Privacy Policy
Last updated: 2026-02-10
1. Introduction
This Privacy Policy explains how Denis Sota, operating as SentriKat ("we", "us", or "the Data Controller"), collects, uses, stores, and protects personal data in connection with the SentriKat website (sentrikat.com), the SentriKat customer portal, and the SentriKat software product.
This policy is designed to comply with the Swiss Federal Act on Data Protection (nDSG / FADP). Where we process personal data of individuals located in the European Economic Area (EEA), the EU General Data Protection Regulation (GDPR) also applies pursuant to its extraterritorial scope (Art. 3(2) GDPR).
2. Data Controller
The data controller responsible for processing your personal data is:
Denis Sota
Via Lucomagno 97, 6715 Dongio, Switzerland
Email: [email protected]
3. What Personal Data We Collect and Why
We collect only the personal data that is necessary for the purposes described below.
| Data | Source | Purpose | Legal Basis |
|---|---|---|---|
| Name, email, company name | Customer at purchase | Contract fulfillment, license delivery | Contract performance (nDSG Art. 6(3); GDPR Art. 6(1)(b)) |
| Payment data (card details, billing address) | Stripe checkout | Payment processing | Contract performance (nDSG Art. 6(3); GDPR Art. 6(1)(b)) |
| License key, software version, agent/asset count | SentriKat installation (heartbeat) | License validation | Contract performance (nDSG Art. 6(3); GDPR Art. 6(1)(b)) |
| IP address, HTTP user-agent | Automatic on connection (server logs) | Security, abuse prevention, rate limiting | Overriding legitimate interest (nDSG Art. 6(3); GDPR Art. 6(1)(f)) |
| Hostname, operating system info | SentriKat installation (at activation) | License binding, support diagnostics | Contract performance (nDSG Art. 6(3); GDPR Art. 6(1)(b)) |
| CPE mapping contributions (vendor/product patterns, pseudonymized installation ID) | PRO installations (KB Sync, opt-in) | Community knowledge base for improved vulnerability matching | Overriding legitimate interest (nDSG Art. 6(3); GDPR Art. 6(1)(f)) |
| Email address (newsletter) | Voluntary signup | Marketing communications | Consent (nDSG Art. 6(6); GDPR Art. 6(1)(a)) |
4. What We Do NOT Collect
SentriKat is 100% on-premises software. All customer operational data remains entirely within the customer's own infrastructure. Specifically:
- We do NOT collect or process any data from the customer's SentriKat installation beyond the data listed in Section 3 above (license heartbeat, activation metadata, and optional KB contributions).
- We do NOT have access to vulnerability data, user accounts, LDAP/SSO data, agent data, configuration, or any other data stored in the customer's SentriKat instance.
- Customer operational data (vulnerability scans, software inventories, alerts) never leaves the customer's infrastructure.
License heartbeat: The SentriKat instance sends a periodic heartbeat (approximately every 24 hours) to our license server (license.sentrikat.com) containing: the license key, installation ID, the SentriKat version installed, and the number of active agents/assets. The server IP address, hostname, and HTTP user-agent are recorded in connection logs. No personal data of end-users is transmitted.
KB Sync (PRO only): PRO installations may push locally discovered CPE vendor/product mapping patterns to the central knowledge base. These contributions contain only standardized software identifiers (e.g., "apache" → "http_server"), the pseudonymized installation ID, and a confidence score. No vulnerability data, scan results, or customer infrastructure details are included. Contributions are published to other users only after 3 or more independent installations confirm the same mapping.
5. Third-Party Data Processors
We use the following third-party service providers to process personal data on our behalf:
| Processor | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Stripe, Inc. (US) | Payment processing | Billing data (name, email, payment method, billing address) | stripe.com/privacy |
| Cloudflare, Inc. (US) | Spam / bot protection (Turnstile) | IP address, browser fingerprint (on pages with forms only) | cloudflare.com/privacy |
| Google LLC (US) | Web font delivery (Google Fonts) | IP address (font file requests) | policies.google.com/privacy |
| Hetzner Online GmbH (DE) | License server hosting | Heartbeat data, IP address | hetzner.com/privacy |
6. International Data Transfers
SentriKat is operated from Switzerland. The European Commission has recognized Switzerland as providing an adequate level of data protection (adequacy decision pursuant to Art. 45 GDPR). Data transfers between Switzerland and the EEA do not require additional safeguards.
- Stripe: Stripe, Inc. is based in the United States and is certified under the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework, providing an adequate level of data protection.
- Cloudflare: Cloudflare, Inc. is based in the United States and is certified under the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework.
- Google Fonts: Google LLC is based in the United States and is certified under the EU-US Data Privacy Framework. Font files are requested from Google servers when you load our pages; your IP address is transmitted in the process.
- Hetzner: All data processed by Hetzner is stored in German data centers within the European Union. No transfer outside the EEA/Switzerland occurs.
7. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
- Customer and billing data: Retained for the duration of the license relationship plus 10 years, as required by Swiss statutory retention obligations for invoices and commercial records (OR Art. 958f).
- License heartbeat and activation logs: 90 days rolling retention, then automatically deleted.
- Server access logs (IP addresses, user-agents): 30 days rolling retention, then automatically deleted.
- Activation metadata (hostname, OS info): Retained for the duration of the license activation. Deleted when the activation is removed or the license expires.
- KB mapping contributions: Retained indefinitely as part of the community knowledge base. Contributions are pseudonymized (installation ID only, not linked to personal identity).
- Newsletter subscription data: Retained until you unsubscribe or withdraw consent.
8. Your Rights
8.1 Under Swiss nDSG
Under the Swiss Federal Act on Data Protection (nDSG), you have the following rights:
- Right of access (Art. 25 nDSG) — obtain information about whether and how we process your data
- Right to data portability (Art. 28 nDSG) — receive your data in a commonly used electronic format
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your data where processing is no longer justified
- Right to object — object to processing in certain circumstances
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
8.2 Under EU GDPR
If you are located in the European Economic Area, the GDPR grants you additional rights (Art. 15–22), including the right to restriction of processing (Art. 18 GDPR) and the right to lodge a complaint with your local supervisory authority.
8.3 How to Exercise Your Rights
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days of receiving your request.
8.4 Right to Lodge a Complaint
You have the right to lodge a complaint with the competent supervisory authority. For Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC / EDÖB). If you are located in the EEA, you may also lodge a complaint with your local data protection authority.
9. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- TLS encryption for all connections to sentrikat.com and license.sentrikat.com
- Encryption at rest for data stored on the license server
- Access control — access to personal data is limited to the Data Controller only
- Secure payment processing — payment data is handled entirely by Stripe and never stored on our servers
11. Children's Privacy
Our services are intended for business use and are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately at [email protected] and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will post the revised policy on this page and update the "Last updated" date. For material changes, we will notify affected customers by email. We encourage you to review this page periodically.
13. Contact
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
Denis Sota
Via Lucomagno 97, 6715 Dongio, Switzerland
Email: [email protected]