1. Introduction
Welcome to Sentinel ("we", "our", "us"). We are committed to protecting your privacy and ensuring
the security of your personal data. This Privacy Policy explains how we collect, use, and protect
your information when you use our browser extension for AI-powered phishing detection.
Sentinel is operated by Explore Nebula. As the data controller, we determine
the purposes and means of processing your personal data in compliance with the General Data
Protection Regulation (GDPR - EU Regulation 2016/679) and other applicable data protection laws.
Our Core Privacy Principle: Your email content is NEVER stored.
We process emails in memory only for real-time phishing analysis, and all content is
immediately discarded after the scan is complete.
2. What Data We Collect
2.1 Account Information (Optional)
When you create an account, we collect:
- Email address: Used for authentication and account communications
- Password: Securely hashed, never stored in plain text
- GDPR consent timestamp: Record of your consent to data processing
2.2 Anonymous Usage (For Non-Registered Users)
If you use Sentinel without an account, we collect:
- Browser fingerprint: A unique identifier generated from your browser configuration (canvas, screen size, timezone, etc.) used solely to track your monthly scan limit
- Scan count: Number of scans performed in the current month
This fingerprint does not identify you personally and is used only to enforce the anonymous limit of 3 one-time scans. Registered users receive 10 scans per month.
2.3 Email Content (Temporary Processing with PII Masking)
When you scan an email, we temporarily process:
- Sender address (From field)
- Email subject line
- Email body content (truncated to 2000 characters)
- Links contained in the email (up to 10 links)
Enhanced Privacy Protection: Before sending data to AI for analysis,
we automatically mask all personally identifiable information (PII):
- Email addresses → Replaced with [EMAIL_MASKED]
- Names in signatures → Replaced with [NAME_MASKED]
- Phone numbers → Replaced with [PHONE_MASKED]
- Email signatures → Automatically removed
Important: After PII masking, data is processed in memory only and is
immediately discarded after the AI analysis is complete. We do NOT:
- Store email content in any database
- Log email content in server logs
- Use email content for any purpose other than phishing detection
- Send unmasked personal data to AI services
2.4 Subscription Data
When you subscribe to Premium, we store:
- Subscription status and plan type
- Stripe customer and subscription IDs
- Current billing period dates
- Monthly scan usage
We do NOT store your payment card details. All payments are processed securely by Stripe.
3. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| User authentication | Email, password | Contract performance |
| Phishing detection | Email content (temporary) | Explicit consent |
| Scan limit enforcement | Browser fingerprint, scan count | Legitimate interest |
| Subscription management | User ID, subscription data | Contract performance |
| Payment processing | Transaction data | Contract performance |
4. Data Processors (Sub-processors)
We use the following third-party services to provide our service:
4.1 Microsoft Azure OpenAI (AI Analysis - EU Region)
- Purpose: AI-powered phishing detection analysis (classification only)
- Data shared: Masked email content (all PII removed before transmission)
- Region: European Union (Sweden Central or France Central data centers)
- Data Processing Addendum: Microsoft DPA compliant with GDPR, Standard Contractual Clauses (SCCs)
- EU Data Boundary: Customer data processed in EU stays in EU (Microsoft EU Data Boundary commitment)
- Retention: Azure OpenAI does NOT store prompts or responses after processing
- Training: Customer data is NOT used to train or improve models
- Compliance: ISO 27001, SOC 2, GDPR certified
- Privacy Policy: Microsoft Azure OpenAI Privacy
GDPR-Compliant AI Processing:
- PII Masking: All personal data is masked BEFORE being sent to AI
- EU Processing: Data is processed exclusively in European Union data centers
- No Storage: Azure OpenAI does not store your data after analysis
- Classification Only: AI is used solely for phishing classification, not profiling or other purposes
- Transfer Impact Assessment (TIA): We have conducted a full TIA documenting GDPR compliance
4.2 Supabase (Authentication & Database)
- Purpose: User authentication and profile storage
- Data shared: Email, hashed password, account metadata
- Location: EU data centers available
- Compliance: SOC 2 Type II, GDPR compliant
- Privacy Policy: supabase.com/privacy
4.3 Stripe (Payment Processing)
- Purpose: Secure subscription and payment processing
- Data shared: Payment information (handled directly by Stripe)
- Compliance: PCI DSS Level 1, GDPR compliant
- Privacy Policy: stripe.com/privacy
5. Data Minimization & Privacy by Design
We follow the principle of data minimization as required by GDPR Article 5(1)(c) and
Privacy by Design (Article 25):
5.1 Pre-Processing (Before AI Analysis)
- PII Masking: Email addresses, names, phone numbers automatically masked
- Signature Removal: Email signatures are removed before analysis
- Content Truncation: Email body limited to 2,000 characters maximum
- Link Limitation: Only up to 10 links analyzed per email
- Relevant Headers Only: Only essential headers (From, Subject) are extracted
5.2 Additional Protections
- No attachments are processed or stored
- Email content is never persisted to any database
- Analysis results contain no identifying information from the original email
- All processing happens in memory only
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Email content | 0 seconds - Immediately discarded after analysis |
| Account information | Until account deletion or 3 years of inactivity |
| Browser fingerprint | Reset monthly, deleted after 6 months of inactivity |
| Subscription records | Duration of subscription + 7 years (legal requirement) |
| GDPR consent records | Duration of account + 3 years |
7. Your Rights Under GDPR
As a data subject, you have the following rights:
7.1 Right of Access (Article 15)
You can request a copy of all personal data we hold about you.
7.2 Right to Rectification (Article 16)
You can request correction of inaccurate personal data.
7.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your account and all associated data. This can be done directly
through the extension or by contacting us.
7.4 Right to Data Portability (Article 20)
You can request your data in a machine-readable format.
7.5 Right to Object (Article 21)
You can object to processing based on legitimate interest.
7.6 Right to Withdraw Consent (Article 7)
You can withdraw your consent at any time. This does not affect the lawfulness of processing
based on consent before withdrawal.
To exercise any of these rights: Contact us at
info@explorenebula.com. We will respond within
30 days as required by GDPR.
8. International Data Transfers
EU Data Processing: We use Microsoft Azure OpenAI with data centers located
in the European Union (Sweden Central or France Central). This ensures that
your email data (already masked) is processed within the EU and benefits from GDPR protections.
8.1 Safeguards for International Transfers
For any data that may be transferred outside the EEA (such as account data to US-based services),
we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements (DPAs) with all sub-processors
- Microsoft EU Data Boundary: Commitment that EU customer data stays in EU
- Transfer Impact Assessment (TIA): We have assessed and documented transfer risks
- Selection of providers with adequate security certifications (ISO 27001, SOC 2)
8.2 Schrems II Compliance
Following the Schrems II ruling (CJEU Case C-311/18), we have:
- Chosen EU-based data centers for sensitive data processing (email analysis)
- Implemented PII masking to minimize transfer risks
- Documented safeguards in our Transfer Impact Assessment
- Ensured Microsoft's legal challenges to unlawful government data requests
9. Security Measures
We implement appropriate technical and organizational measures to protect your data:
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest
- Authentication: Secure JWT-based authentication with token refresh
- Access Control: Strict access controls and authentication requirements
- No Logging: Email content is never written to logs
- Secure Payments: PCI DSS compliant payment processing through Stripe
10. Refund Policy (Digital Services)
Sentinel provides digital content and services that are delivered immediately upon subscription.
In accordance with EU Consumer Rights Directive 2011/83/EU and Italian Legislative Decree 206/2005
(Consumer Code), the following refund policy applies:
10.1 No Refunds for Digital Services
By subscribing to Sentinel Premium, you explicitly agree to the following:
- The service begins immediately upon successful payment
- You receive instant access to all premium features
- You waive your 14-day right of withdrawal as provided by EU Directive 2011/83/EU Article 16(m)
- You acknowledge that no refunds will be issued once you have accessed the service
10.2 Legal Basis (EU & Italian Law)
Under Article 16(m) of the EU Consumer Rights Directive 2011/83/EU and
Article 59, paragraph 1, letter o) of the Italian Consumer Code (Legislative Decree 206/2005),
the right of withdrawal does NOT apply to:
"The supply of digital content which is not supplied on a tangible medium if the performance has begun
with the consumer's prior express consent and his acknowledgment that he thereby loses his right of withdrawal."
By completing your subscription purchase, you provide this explicit consent and acknowledgment.
10.3 Cancellation Policy
While we do not offer refunds, you may cancel your subscription at any time:
- Access remains active until the end of the current billing period
- No further charges will be applied after cancellation
- You can cancel through Settings → Cancel Subscription, or via Stripe Customer Portal
- Partial month refunds are not available
10.4 Service Issues
If you experience technical issues preventing service use:
- Contact us immediately at info@explorenebula.com
- We will work to resolve technical issues within 48 hours
- Service credits may be provided at our discretion for extended outages
- Refunds remain unavailable except where required by law
10.5 Exceptions
Refunds may be issued only in the following cases:
- Unauthorized charges: If your payment was made without your authorization
- Duplicate charges: If you were accidentally charged multiple times
- Technical errors: If you were charged but never received access to the service
- Legal requirement: Where a refund is mandated by applicable law
Claims must be submitted within 30 days of the charge with supporting documentation.
10.6 Free Trial Policy
We encourage users to:
- Use the Free tier (10 scans/month) to evaluate the service
- Test the service functionality before subscribing to Premium
- Review all features and limitations before purchase
Important: By clicking "Subscribe" or "Unlock Premium", you confirm that:
- You have read and understood this Refund Policy
- You agree to immediate access to the digital service
- You waive your 14-day right of withdrawal
- You accept that no refunds will be provided
11. Children's Privacy
Sentinel is not intended for use by individuals under the age of 16. We do not knowingly
collect personal data from children. If you believe a child has provided us with personal data,
please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new policy on this page
- Updating the "Last updated" date
- Sending an email notification for significant changes
13. Supervisory Authority
If you believe we have not handled your personal data properly, you have the right to lodge a
complaint with your local data protection supervisory authority. For users in Italy, this is the
Garante per la protezione dei dati personali (garanteprivacy.it).
14. Dispute Resolution
For users in the European Union and Italy:
- Disputes may be submitted to the Online Dispute Resolution (ODR) platform at
ec.europa.eu/consumers/odr
- Italian consumers may also contact their local Consumer Protection Association (Associazione Consumatori)
- Any disputes shall be governed by Italian law and the jurisdiction of Italian courts