Sentyra Legal

Privacy Policy

This Privacy Policy explains how Sentyra collects, uses, shares, and protects personal data when you use our website and platform. As a compliance company, we aim to hold ourselves to the standards we help our customers meet. This policy is drafted to align with India's Digital Personal Data Protection Act, 2023 and the EU/UK General Data Protection Regulation.

Status: Draft · Effective date: [[effective date]] · Provider: [[Company legal name]]

1. Introduction & scope

This policy applies to personal data we handle as a data fiduciary/controller in the operation of the Sentyra platform and website — for example account, billing, and usage data of our customers and their users, and data of website visitors.

Where we process personal data on behalf of a customer to provide the Service (for example evidence and content in a customer’s compliance workspace), we act as a data processor and that processing is governed by our agreement with the customer, including any Data Processing Agreement. In that role the customer is the data fiduciary/controller and is responsible for the notices and lawful grounds for that data.

2. Who we are

The data fiduciary/controller responsible for personal data described in this policy is [[Company legal name]], located at [[registered address]]. You can reach us regarding privacy at [[contact email]].

3. Data we collect

Data you provide

  • Account data: name, work email, organisation name, and role.
  • Authentication data: credentials managed through our identity provider (passwords are not stored by us in readable form).
  • Billing and business contact data where applicable.
  • Support and communications: messages you send us and their contents.

Data we collect automatically

  • Usage and log data: actions taken in the platform, timestamps, and audit-trail entries used to secure and operate the Service.
  • Device and connection data: IP address, browser type, and similar technical information.
  • Cookies and similar technologies strictly necessary to authenticate sessions and keep the Service secure (see the Cookies section).

Integration and evidence metadata

When a customer connects a third-party system, we process the configuration and the evidence returned by that system on the customer’s instruction. This may incidentally contain personal data (for example a user email in an access-review export). We handle such data as a processor for the customer, not for our own purposes.

4. How we use data

  • to provide, maintain, and secure the Service and your account;
  • to authenticate users and enforce access controls and tenant isolation;
  • to provide support and respond to your requests;
  • to maintain audit trails and the integrity of evidence and decision records;
  • to send service and administrative communications;
  • to improve reliability, safety, and performance of the Service in aggregate;
  • to comply with legal obligations and to establish, exercise, or defend legal claims.

We do not sell personal data. We do not use customer content to train general-purpose models for unrelated purposes.

6. Sharing & sub-processors

We share personal data only as needed to operate the Service and as described here:

  • Sub-processors: vetted service providers that host or support the Service (for example cloud infrastructure, database, authentication, and email delivery providers). We maintain a list of sub-processors and impose data-protection obligations on them by contract.
  • Professional advisers and authorities: where required to comply with law, enforce our terms, or protect rights and safety.
  • Business transfers: in connection with a merger, acquisition, or asset sale, subject to this policy.

A current list of sub-processors is available at [[sub-processor list URL]]. We will provide a mechanism to be notified of changes.

7. International transfers

We may process and store personal data in countries other than your own, including where our sub-processors operate. Where we transfer personal data across borders, we do so in accordance with applicable law and use appropriate safeguards (for example standard contractual clauses under the GDPR, and transfers only to jurisdictions not restricted under the DPDP Act). Details of hosting locations are available on request at [[contact email]].

8. Data retention

We retain personal data for as long as needed to provide the Service and for the purposes described in this policy, and thereafter only as required to comply with legal obligations, resolve disputes, and enforce agreements. Account data is retained for the life of the account and then deleted or anonymised within a defined period after closure ([[retention period]]), subject to legal holds. Audit-trail records may be retained longer where required for security and accountability.

9. Security

We apply technical and organisational measures designed to protect personal data. Current measures include:

  • row-level security (RLS) in our database to enforce strict tenant isolation between customer organisations;
  • encryption in transit (TLS) and encryption at rest for sensitive credentials, protected by a dedicated encryption key (SENTYRA_CREDENTIAL_KEY);
  • Ed25519 digital signatures and SHA-256 hashing of evidence artifacts so their integrity can be independently verified, with hash-chained decision traces;
  • authentication via a managed identity provider with short-lived sessions and role-based access controls;
  • least-privilege access for personnel and audit logging of privileged actions.

A note on certifications. The measures above describe controls we operate. Sentyra does not currently hold, and this policy does not claim, any third-party certification or attestation (such as SOC 2 or ISO 27001) unless and until we publish such a report in writing. No security measure is perfectly secure, and we cannot guarantee absolute security.

10. Your rights

Subject to applicable law and verification of your identity, you have rights over your personal data. Under the DPDP Act, as a Data Principal you may:

  • access a summary of the personal data we process about you and the processing activities;
  • seek correction, completion, updating, or erasure of your personal data;
  • nominate another individual to exercise your rights in the event of death or incapacity;
  • readily withdraw consent where processing is based on consent;
  • have your grievances addressed through our grievance redressal mechanism (below).

Under the GDPR, where it applies, you may additionally have rights to object to or restrict processing, to data portability, and to lodge a complaint with your supervisory authority.

To exercise any right, contact [[contact email]]. If you are a user within a customer’s workspace, we may direct your request to that customer, who acts as the fiduciary/controller for that data.

11. Grievance redressal

If you have a concern or complaint about how we handle personal data, you may contact our grievance officer / data protection contact:

Grievance Officer: [[grievance officer name]]

Email: [[grievance / DPO email]]

Address: [[registered address]]

We will acknowledge and address grievances within the timeframes required by applicable law. If you remain unsatisfied, you may escalate to the Data Protection Board of India or your relevant supervisory authority.

12. Children's data

The Service is intended for business use and is not directed to children. We do not knowingly collect personal data of children without the consent of a parent or lawful guardian as required by the DPDP Act and other applicable law. If you believe a child’s data has been provided to us, contact us so we can address it.

13. Cookies

We use cookies and similar technologies that are strictly necessary to operate the Service — principally to authenticate sessions and protect against fraud and abuse. Where we use any non-essential cookies, we will obtain consent as required by applicable law and provide controls to manage them.

14. Changes to this policy

We may update this policy from time to time. We will post the updated version with a new effective date and, for material changes, provide additional notice as required by law. Your continued use of the Service after changes take effect indicates acceptance of the updated policy where permitted.

15. Contact

For any privacy question, contact [[contact email]], or write to [[Company legal name]], [[registered address]].