Seentrix

Privacy Policy

Last updated: 2026-05-11

1. Who we are

Seentrix Ltd (company number 17169165, registered in England and Wales at 167-169 Great Portland Street, London, England, W1W 5PF) is the data controller for personal data processed through Seentrix. You can reach our privacy team at support@seentrix.com.

2. Data we collect

  • Account data: name, email, role, avatar, password (hashed by Supabase Auth, never stored in plain text).
  • Organisation data: company legal name, registration number, address, signatory, product information — provided by you during onboarding and product creation.
  • Compliance artefacts: SBOMs, vulnerability reports, incident records, Declarations of Conformity, Academy completions.
  • Usage data: activity log entries (who did what, when) retained to meet CRA Article 13 evidence requirements.
  • Technical data: IP address, user agent, device type — used for security (rate-limiting, audit) and to improve the Service.

3. Legal bases for processing

  • Contract (GDPR Art. 6(1)(b)): to provide the Service you subscribed to.
  • Legal obligation (Art. 6(1)(c)): tax records, CRA-mandated retention of Declarations of Conformity and technical documentation (10 years).
  • Legitimate interest (Art. 6(1)(f)): product analytics, fraud prevention, security monitoring.
  • Consent (Art. 6(1)(a)): marketing newsletter — explicit opt-in, revocable any time.

4. Where your data lives

Your data never leaves the EU. Both the application database and the web application itself are hosted in EU datacentres.

  • Supabase (database, auth, file storage): region eu-west-2, London, United Kingdom. Stores all application data — organisations, products, SBOMs, vulnerabilities, incidents, generated PDFs.
  • Vercel (web hosting): region fra1, Frankfurt, Germany. Serves the Seentrix web application. Keeps request + IP logs for 30 days for anti-abuse and diagnostics.
  • Sentry (error tracking): region de.sentry.io (Germany). Receives masked error traces; session replays have all text + media blocked so CRA form data never leaves the browser.
  • Stripe (billing): global infrastructure under PCI-DSS compliance. Card numbers are tokenised by Stripe — we never see them.
  • Resend (transactional email): delivers password resets, invitations, and notifications.
  • Mistral AI (Seentrix AI): region Paris, France. Processes your Seentrix AI prompts and returns the assistant's replies. Mistral AI is a French-incorporated company and does not train on your data (zero-retention agreement) — your prompts stay on European infrastructure throughout.
  • Upstash (Seentrix AI rate-limit store): region Ireland. Stores only a per-user message counter used to enforce plan quotas. No message content is written here.

Each processor has signed a data-processing agreement. Details and transfer mechanisms are listed in our Data Processing Agreement.

5. International transfers

All data is stored in the EU. Where a sub-processor transfers data outside the EEA, we rely on the European Commission's Standard Contractual Clauses and conduct transfer-impact assessments.

6. Retention

  • Account + organisation data: for the life of your account + 90 days after deletion (backups).
  • Activity log: 10 years (CRA + audit).
  • Declarations of Conformity + technical documentation: 10 years after the last product unit was placed on the market (CRA requirement).
  • Backups: 30 days rolling.
  • Sentry error traces: 90 days.
  • Seentrix AI chat transcripts: retained in our EU database on a plan-tiered schedule — Free 7 days, Professional 90 days, Business 180 days, Enterprise 365 days. A scheduled daily job deletes conversations older than the tier's window. Users can also clear their own history at any time from the Copilot drawer. Mistral AI does not retain any of your prompt content under our zero-retention agreement.

7. Your rights (GDPR)

  • Access: request a copy of your data.
  • Rectification: correct inaccurate data.
  • Erasure: delete your account and associated data (subject to legal retention periods).
  • Portability: export your data in a machine-readable format.
  • Restriction / objection: pause or stop specific processing.
  • Withdraw consent: any time, with no impact on past processing.
  • Complain: to the UK Information Commissioner's Office (ico.org.uk) or to the data-protection authority in your EU country of residence (e.g. the BfDI in Germany, the CNIL in France).

Exercise any right by emailing support@seentrix.com. We respond within 30 days.

8. Security

Data is encrypted in transit (TLS 1.3) and at rest. Access is role-based with principle-of-least-privilege controls. Admin access to the production database is logged and periodically reviewed. We maintain an incident response process and will notify affected users of any personal-data breach within 72 hours, per Article 33 GDPR.

9. Cookies

See our Cookie Policy for the list of cookies we set and how to manage them.

10. Children

Seentrix is a B2B platform and is not intended for children under 16. We do not knowingly collect data from children.

11. Changes to this policy

We may update this Privacy Policy to reflect changes in the law, new features, or new sub-processors. Material changes will be notified to the email address on file at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision; minor edits (typos, clarifications) are made silently.

Seentrix Ltd · Company number 17169165 · Registered in England and Wales · 167-169 Great Portland Street, London W1W 5PF, United Kingdom