Testing & Evaluation Phase Notice

Sentinel FinCrime is currently in a testing and evaluation phase. During this period, some features may be incomplete, subject to change, or not yet available to all users. We collect limited data as described in this policy to operate and improve the platform. By using the platform in its current state, you acknowledge its testing status.

Legal

Privacy Policy

Last updated: 2 June 2026

Privacy-first by design

Your transaction files are processed entirely within your browser and are never transmitted to or stored on our servers.

1. Who We Are

Sentinel FinCrime ("we", "us", "our") is an independent financial crime technology platform founded by Kiruthika Nithyanand. We provide browser-based transaction monitoring and compliance screening tools designed to support compliance teams, fintechs, law firms, accountants, and other regulated entities worldwide.

Our platform is accessible at sentinelfincrime.com. This Privacy Policy governs all personal information we collect when you use our website or platform. It has been prepared in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as the General Data Protection Regulation (GDPR) for users in the European Economic Area.

For any privacy-related questions or concerns, contact us at: support@sentinelfincrime.com

2. Our Testing Phase Status

Sentinel FinCrime is currently operating in a testing and evaluation phase. This means the platform is being actively developed and refined. During this phase:

  • Features may change or be withdrawn without notice
  • The platform may not be fully optimised for production compliance use
  • We encourage users to provide feedback via support@sentinelfincrime.com
  • Results generated by the platform should be independently verified before any reliance

This privacy policy applies in full regardless of testing status. Your personal information will be handled consistently with these principles throughout the testing period and beyond.

3. What Information We Collect

We collect limited categories of personal information to operate and improve the platform:

Account information: When you register, we collect your name, email address, company name (optional), and the country you are based in. This information is used to create and manage your account and to communicate with you about the service.

Usage statistics: We collect aggregate, anonymised data about how the platform is used — such as which features are accessed, how many scans are completed, and general usage patterns. This data does not identify you individually and is used solely to improve the product.

Payment tokens: If you subscribe to a paid plan, payment processing is handled entirely by Stripe, Inc. We receive only a tokenised reference — we never receive, see, or store your full card number, expiry date, or CVV. We store your Stripe customer ID, subscription status, and the last four digits of your card for billing reference purposes only.

Support communications: If you contact us via the contact form or by email, we retain the contents of those communications to respond to your enquiry and improve our service.

4. What We Do NOT Collect

We are committed to transparency about the limits of our data collection. In particular:

  • Transaction file contents: The CSV or Excel files you upload for AML screening are never transmitted to our servers. All processing occurs locally within your browser. We do not receive, store, or have any access to the contents of your transaction files.
  • Client PII from uploaded files: Any personal information belonging to your clients, customers, or counterparties that appears in your uploaded files is never seen by us. That data never leaves your device during the screening process.
  • Behavioural tracking data: We do not use advertising trackers, cross-site tracking cookies, Google Analytics, or similar services that profile your online behaviour.
  • Sensitive personal information: We do not intentionally collect sensitive information such as health data, biometric data, racial or ethnic origin, political opinions, or criminal record information.

5. How We Use Your Information

We use the personal information we collect only for legitimate purposes directly connected to operating and improving Sentinel FinCrime:

  • To create and maintain your account and verify your identity
  • To process subscription payments via Stripe
  • To send transactional emails (account confirmation, billing receipts, subscription notices)
  • To respond to support requests and user feedback
  • To improve and develop the platform using aggregated, anonymised usage data
  • To comply with applicable legal obligations

We do not use your personal information for third-party marketing, sell your data to any party, or use it for automated decision-making that produces legal or similarly significant effects on you.

6. Transaction Data & Client-Side Processing

Your transaction files never leave your device.

All AML screening — including rule execution, anomaly detection, sanctions screening, and report generation — occurs entirely within your browser using client-side JavaScript. When you load a CSV or Excel file into the platform:

  • The file is parsed in your browser's local memory
  • All detection rules run entirely on your device
  • Transaction records are never transmitted to our servers
  • Transaction records are never written to our database
  • No transaction content appears in our server-side logs

The only information we record server-side relates to aggregate scan statistics (for example: that a scan was completed, and how many transactions and alerts were produced) — never the individual transaction records or the identities contained within them.

If you choose to save specific alert or case records to your account for workflow purposes, that data is stored under your Supabase-backed account with row-level security enforced — meaning only your authenticated session can access it.

7. Payment Processing (Stripe)

All subscription payments are processed by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. When you enter payment details on the platform:

  • Card details are entered directly into a Stripe-hosted secure iframe — they are never handled by our servers
  • We never receive or store your full card number, expiry date, or security code
  • We store only your Stripe customer ID, subscription plan identifier, and billing status
  • Stripe processes payment data under their own Privacy Policy available at stripe.com/privacy

8. Data Security

We implement the following security measures to protect your personal information:

  • Encryption at rest: All data stored in Supabase (PostgreSQL) is encrypted using AES-256
  • Encryption in transit: All network connections use TLS 1.3
  • Row-Level Security: Database access is enforced at the row level — your data is only accessible by your authenticated session
  • Password security: Passwords are hashed using bcrypt before storage; we never store plaintext passwords
  • Infrastructure: Hosted on Vercel (global edge network) and Supabase (AWS-backed infrastructure in Sydney, Australia)
  • API key security: API keys are hashed with SHA-256 before storage — once issued, we cannot retrieve the original key value

Despite these precautions, no internet-connected system can guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

9. Cookies

We use only essential cookies required for the platform to function. We do not use advertising, tracking, analytics, or social media cookies of any kind.

The only cookies we use are:

  • Supabase authentication cookies (sb-access-token, sb-refresh-token): Set when you log in and required to maintain your session. They expire after one hour and refresh automatically while you are active. These cookies are strictly necessary — the platform cannot function without them.

We do not use Google Analytics, Meta Pixel, advertising networks, or any third-party tracking services. For full details, see our Cookie Policy.

10. Third-Party Services

We use the following third-party services to operate the platform. We share personal information only to the minimum extent necessary for each service:

Supabase (Supabase, Inc.)

Database, authentication, and storage. Data is processed in AWS ap-southeast-2 (Sydney, Australia). Privacy policy: supabase.com/privacy

Vercel (Vercel, Inc.)

Web hosting and global edge network. Privacy policy: vercel.com/legal/privacy-policy

Stripe (Stripe, Inc.)

Payment processing. PCI-DSS Level 1 certified. We share only the minimum data required to process payments. Privacy policy: stripe.com/privacy

Anthropic (Anthropic, PBC)

Powers optional AI-assisted features such as SAR narrative drafting and the investigation copilot. If you use these features, relevant data you choose to submit is transmitted to Anthropic. Privacy policy: anthropic.com/privacy

We do not sell, rent, or trade your personal information to any third party under any circumstances.

11. Data Retention & Deletion

We retain your personal information only for as long as necessary for the purposes outlined in this policy:

  • Account data: Retained for the duration of your active account
  • Scan statistics: Retained for up to 24 months after your last activity
  • Alerts and case records: Retained until you delete them or close your account
  • Billing records: Retained for 7 years as required under Australian tax law
  • Support communications: Retained for up to 2 years

When you delete your account, all associated personal data is permanently deleted within 30 days of the deletion request. During this 30-day window, your data remains available for export. After deletion is complete, it is irreversible. Billing records required by law are retained even after account closure.

12. Your Rights

Under the Australian Privacy Act 1988 and the GDPR, you have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your account and all associated personal data
  • Data portability: Request your personal data in a machine-readable format (JSON or CSV) via the account export feature in Settings
  • Objection: Object to the processing of your personal data in certain circumstances
  • Withdraw consent: Cancel your subscription and delete your account at any time via the Settings page

To exercise any of these rights, please contact us at support@sentinelfincrime.com. We will respond within 30 days. Australian users who are unsatisfied with our response may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. EEA users may contact their local Data Protection Authority.

13. Children's Privacy

Sentinel FinCrime is a professional compliance platform intended for use by businesses and their employees. It is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a minor has created an account or provided us with personal information, please contact us at support@sentinelfincrime.com and we will take prompt steps to remove that information.

14. Changes to This Policy

We may update this Privacy Policy as the platform evolves or as legal requirements change. When we make material changes, we will notify registered users by email at least 14 days before the changes take effect. The current version of this policy will always be available at sentinelfincrime.com/privacy. Continued use of the platform after the effective date of any changes constitutes your acceptance of the updated policy.

15. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal information, please reach out to us:

Sentinel FinCrime

support@sentinelfincrime.com

Australia

We aim to respond to all privacy-related enquiries within 30 days.