Privacy First

Privacy Policy

Effective: February 24, 2026  ·  Last updated: February 24, 2026

We are an AI security and governance firm. Our own data practices are held to the same standard we set for our clients — strict, transparent, and GDPR-compliant by design, not by checkbox.

TL;DR — The Short Version

  • We collect only what we need to respond to you (name, email, optional phone).
  • We never sell, rent, or broker your data. Ever.
  • Our analytics are self-hosted, cookieless, and collect no personal data.
  • No third-party ad networks, tracking pixels, or fingerprinting.
  • We use Google Fonts — we disclose this and what it means below.
  • Contact us at privacy@sentinel-nexus.com to exercise any GDPR right, any time.

1 Data Controller

The data controller for this website is:

Under the EU General Data Protection Regulation (GDPR) and applicable data protection laws, Sentinel Nexus is the controller of personal data collected through this website.

2 What We Collect and Why

2.1 Contact Form Submissions

When you submit a contact inquiry through our website, we collect:

Field | Required | Purpose
Full name | Yes | To address you correctly in our response
Email address | Yes | To reply to your inquiry
Phone number | No | Alternative contact method if you prefer a call

This data is transmitted via an encrypted connection (HTTPS) to our self-hosted automation infrastructure (n8n.sentinel-nexus.com) for routing and response management. It is not transmitted to any third-party CRM or marketing platform.

2.2 Analytics Data

We use Umami Analytics, a self-hosted, open-source analytics platform. Umami is specifically designed to be GDPR-compliant without requiring a cookie consent banner because:

  • It does not use cookies or local storage.
  • It does not collect personal data or persistent identifiers.
  • IP addresses are never stored — they are used only transiently to derive an approximate country, then discarded.
  • All analytics data is hosted on our own infrastructure within the EU.

The data collected includes: page views, referrer domain (not full URL), browser type, device type, OS type, and country. None of this constitutes personal data under GDPR.

2.3 Server Logs

Our web server infrastructure may retain standard access logs (IP address, request path, timestamp, user agent) for up to 7 days for security and abuse-prevention purposes. These logs are not linked to any other personal data and are not used for profiling.

4 Data Retention

Data Type | Retention Period | Rationale
Contact form submissions (name, email, phone) | 12 months from last contact | Standard business correspondence cycle; deleted upon request at any time
Analytics data (aggregate, non-personal) | 24 months rolling | Trend analysis; not personal data, but we apply retention limits as a matter of principle
Server access logs | 7 days | Security monitoring only; auto-purged

5 Third Parties and Data Processors

We do not sell, rent, trade, or broker your personal data to any third party. Below is a complete inventory of external services this site interacts with:

Google Fonts API (External — Google LLC)

What it does: Loads the Inter typeface from Google's CDN (fonts.googleapis.com and fonts.gstatic.com). When your browser requests the font, Google's servers receive your IP address and a User-Agent header.

What Google says it does with this: According to Google's own documentation, IP addresses from Font API requests are not stored beyond the immediate request and are not used for profiling. However, as an external third party we cannot independently verify this.

Legal basis: Legitimate interest in providing a consistent visual experience. We acknowledge this constitutes a transfer of technical metadata to a US-based processor.

Safeguard: Google LLC participates in the EU-U.S. Data Privacy Framework (DPF). Standard Contractual Clauses also apply via Google's terms.

Our stance: We are evaluating self-hosting the Inter font to eliminate this external dependency entirely. We disclose it now in the spirit of full transparency.

Umami Analytics (Self-Hosted — sentinel-nexus.com infrastructure)

What it does: Collects anonymised, aggregate page view data. No personal data, no cookies, no cross-site tracking. All data stays on our own servers.

n8n Workflow Automation (Self-Hosted — sentinel-nexus.com infrastructure)

What it does: Receives contact form submissions and routes them to our team. Self-hosted on our own infrastructure; your data does not leave our control.

There are no advertising networks, retargeting pixels, social media SDKs, session recording tools, heatmap services, or third-party chat widgets on this site.

6 Cookies and Tracking

This website does not use cookies.

Umami Analytics is specifically engineered to operate without cookies or any form of persistent browser storage. We do not set first-party cookies for analytics, session tracking, personalisation, or any other purpose.

Google Fonts may cause your browser to cache font files locally — this is standard browser caching behaviour and is not a cookie or tracking mechanism.

Because we do not use cookies, no cookie consent banner is required or shown. This is an intentional design decision.

7 International Data Transfers

Our primary infrastructure is hosted within the EU/EEA. The only transfer of any data outside the EEA occurs when your browser loads fonts from Google's CDN (see Section 5 above).

This transfer is covered by:

  • Google LLC's participation in the EU-U.S. Data Privacy Framework (DPF), certified July 2023.
  • Standard Contractual Clauses (SCCs) incorporated into Google's service terms.

Contact form data and analytics data remain on EU-hosted infrastructure and are not transferred internationally.

8 Your Rights Under GDPR

You have the following rights with respect to any personal data we hold about you. These are not caveated, conditional, or subject to commercial qualification — they are your legal rights and we honour them unconditionally.

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you and information about how it is processed.
  • Right to Rectification (Art. 16): Request correction of any inaccurate personal data we hold.
  • Right to Erasure (Art. 17): Request deletion of your personal data. We will comply promptly unless a legal obligation requires us to retain it.
  • Right to Restriction (Art. 18): Request that we restrict processing of your data while a dispute is resolved.
  • Right to Portability (Art. 20): Receive your personal data in a structured, machine-readable format (JSON or CSV) for transfer to another controller.
  • Right to Object (Art. 21): Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

You also have the right to withdraw consent at any time (where consent is the legal basis) and the right to lodge a complaint with your national supervisory authority. In the EU, the lead authority for cross-border matters is determined by where you reside. A list of EU supervisory authorities is available at edpb.europa.eu.

9 How to Exercise Your Rights

Email privacy@sentinel-nexus.com with the subject line "GDPR Rights Request" and describe the right you wish to exercise. Include sufficient information to identify the personal data concerned (e.g., the email address you submitted via the contact form).

  • 1 month: Response time commitment (GDPR Article 12 requires this; we target faster)
  • Free: No charge for rights requests unless they are manifestly unfounded or excessive
  • No ID required: We will verify identity using the email address on file — we will not request government ID for standard inquiries

10 Children's Privacy

This website is directed at business professionals and is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal data to us, contact privacy@sentinel-nexus.com and we will delete it immediately.

11 Changes to This Policy

We will update this policy to reflect changes in our practices or applicable law. Material changes will be communicated by updating the "Last updated" date at the top of this page. We will not retroactively weaken the protections in this policy without clear notification.

Continued use of the website following a policy update does not constitute consent to the updated terms — we rely on legitimate interest, not consent, for processing described here.

12 Contact and Data Protection Enquiries

Privacy enquiries and rights requests:
privacy@sentinel-nexus.com

General contact:
info@sentinel-nexus.com

We do not have a formal Data Protection Officer (DPO) requirement under Article 37 GDPR as we do not engage in large-scale, systematic processing of special category data. However, privacy enquiries are treated with priority and handled by a named member of our team.