Privacy Notice
This notice explains how Sentinel42 Ltd (“we”, “us”) handles personal data when you visit our website, sign up for a trial, or use the ISMS27001 platform (the “Service”). We are the data controller for the personal data described here.
Where our customers upload personal data to the Service in the course of their own information-security programme, they are the controller of that data and we act as their processor under the Data Processing Agreement. This notice does not cover that customer-uploaded data.
Who we are
Sentinel42 Ltd, registered in England & Wales, company number 17286468, registered office 66 Paul Street, London EC2A 4NA. We are registered with the UK Information Commissioner’s Office as a data controller, registration number C1974552. Contact for privacy and data-protection queries: DPO@sentinel42.com.
Personal data we collect
- Account data. Name, work email, organisation, role, hashed password, MFA factors, and profile settings.
- Authentication metadata. Sign-in timestamps, IP address, user-agent, session identifiers, and audit-log entries for security-relevant actions.
- Communications. Emails and support tickets you send us, and our replies.
- Billing contact. For paid customers, the name and email of the person who receives invoices. We do not store payment card details; invoicing is by BACS.
- Website usage. Basic request logs (timestamp, path, IP, user-agent) and, where enabled, privacy-friendly analytics that do not identify individuals.
How we use it and our lawful basis
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Provide and operate the Service; authenticate users | Contract (6(1)(b)) |
| Security monitoring, audit logging, fraud prevention | Legitimate interests (6(1)(f)) — protecting the Service and its users |
| Send transactional emails (sign-in, password reset, notifications) | Contract (6(1)(b)) |
| Billing, invoicing and financial record-keeping | Contract and legal obligation (6(1)(b), 6(1)(c)) |
| Respond to enquiries and support requests | Legitimate interests (6(1)(f)) |
| Marketing emails to business contacts (soft opt-in) | Legitimate interests (6(1)(f)); unsubscribe honoured |
International transfers
Our primary hosting is in the EU. Where personal data is transferred outside the UK, we rely on UK adequacy regulations or, where these do not apply, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (or the IDTA), together with any additional safeguards required.
Retention
- Account data: for the life of the account, then deleted within 90 days of account closure (subject to legal retention).
- Security audit log: 2 years, per the platform’s audit retention policy.
- Invoices and financial records: 6 years, to meet HMRC and Companies Act requirements.
- Support communications: up to 3 years after last contact.
Your rights
Under UK GDPR you have the right to:
- ask for a copy of the personal data we hold about you;
- ask us to correct or delete it;
- ask us to restrict or object to processing;
- ask for portability of data you provided to us;
- withdraw consent where processing is based on consent; and
- complain to the UK Information Commissioner’s Office (ico.org.uk).
To exercise any of these rights, email DPO@sentinel42.com. We will respond within one month.
Security
Details of the technical and organisational measures we operate are on the Security page.
Changes to this notice
We will update this notice when our practices change. Material changes are notified to account holders by email or in-app notice at least 14 days before they take effect.