Sentrya

Privacy Policy

Last updated: February 15, 2025

1. Introduction

Sentrya ("we", "us", "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered AML and compliance investigation platform ("Service").

We process personal data in compliance with the General Data Protection Regulation (GDPR - Regulation (EU) 2016/679) and other applicable EU data protection laws.

2. Data Controller

The data controller responsible for the processing of your personal data is:

Sentrya
Email: contact@sentrya.app

3. Data We Collect

We collect the following categories of data:

3.1 Account Information

  • Name and email address
  • Company name and role
  • Authentication credentials (securely hashed)

3.2 Transaction Data

  • Transaction details submitted for AML analysis (amounts, parties, jurisdictions)
  • Risk assessments and investigation outcomes
  • Case management data (notes, decisions, audit trails)

3.3 Usage Data

  • Log data (IP addresses, browser type, access times)
  • Feature usage and interaction patterns
  • AI analysis request metadata

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)) — to provide our Service and fulfill our contractual obligations
  • Legitimate interests (Art. 6(1)(f)) — to improve our Service, ensure security, and prevent fraud
  • Legal obligations (Art. 6(1)(c)) — to comply with applicable AML regulations (5AMLD, 6AMLD)
  • Consent (Art. 6(1)(a)) — for marketing communications, where applicable

5. How We Use Your Data

  • Provide and operate the AML compliance platform
  • Perform AI-powered transaction risk analysis
  • Generate investigation briefs and STR/SAR draft reports
  • Maintain audit trails for regulatory compliance
  • Improve our AI models and platform features
  • Communicate with you about your account and service updates
  • Ensure platform security and prevent unauthorized access

6. AI Processing

Our Service uses AI (powered by Anthropic's Claude) for transaction risk analysis and investigation support. When processing transaction data through our AI system:

  • Transaction data is sent to Anthropic's API for analysis
  • Anthropic does not use customer data to train its models (per their data usage policy)
  • AI outputs are advisory only — all final decisions are made by human analysts
  • AI processing is logged for audit and compliance purposes

7. Data Sharing

We do not sell your personal data. We may share data with:

  • Service providers — cloud infrastructure (Railway), AI processing (Anthropic), hosting (Vercel)
  • Legal authorities — when required by law or regulation
  • Your organization — data is accessible to authorized users within your company

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS/HTTPS)
  • Secure password hashing (bcrypt)
  • JWT-based authentication with token expiration
  • Row-level data isolation between organizations (multi-tenant security)
  • Rate limiting to prevent abuse
  • Regular security reviews and updates

9. Data Retention

We retain your data for as long as your account is active or as needed to provide our Service. Transaction and investigation data may be retained for the period required by applicable AML regulations (typically 5 years per 5AMLD Article 40). Upon account termination, personal data will be deleted or anonymized within 30 days, unless retention is required by law.

10. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — request a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to erasure (Art. 17) — request deletion of your data
  • Right to restrict processing (Art. 18) — limit how we use your data
  • Right to data portability (Art. 20) — receive your data in a structured format
  • Right to object (Art. 21) — object to processing based on legitimate interests

To exercise any of these rights, contact us at contact@sentrya.app. We will respond within 30 days.

11. International Data Transfers

Some of our service providers may process data outside the European Economic Area (EEA). In such cases, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data in accordance with GDPR Chapter V.

12. Cookies

Our landing page uses minimal cookies necessary for the operation of the website. We do not use tracking or advertising cookies. Our dashboard application uses session cookies for authentication purposes only.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at contact@sentrya.app.

You also have the right to lodge a complaint with your local data protection supervisory authority.