Sentinel42Last reviewed: 4 July 2026

Privacy Notice

This notice explains how Sentinel42 Ltd (“we”, “us”) handles personal data when you visit our website, sign up for a trial, or use the ISMS27001 platform (the “Service”). We are the data controller for the personal data described here.

Where our customers upload personal data to the Service in the course of their own information-security programme, they are the controller of that data and we act as their processor under the Data Processing Agreement. This notice does not cover that customer-uploaded data.

Who we are

Sentinel42 Ltd, registered in England & Wales, company number 17286468, registered office 66 Paul Street, London EC2A 4NA. We are registered with the UK Information Commissioner’s Office as a data controller, registration number C1974552. Contact for privacy and data-protection queries: DPO@sentinel42.com.

Personal data we collect

  • Account data. Name, work email, organisation, role, hashed password, MFA factors, and profile settings.
  • Authentication metadata. Sign-in timestamps, IP address, user-agent, session identifiers, and audit-log entries for security-relevant actions.
  • Communications. Emails and support tickets you send us, and our replies.
  • Billing contact. For paid customers, the name and email of the person who receives invoices. We do not store payment card details; invoicing is by BACS.
  • Website usage. Basic request logs (timestamp, path, IP, user-agent) and, where enabled, privacy-friendly analytics that do not identify individuals.

How we use it and our lawful basis

PurposeLawful basis (UK GDPR Art. 6)
Provide and operate the Service; authenticate usersContract (6(1)(b))
Security monitoring, audit logging, fraud preventionLegitimate interests (6(1)(f)) — protecting the Service and its users
Send transactional emails (sign-in, password reset, notifications)Contract (6(1)(b))
Billing, invoicing and financial record-keepingContract and legal obligation (6(1)(b), 6(1)(c))
Respond to enquiries and support requestsLegitimate interests (6(1)(f))
Marketing emails to business contacts (soft opt-in)Legitimate interests (6(1)(f)); unsubscribe honoured

Who we share it with

We share personal data only with the sub-processors listed on our Security page — hosting, database, edge and email providers — and with professional advisors, or where required by law. We do not sell personal data.

International transfers

Our primary hosting is in the EU. Where personal data is transferred outside the UK, we rely on UK adequacy regulations or, where these do not apply, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (or the IDTA), together with any additional safeguards required.

Retention

  • Account data: for the life of the account, then deleted within 90 days of account closure (subject to legal retention).
  • Security audit log: 2 years, per the platform’s audit retention policy.
  • Invoices and financial records: 6 years, to meet HMRC and Companies Act requirements.
  • Support communications: up to 3 years after last contact.

Your rights

Under UK GDPR you have the right to:

  • ask for a copy of the personal data we hold about you;
  • ask us to correct or delete it;
  • ask us to restrict or object to processing;
  • ask for portability of data you provided to us;
  • withdraw consent where processing is based on consent; and
  • complain to the UK Information Commissioner’s Office (ico.org.uk).

To exercise any of these rights, email DPO@sentinel42.com. We will respond within one month.

Security

Details of the technical and organisational measures we operate are on the Security page.

Cookies

The Service uses only cookies and local storage strictly necessary to keep you signed in and to remember your interface preferences. We do not use advertising cookies or cross-site trackers. The public website uses privacy- friendly analytics that do not set identifying cookies.

Changes to this notice

We will update this notice when our practices change. Material changes are notified to account holders by email or in-app notice at least 14 days before they take effect.