Privacy Policy
Last updated: May 2026
Data Controller
The data controller for this Service is Skyblue Soft, reachable at support@skyblue-soft.com. If you are located in the European Economic Area (EEA) or the United Kingdom, this policy describes your rights under the General Data Protection Regulation (GDPR) and the UK GDPR.
Default Behaviour — No Prompt Storage
By default, Sentinel Proxy never stores, logs, or persists your prompt content or LLM responses.
All content flowing through Sentinel is processed entirely in memory for real-time threat analysis and is discarded immediately after the request completes. There is no database table, log file, or queue that holds your prompts unless you explicitly opt into the Community Training Programme described below.
Community Training Programme (Optional)
You may optionally enable the Community Training toggle in your Settings under Privacy & Data. This is strictly opt-in and disabled by default.
When enabled, prompts that Sentinel flags or blocks are captured and stored in a secure review queue. An administrator reviews these entries and may approve them to improve Sentinel’s detection accuracy. Approved entries are converted into anonymised detection signatures; the raw prompt text is not retained after approval.
- What is stored — content of flagged or blocked prompts only (clean prompts are never stored)
- Purpose — improving Sentinel’s threat detection signatures
- Legal basis (GDPR) — your explicit consent (Article 6(1)(a) and Article 9 where applicable)
- Retention — pending entries are held until reviewed; rejected entries are purged monthly. Opting out immediately deletes all your pending entries.
- Withdrawal — toggle off Community Training in Settings at any time; pending queue entries for your account are deleted automatically upon opt-out
You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal (GDPR Article 7(3)).
What We Collect
We collect only what is necessary to operate the Service and provide your dashboard analytics:
- Account data — name, email address, and OAuth profile info (managed by Clerk). Legal basis: performance of a contract (GDPR Article 6(1)(b))
- Billing data — payment method and subscription status (managed by Stripe; we never see your full card number). Legal basis: performance of a contract
- Usage metadata — per-request action taken (clean/flagged/neutralized/blocked), threat score, and latency in milliseconds. Legal basis: legitimate interests in operating and improving the Service (GDPR Article 6(1)(f))
- API key metadata — key hint (last 8 characters), optional name label, creation date, and last-used timestamp. Legal basis: performance of a contract
What We Do NOT Store
The following data is never written to disk, logged, or persisted in any form (unless you have enabled Community Training, in which case flagged prompt content may be temporarily stored as described above):
- Prompt content or messages sent through the proxy (when Community Training is off)
- LLM responses returned to your application
- Request or response bodies of any kind
- IP addresses of end users making requests through your integration
Third-Party Processors
The Service relies on the following sub-processors, each with their own privacy policies:
- Clerk — authentication and identity management. Clerk Privacy Policy
- Stripe — payment processing and subscription billing. Stripe Privacy Policy
- Vercel — frontend hosting and edge delivery. Vercel Privacy Policy
- DigitalOcean — cloud infrastructure hosting the Sentinel backend (API, database, processing engine). DigitalOcean Privacy Policy
Cookies
Sentinel Proxy uses only essential cookies required for authentication (Clerk session cookies). We do not use analytics cookies, advertising trackers, or any third-party tracking scripts.
Data Retention
Account and billing data is retained while your account is active and for a reasonable period thereafter to comply with legal obligations. Usage metadata (request counts, threat scores, latency) is retained for dashboard reporting. Community Training queue entries are purged on opt-out, or monthly for rejected entries. If you delete your account, all associated data will be removed within 30 days.
Your Rights (GDPR)
If you are in the EEA or UK, you have the following rights under the GDPR and UK GDPR:
- Access — request a copy of the personal data we hold about you (Article 15)
- Rectification — request correction of inaccurate data (Article 16)
- Erasure — request deletion of your data (“right to be forgotten”) (Article 17)
- Restriction — request that we limit processing of your data in certain circumstances (Article 18)
- Portability — receive your data in a structured, machine-readable format (Article 20)
- Objection — object to processing based on legitimate interests (Article 21)
- Withdraw consent — withdraw consent for Community Training at any time without penalty (Article 7(3))
- Lodge a complaint — you may lodge a complaint with your local supervisory authority (e.g., the ICO in the UK)
To exercise any of these rights, contact us at support@skyblue-soft.com. We will respond within 30 days. Note that since we do not store prompt content by default, most erasure requests relate to account and billing data only.
Contact
Questions about this policy? Reach us at support@skyblue-soft.com. See also our Terms of Service.