed to run your account and deliver scan results. We don't sell your data, we don't scan sites you don't own, and we don't store your scanned site's content longer than needed to display results. Full details below.
1. Information We Collect
We collect information you provide directly when you create an account and use the Service:
- Account Information: Your email address and a hashed password when you register.
- Scan Targets: The URLs you submit for scanning. These are stored so you can view your scan history.
- Domain Verification Records: The domain names you register and verify ownership of, along with the verification token used to confirm control.
- Scan Results: The security findings generated by the engine, stored in your scan history (JSON format).
- Usage Metadata: Number of scans performed, your plan tier, and timestamps of activity. Used for billing and rate-limiting.
- Session Tokens: Hashed session tokens stored in our database and in your browser's localStorage to keep you logged in.
We do not collect payment card details directly. Billing (if applicable) is processed through a third-party payment processor.
2. How We Use Your Information
We use collected information solely to provide and improve the Service:
- To authenticate you and maintain your session.
- To queue, run, and store the results of security scans you initiate.
- To enforce plan limits (scan quotas, domain limits, priority tiers).
- To send security alert emails if you are on the Sentinel plan and critical issues are discovered in auto-scans.
- To detect abuse (e.g., scanning domains you do not own) and enforce the authorization gate.
- To improve scan accuracy and add new detection checks.
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
3. Scan Data & Security
Sentry is a security tool, so we hold ourselves to a higher standard:
- Authorization Gate: You must verify domain ownership before any scan runs. We record this confirmation as an audit trail.
- Non-Destructive Scanning: The engine only performs read-only probes. It does not submit state-changing forms, send PUT/DELETE/TRACE requests, or exploit vulnerabilities it discovers.
- No Full Content Storage: We store findings (e.g., "Missing security header on /login") — not the full HTML content of your pages.
- Secret Redaction: If a check discovers a leaked secret or token, only a partial, redacted version is stored in the findings. Full values are never logged or saved.
- Worker Isolation: Scanning runs in isolated worker processes separate from the web interface and database.
- Private Network Protection: The scanner is configured to block requests to private IP ranges (10.x.x.x, 192.168.x.x, 127.x.x.x), cloud provider metadata endpoints (169.254.169.254), and other internal addresses.
4. Data Retention
- Scan History: Your scan results are stored indefinitely until you delete them or close your account.
- Sessions: Session tokens expire after 30 days of inactivity.
- Account Data: Account information is retained until you request deletion.
- Closed Accounts: Upon account deletion request, your personal data (email, scan targets, results) will be deleted within 30 days, except where retention is required for legal compliance.
5. Third-Party Services
Sentry relies on the following third parties to operate:
- Convex (convex.dev): Our backend database and serverless functions provider. All account data, session tokens, and scan results are stored on Convex's infrastructure. See Convex's Privacy Policy.
- Render (render.com): The cloud platform that hosts the scanning worker process. See Render's Privacy Policy.
- Google Fonts: We load the "Inter" typeface from Google Fonts. This involves a request to Google's CDN when you load the page. See Google's Privacy Policy.
We do not use advertising networks, social media trackers, or analytics platforms that profile users.
6. Cookies & Local Storage
- Session Token (localStorage): We store your session token in localStorage so you remain logged in between visits. This is strictly necessary for the Service to function.
- No Tracking Cookies: We do not use tracking cookies, advertising cookies, or third-party cookies of any kind.
- No Analytics: We do not embed Google Analytics, Mixpanel, or any other behavioral analytics service.
You can clear your session at any time by logging out (which removes the token from both localStorage and our database) or by clearing your browser's local storage.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your account and all associated personal data.
- Portability: Request your scan results in JSON format (available through the Export feature in the app).
- Objection: Object to processing of your personal data in certain circumstances.
To exercise any of these rights, contact us at the email address below. We will respond within 30 days.
8. Children's Privacy
Sentry is a professional security tool intended for use by developers and security professionals. The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make material changes, we will update the "Last Updated" date at the top of this page.
We encourage you to review this policy periodically. Continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
10. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact us: