Privacy Policy

• Controller: ARD Sentinel (operating in the European Union)
• Contact: privacy@ardsentinel.com
• Supervisory authority: Reviewers may lodge a complaint with the data protection authority of their EU Member State of residence — full list at edpb.europa.eu

Customer (B2B) data — name, email, billing details, Stripe Customer ID. Legal basis: Art.6(1)(b) — performance of contract. Retention: term + 7 years (statutory).

Reviewer data — public profile name, profile ID, review text, profile snapshot, forensic AI analysis signals. Legal basis: Art.6(1)(f) — legitimate interest in protecting customer from cyber-defamation. Retention: 90 days post-resolution; review text + evidence chain 7 years (DSA Art.5(2) accountability).

Dashboard user data — email, role, login logs. Legal basis: Art.6(1)(b) — performance of contract. Retention: duration of role + 12 months for security logs.

ARD Sentinel uses AI ("Sherlock V4") to classify reviews by fake-probability. Customer (controller) manually approves each classification before any takedown notice is generated.

Reviewers have the right to human review of any classification by emailing privacy@ardsentinel.com. We respond within 30 days per Art.12(3).

Full sub-processor list available at ardsentinel.com/sub-processors. Key processors:

• Google Cloud — Firestore + Storage (EU, Frankfurt)
• Anthropic — AI classification (US, EU-US DPF)
• Outscraper / Apify — review scraping (US, SCCs)
• Stripe — payments (US, EU-US DPF + SCCs)
• SendGrid — email (EU, Dublin)

For US-based processors we rely on EU-US Data Privacy Framework (where certified) + Standard Contractual Clauses (Module 2). Supplementary measures: TLS 1.3, AES-256 at rest, contractual obligation to challenge government access requests.

To exercise any right, email privacy@ardsentinel.com — response within 30 days.

• Access (Art.15) — JSON export of all your data
• Rectification (Art.16) — correction of inaccurate data
• Erasure (Art.17) — deletion subject to legal retention obligations
• Restriction (Art.18) — pause processing while disputed
• Portability (Art.20) — JSON export in machine-readable format
• Objection (Art.21) — to legitimate-interest processing
• Human review (Art.22) — of automated classification decisions

You have the right to lodge a complaint with the data protection supervisory authority of your EU Member State of residence. Full list of authorities at edpb.europa.eu.

• Customer billing: 10 years (statutory)
• Customer contract: term + 7 years
• Reviewer ID + signals: 90 days post-resolution
• Review text + evidence: 7 years (DSA Art.5(2))
• Notice PDFs: 7 years
• Audit log: 7 years
• Email logs: 90 days
• Security logs: 12 months

Automated cleanup via daily gdprHardDelete and dsaNoticesRetention cron jobs.

• Encryption at rest (AES-256) and in transit (TLS 1.3)
• Role-based access control + multi-factor authentication for admins
• Append-only audit log with 7-year retention
• Daily Firestore backup (EU region) + quarterly DR drills
• Annual security review

We use only essential cookies for authentication and security. No marketing or analytics cookies without explicit opt-in. See Cookie Policy for details.

Material changes are notified by email + dashboard banner 30 days in advance. The latest version is always at https://ardsentinel.com/privacy.

• Privacy inquiries: privacy@ardsentinel.com
• Data subject requests: privacy@ardsentinel.com
• Supervisory authority lookup: edpb.europa.eu (your EU Member State authority)