Privacy Policy — Sentinel Labs, Inc.

01

Introduction

This Privacy Policy describes how Sentinel Labs, Inc. ("Sentinel," "we," "us," or "our") collects, uses, discloses, and protects information about you when you access or use our wallet security analysis platform and related services (the "Service").

We are committed to handling your information responsibly and transparently. This Policy is designed to comply with applicable data protection laws, including the General Data Protection Regulation (GDPR) of the European Union, the California Consumer Privacy Act (CCPA), and other applicable state and national privacy laws.

Please read this Policy carefully. By using the Service, you acknowledge that you have read and understood this Policy. If you disagree with any part of this Policy, please do not use the Service.

02

Data Controller

The data controller responsible for your personal data is:

Sentinel Labs, Inc.
548 Market Street, Suite 14512
San Francisco, CA 94104, USA
Delaware File Number: 7842901

For data protection inquiries, including exercise of GDPR rights or appointment of a Data Protection Officer (DPO) contact, please contact our privacy team at [email protected].

03

Information We Collect

Information you provide directly

Email address (if you register for an account or subscribe to notifications)
Feedback messages submitted through the Service
Support ticket content and communication history
Any other information you choose to provide when contacting us

Information collected automatically

IP address and approximate geographic location (country/region level)
Browser type, version, and language
Device type and operating system
Referring URL and pages visited within the Service
Date and time of access
Usage analytics (features used, scan frequency, session duration)

On-chain data you submit for scanning

Wallet addresses you submit for security analysis
Publicly available blockchain data associated with submitted addresses (approval history, transaction patterns, token balances)

Important: what we do with wallet addresses

Wallet addresses are public on-chain identifiers. Scan results derived from submitted addresses are cached for up to 30 days for performance purposes, then automatically purged. We do not build persistent profiles linking wallet addresses to individual identities. We do not cross-reference wallet addresses with account email addresses unless you explicitly provide both in a connected context.

What we never collect

NEVER Private keys or secret recovery phrases (seed phrases)

NEVER Transaction signatures or signing authorizations

NEVER Custody or control of any digital assets

NEVER Biometric data of any kind

NEVER Government identification documents

04

How We Use Your Information

We use the information we collect for the following purposes:

Service delivery: To perform wallet security scans, display results, and enable approval revocation workflows.
Account management: To create and maintain your account, verify identity, and manage preferences.
Security and abuse prevention: To detect, investigate, and prevent fraudulent or abusive use of the Service, including rate limiting, IP reputation checks, and anomaly detection on usage patterns.
Product improvement: To analyze aggregated, anonymized usage data to understand how the Service is used and improve features, performance, and reliability.
Communications: To send transactional emails (account confirmation, password reset, security alerts) and, where you have opted in, product update notifications.
Legal compliance: To comply with applicable laws, respond to lawful requests from authorities, and enforce our Terms of Use.
Support: To respond to your inquiries and resolve technical issues.

05

Legal Bases (GDPR)

For users in the European Economic Area (EEA), the United Kingdom, and Switzerland, we rely on the following legal bases under GDPR Article 6:

Processing purpose	Legal basis
Providing the core scan and security analysis	Performance of a contract (Art. 6(1)(b)) — necessary to deliver the Service you requested
Account management	Performance of a contract (Art. 6(1)(b))
Security and abuse prevention	Legitimate interests (Art. 6(1)(f)) — we have a legitimate interest in protecting our platform and users
Product improvement via analytics	Legitimate interests (Art. 6(1)(f)) — improving the Service benefits all users; analytics are aggregated and anonymized
Marketing communications	Consent (Art. 6(1)(a)) — we send marketing only where you have opted in; you may withdraw consent at any time
Legal compliance and responding to authority requests	Legal obligation (Art. 6(1)(c))
Support communications	Legitimate interests (Art. 6(1)(f)) / contract performance (Art. 6(1)(b))

06

Cookies and Similar Technologies

We use cookies and similar tracking technologies to operate the Service. The following categories apply:

Strictly Necessary

These cookies are required for the Service to function and cannot be disabled.

Cookie	Purpose	Duration
sentinel_session	Session authentication and CSRF protection	Session
sentinel_lang	Stores your language preference	1 year

Analytics (Optional)

These cookies help us understand how the Service is used. You may opt out of analytics cookies via your browser settings or by contacting us.

Cookie	Purpose	Duration
_ga	Google Analytics — distinguishes users (anonymized, IP anonymization enabled)	2 years
_ga_*	Google Analytics — session state	2 years
sentinel_anon_id	First-party anonymous session identifier for usage analytics	90 days

You have the right to refuse non-essential cookies. Most browsers allow you to refuse or delete cookies through their settings. Refusing analytics cookies will not affect your ability to use the core features of the Service.

07

Sharing Your Information

We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We may share your information in the following limited circumstances:

Service providers: We engage third-party companies to assist in providing the Service, including cloud infrastructure (Amazon Web Services, Google Cloud Platform), email delivery, analytics, and threat intelligence database providers. These providers are contractually bound to process your data only as instructed by us and in accordance with applicable data protection law.
Legal compliance: We may disclose your information if required to do so by applicable law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.
Business transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or other sale of all or substantially all of Sentinel's assets, your information may be transferred to the acquiring entity. We will notify you of such a transfer and any material changes to this Policy that may result.
With your consent: We may share your information for any other purpose with your explicit, informed consent.

08

International Data Transfers

Sentinel is based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country of residence.

For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, we rely on applicable transfer mechanisms, including Standard Contractual Clauses (SCCs) as approved by the European Commission, and where applicable, the EU-U.S. Data Privacy Framework (DPF) and the UK Extension thereto. A copy of the relevant safeguards is available on request by contacting [email protected].

By using the Service from outside the United States, you acknowledge and understand that your information will be processed in the United States. We take reasonable steps to ensure that any transfer is subject to appropriate safeguards consistent with applicable data protection law.

09

Data Retention

Data type	Retention period
Wallet scan results (cached)	30 days from scan, then automatically purged
Account data (email, preferences)	Duration of active account, plus 12 months after deletion request or account closure
Support tickets and correspondence	24 months from resolution
Analytics data	Up to 26 months (anonymized aggregates may be retained indefinitely)
Server access logs	90 days
Legal and compliance records	As required by applicable law (typically 7 years for financial records)

When retention periods expire, data is securely deleted or irreversibly anonymized. You may request earlier deletion of your personal data, subject to our legal obligations to retain certain records.

10

Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

Rights under GDPR (EEA / UK / Switzerland)

Access: You may request a copy of the personal data we hold about you.
Rectification: You may request correction of inaccurate or incomplete personal data.
Erasure ("Right to be Forgotten"): You may request deletion of your personal data, subject to legal retention obligations.
Restriction: You may request that we restrict processing of your personal data in certain circumstances.
Data portability: Where processing is based on consent or contract, you may request your data in a structured, machine-readable format.
Object: You may object to processing based on legitimate interests. You may also object at any time to processing for direct marketing purposes.
Withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
Lodge a complaint: You have the right to lodge a complaint with your national supervisory authority. For EU residents, a list of supervisory authorities is available at edpb.europa.eu. For UK residents, the relevant authority is the Information Commissioner's Office (ICO).

To exercise any of these rights, please submit your request to [email protected]. We will respond within 30 days. We may require identity verification before processing requests.

11

Security

Sentinel implements technical and organizational measures designed to protect your personal data against unauthorized access, disclosure, alteration, or destruction, including:

Encryption of data in transit using TLS 1.3
Encryption of data at rest using AES-256
Role-based access controls limiting data access to personnel with a need-to-know
Regular penetration testing and vulnerability assessments
Security incident response procedures
Employee security training and access review processes

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities as required by applicable law.

To report a security vulnerability, please contact [email protected]. Responsible disclosure is appreciated and will be handled in confidence.

12

Children's Privacy

The Service is not directed to or intended for children under the age of 18. Sentinel does not knowingly collect personal data from children under 18. If you are under 18, you may not use the Service.

If we become aware that we have inadvertently collected personal data from a child under 18, we will take prompt steps to delete such information from our records. If you believe we may have collected data from a child under 18, please contact us immediately at [email protected].

13

California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.

Categories of personal information collected

In the past 12 months, we have collected the following categories of personal information: identifiers (email address, IP address); internet or other network activity (usage data, device information); geolocation data (approximate); and inferences drawn from usage patterns to assess Service quality.

Purposes for collection

Personal information is collected for the business purposes described in Section 4 above.

Sale or sharing of personal information

We do not sell your personal information, as that term is defined under the CCPA. We do not share your personal information with third parties for cross-context behavioral advertising.

Your California rights

Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, and the categories of sources, business purposes, and third parties involved.
Right to delete: You may request deletion of personal information we have collected, subject to certain exceptions.
Right to correct: You may request correction of inaccurate personal information.
Right to opt out of sale/sharing: As noted, we do not sell or share personal information for advertising purposes; however, you may still submit an opt-out request to [email protected].
Right of non-discrimination: We will not discriminate against you for exercising your CCPA rights.
Authorized agent: You may designate an authorized agent to submit requests on your behalf. We will require verification of the agent's authorization before processing such requests.

To submit a California privacy request, contact us at [email protected] with the subject line "California Privacy Request." We will verify your identity before processing your request.

14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will update the "Last updated" date at the top of this Policy and, where required by applicable law or where we determine it is appropriate, notify you by email (at the address associated with your account) or through a prominent notice within the Service.

We encourage you to review this Policy periodically. Your continued use of the Service following the posting of a revised Policy constitutes your acceptance of the changes, to the extent permitted by applicable law.

15

Contact

For questions about this Privacy Policy, to exercise your rights, or to raise a privacy concern, please contact:

Sentinel Labs, Inc. — Privacy Team
548 Market Street, Suite 14512
San Francisco, CA 94104, USA
Email: [email protected]

For GDPR-related inquiries from the EEA or UK, you may alternatively contact our Data Protection representative at the same email address. We aim to acknowledge all privacy requests within 72 hours and provide a substantive response within 30 days.