Privacy Policy
1. Introduction
Sentinel ("we", "us", "our") operates the website at sentinelofficial.co.uk and provides daily quantitative intelligence briefings via email and web dashboard. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website, receive our emails, interact with our Telegram bot, or otherwise engage with our services.
The data controller responsible for your personal data is Sentinel, contactable at william@sentinelofficial.co.uk.
2. Information We Collect
2.1 Information You Provide
- Account information: email address and password (stored as a one-way bcrypt hash; we never store your password in plaintext)
- Company watchlist: the companies you choose to track (up to 10 on the free tier, up to 25 on the paid tier)
- Portfolio preferences: portfolio tickers, position sizes, display currency (GBP/USD/EUR), and pinned ticker — if you choose to configure these
- Email preferences: your chosen email cadence (weekdays or off)
- Support correspondence: any emails or messages you send us
2.2 Billing Information
If you subscribe to a paid plan, payments are processed entirely by Stripe. We never see, receive, or store your card number, bank details, or full payment credentials. We store only:
- Stripe customer ID and subscription ID (opaque identifiers)
- Subscription status (active, past due, cancelled)
- Plan identifier and current billing period end date
2.3 Authentication Data
If third-party authentication is enabled (currently Clerk), we may receive and store:
- Your Clerk user ID and email verification status
- Clerk sets its own cookies (__session, __client_uat) on your browser to manage authentication sessions
2.4 Automatically Collected Information
- Session cookies: we set a session cookie with a 30-day lifetime to keep you logged in. This cookie is HttpOnly (not accessible to JavaScript), Secure (HTTPS only in production), and SameSite=Lax
- CSRF tokens: a per-session unique identifier stored in your session to protect against cross-site request forgery
- Email engagement data: our email provider (SendGrid) uses an invisible tracking pixel to detect email opens and rewrites links to track clicks. This data is processed by SendGrid and linked to your email address
- Error and diagnostic data: we use Sentry for error monitoring. When an error occurs, Sentry may capture request context including your email address, IP address, browser user agent, and the URL you were visiting
3. How We Use Your Information
- Deliver personalised daily intelligence briefings to your email, filtered to your watchlist
- Display your personalised dashboard and report views on the website
- Process payments and manage your subscription via Stripe
- Verify your email address and authenticate your sessions
- Track email delivery status (sent, bounced, failed) and engagement (opens, clicks)
- Monitor, diagnose, and fix errors and performance issues via Sentry
- Respond to support requests and correspondence
- Enforce our Terms of Service and prevent abuse
- Send service-related communications (e.g., billing alerts, material policy changes)
4. AI and Large Language Model Processing
Sentinel uses large language models (LLMs) to generate analytical narratives in our reports:
- Anthropic Claude (Haiku 4.5 for section narratives, Sonnet 4.6 for synthesis and investigative analysis) — our primary provider
- OpenAI GPT (GPT-4o-mini) — fallback provider for narrative generation and text embeddings
The data sent to these LLMs consists of company-level financial and market data only: stock prices, financial metrics, sentiment scores, news headlines, insider trade records, and similar public-domain information. Your personal data (email, password, watchlist, billing information) is not sent to any LLM provider.
If you use the Simon AI assistant (via the dashboard or Telegram), your natural-language queries are sent to an LLM to generate responses. These queries may be processed and temporarily stored by the LLM provider in accordance with their own privacy policies.
5. Third-Party Data Processors
We share personal data with the following third-party service providers, each acting as a data processor on our behalf:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email address, subscriber ID, payment events |
| SendGrid (Twilio) | Email delivery & tracking | Email address, full email HTML content, open/click engagement events |
| Sentry | Error monitoring | Error context (may include email, IP address, request data, user agent) |
| Clerk | Authentication (if enabled) | Email address, user ID, email verification status |
| Anthropic | AI narrative generation | Company financial/market data only — no user PII |
| OpenAI | AI fallback & embeddings | Company financial/market data only — no user PII |
| Railway.app | Application hosting | All data transits through Railway infrastructure |
| Neon | PostgreSQL database hosting | All stored data (encrypted at rest) |
Each processor is bound by their own privacy policies and, where applicable, data processing agreements. We do not sell your personal data to any third party.
6. External Data Sources
Sentinel aggregates publicly available and licensed data from 25+ external sources to produce company intelligence. These include SEC EDGAR, GDELT, Yahoo Finance, Financial Modeling Prep, Finnhub, Ortex, Polymarket, Kalshi, Reddit, Bluesky, StockTwits, FRED, Adzuna, Google Trends, Wikipedia, FINRA, UK FCA, UK Parliament RNS, and others.
This data relates to public companies and financial markets, not to our users. Where third-party platform content is cached (e.g., Bluesky posts mentioning tracked companies), it is retained for up to 90 days and then automatically deleted.
7. Cookies and Tracking Technologies
| Cookie / Technology | Purpose | Duration |
|---|---|---|
| Session cookie (Flask) | Keeps you logged in, stores CSRF token | 30 days |
| __session (Clerk) | Authentication JWT (if Clerk enabled) | Session |
| __client_uat (Clerk) | Client auth timestamp (if Clerk enabled) | Session |
| SendGrid tracking pixel | Detects email opens | N/A (in-email) |
| SendGrid link rewriting | Tracks link clicks in emails | N/A (in-email) |
We do not use any third-party analytics cookies (no Google Analytics, no Facebook Pixel, no advertising trackers).
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (email, preferences, watchlist) | Until you deactivate your account, plus 30 days |
| Password hash | Deleted upon account deletion |
| Email delivery logs | Retained indefinitely for audit and deliverability purposes |
| Stripe billing identifiers | Per Stripe's own retention policy |
| Cached social media mentions (Bluesky) | 90 days (automatically pruned) |
| Sentry error logs | Per Sentry's retention policy (default 90 days) |
| Company market and financial data | Retained indefinitely |
When you deactivate your account, your personal data is scheduled for deletion. Your email, watchlist, and preferences are removed. Email delivery logs are retained in anonymised form for operational auditing.
9. Data Security
- Passwords are bcrypt-hashed and never stored or transmitted in plaintext
- HTTPS is enforced in production; session cookies are marked Secure
- Session cookies are HttpOnly (inaccessible to client-side JavaScript)
- CSRF protection is applied to all state-changing routes (login, signup, settings, billing)
- Our database is hosted on Neon with encryption at rest and in transit
- API keys and secrets are stored as environment variables, never committed to source code
- Access to production systems is restricted to authorised personnel only
No method of electronic transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
10. International Data Transfers
Our application is hosted on Railway.app (United States). Our database is hosted on Neon (United States). Third-party processors including Stripe, SendGrid, Sentry, Anthropic, and OpenAI operate primarily in the United States.
If you are located in the UK, EU, or EEA, your personal data may be transferred to and processed in countries outside your jurisdiction. These transfers are safeguarded by standard contractual clauses maintained by each processor, or other appropriate transfer mechanisms recognised under UK GDPR and EU GDPR.
11. Your Rights
Under the UK GDPR, EU GDPR, and applicable data protection laws, you have the following rights:
- Right of access: request a copy of all personal data we hold about you
- Right to rectification: correct inaccurate or incomplete data — you can update most information directly via the Settings page
- Right to erasure: request deletion of your account and all associated personal data
- Right to restriction: request that we limit the processing of your data in certain circumstances
- Right to data portability: request your personal data in a structured, commonly used, machine-readable format
- Right to object: object to processing based on our legitimate interests
- Right to withdraw consent: where processing is based on consent (e.g., email communications), you may withdraw consent at any time via the Settings page or the unsubscribe link in any email
- Right to lodge a complaint: you have the right to complain to the Information Commissioner's Office (ICO) in the UK or the relevant supervisory authority in your jurisdiction
To exercise any of these rights, contact us at william@sentinelofficial.co.uk. We will respond within 30 days of receiving your request.
12. Legal Basis for Processing
We process your personal data on the following legal grounds under UK GDPR / EU GDPR:
- Performance of a contract: account creation, delivering intelligence briefings, managing your subscription, processing payments
- Legitimate interests: error monitoring and diagnostics (Sentry), service security, fraud prevention, improving the service. We have assessed that these interests do not override your fundamental rights and freedoms
- Consent: email open and click tracking. You can withdraw consent to email communications at any time by adjusting your email cadence in Settings or clicking the unsubscribe link in any email
13. Children's Privacy
Sentinel is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at william@sentinelofficial.co.uk and we will promptly delete such data.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 14 days before the changes take effect. Your continued use of the service after the effective date constitutes acceptance of the updated policy.
The "Last updated" date at the top of this page indicates when this policy was last revised.
15. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at: