Privacy Policy

1. Who We Are

Sentinel Security System ("Sentinel", "we", "us", "our") is an enterprise device security platform operated from Nairobi, Kenya. We provide remote device management, threat detection, and endpoint control services to organisations across Africa.

This Privacy Policy explains what personal data we collect, why we collect it, how it is used, and the rights you hold over your information.

2. Data We Collect

Account Information

• Username and email address provided at registration
• Hashed password (bcrypt — plaintext is never stored)
• Subscription plan and billing history
• Account creation and last-login timestamps

Device Telemetry (collected from enrolled endpoints)

• GPS coordinates and movement history
• Battery level, network status, and connectivity type
• Device identifiers (device ID, IMEI if provided)
• Device type, label, and operating system
• On-demand photographs and screenshots (Snapshot command only, requires explicit user initiation)
• Command logs and acknowledgement timestamps

Session & Security Data

• Browser session tokens (stored server-side, never in localStorage)
• IP addresses for access logs and geofence enforcement
• CSRF tokens for request integrity verification

3. How We Use Your Data

• To provide and operate the remote device management service
• To authenticate users and verify device identity via JWT tokens
• To execute security commands (lock, wipe, isolate) on enrolled devices
• To deliver real-time threat alerts and telemetry to account holders
• To generate evidence chains for stolen-device recovery
• To process subscription payments via M-Pesa, Stripe, or PayPal
• To send transactional emails (account alerts, billing receipts)
• To investigate and respond to support tickets

We do not sell, rent, or share your personal data or device telemetry with third parties for marketing purposes.

4. Legal Basis for Processing

Under the Kenya Data Protection Act 2019 and applicable GDPR principles, we process your data on the following bases:

• Contract performance — to deliver the service you subscribed to
• Legitimate interests — security logging, fraud prevention, service integrity
• Consent — for optional features such as snapshot photographs
• Legal obligation — when required by law or court order

5. Data Retention

• Device telemetry — retained for 90 days, then purged automatically
• Command logs — retained for 180 days for audit purposes
• Snapshot photographs — retained for 30 days unless flagged as evidence for a stolen-device case (retained until case resolution)
• Account data — retained for the life of the subscription plus 30 days after cancellation
• Billing records — retained for 7 years per Kenyan financial regulations

6. Data Security

We apply industry-standard security controls to protect your data:

• AES-256 encryption for data at rest
• TLS 1.3 for all data in transit
• JWT-based device authentication with per-device token versioning
• CSRF protection on all state-changing requests
• Role-based access controls limiting admin capabilities to verified administrators
• Regular penetration testing and security reviews

See our Security & Compliance page for full technical details.

7. Cookies & Local Storage

We use server-side sessions only. We do not use third-party tracking cookies, advertising pixels, or cross-site analytics. The only cookies set are:

• Session cookie — authenticates your login session (HttpOnly, Secure, SameSite=Lax)
• CSRF token — prevents cross-site request forgery

8. Your Rights

Under the Kenya Data Protection Act 2019, you have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate data
• Deletion — request deletion of your account and associated data
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests
• Restriction — request that we limit how we process your data

To exercise any of these rights, contact us at the address below. We will respond within 30 days.

9. Third-Party Processors

We share data with the following sub-processors only as necessary to deliver the service:

• Vercel — hosting and edge network (United States)
• Safaricom (M-Pesa) — payment processing for KES transactions (Kenya)
• Stripe — payment processing for USD/card transactions (United States)
• PayPal — payment processing (Luxembourg/United States)

Each processor is contractually bound to protect your data and is prohibited from using it for any purpose beyond service delivery.

10. International Transfers

If you are located outside Kenya, your data may be transferred to and processed in countries where our hosting providers operate, including the United States and the European Economic Area. Such transfers are subject to appropriate safeguards including Standard Contractual Clauses.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice in your dashboard. Continued use of the service after changes take effect constitutes acceptance of the revised policy.

12. Contact & Data Controller