Privacy Policy

Effective date: April 1, 2026 · Last updated: April 1, 2026 · Questions: support@sentineltrust.io

Sentinel provides automated sanctions screening for fintech companies. This policy explains what data we collect, how we use it, and how we protect it. We've written it to be readable, not just legally defensible.

1. Who we are

Sentinel is operated by Sentinel Compliance. We provide a compliance screening service that integrates with your Stripe account to flag payments that may involve sanctioned individuals or entities. Our contact email is support@sentineltrust.io.

2. What data we process

When Sentinel screens a payment, the following fields from the Stripe event are processed:

The name associated with the payment (billing name or customer name)
The payment amount and currency
The billing country
The Stripe payment ID (used to link back to your Stripe dashboard)
The customer email address, if present in the Stripe event
The payment description, if provided

What we never see: Sentinel does not receive or store payment card numbers, bank account details, CVV codes, or any other raw financial credentials. Stripe handles all sensitive payment data and does not include it in webhook events.

3. How we use this data

The data above is used exclusively to:

Screen the payment name against the OFAC Specially Designated Nationals (SDN) list and other applicable sanctions lists
Generate a risk score and AI-assisted reasoning for your compliance team to review
Send you an alert (via email and/or Slack) when a potential match is found
Store the result in your audit log so you can demonstrate due diligence

We do not use your customers' data for advertising, profiling, model training, or any purpose outside of providing the compliance screening service you've signed up for.

4. AI processing

When a payment name is a close match to an entry on the OFAC SDN list, Sentinel sends a limited set of data — the payment name, billing country, amount, and the list of candidate matches — to Anthropic's Claude API for entity resolution. This helps reduce false positives before an alert reaches you.

The data sent to Anthropic is used only to generate a one-time determination for that specific screening request. Anthropic's API data usage policy applies; Anthropic does not use API data to train models by default. You can review Anthropic's privacy practices at anthropic.com/privacy.

5. Data storage and retention

Screening results, risk scores, AI reasoning, and case statuses are stored in a secure database (Supabase, hosted on AWS) so you have an ongoing audit trail. This data is stored for as long as you have an active Sentinel account.

If you close your account, you may request deletion of all stored records by emailing support@sentineltrust.io. We will process deletion requests within 30 days.

6. Data sharing

We share data with the following third parties, solely to operate the service:

Stripe — delivers payment event data to us via webhooks. We do not share data back to Stripe beyond the API calls initiated by your account.
Anthropic — receives limited payment context (name, country, amount, SDN candidates) for AI entity resolution on flagged payments only.
Supabase — hosts our database where audit logs and screening results are stored.
Resend — delivers compliance alert emails to the address you configure.

We do not sell, rent, or trade any data to third parties. We do not share data with marketing platforms, data brokers, or analytics providers.

7. Security

All data is transmitted over TLS/HTTPS. API keys and secrets are stored in GCP Secret Manager and are never exposed in logs or responses. Access to production data is restricted to authenticated personnel. We run on Google Cloud Platform infrastructure with no public database exposure.

8. Your customers' rights

Sentinel processes data on your behalf as a data processor. You are the data controller for your customers' information. If one of your customers requests access to or deletion of their data, you should handle that request in accordance with your own privacy policy, and you may request deletion of related Sentinel records by contacting us.

9. OFAC list data

The sanctions list data Sentinel uses is sourced from OFAC (the U.S. Treasury's Office of Foreign Assets Control) and is publicly available. We refresh this list regularly. Sentinel's screening results are informational flags for your compliance review — they are not legal determinations, and a match does not constitute confirmed wrongdoing.

10. Changes to this policy

We may update this policy as the service evolves. If we make material changes, we will notify customers by email at least 14 days before the change takes effect. The "Last updated" date at the top of this page will always reflect the most recent version.

11. Contact

For any privacy questions, data requests, or concerns, contact us at support@sentineltrust.io. We aim to respond within two business days.