Privacy Policy

Last updated: March 8, 2026

This Privacy Policy describes how CMTOC ("Company", "we", "us", "our"), operating the Sentinel platform, collects, uses, stores, and protects your personal information when you use our uptime monitoring platform and related services (the "Service").

1. Information We Collect

Account Information

When you create an account, we collect:

  • Name and email address
  • Password (stored as a bcrypt salted hash, never in plain text)
  • OAuth profile data if you sign in via GitHub or Google (name, email, avatar URL)
  • Two-factor authentication configuration (TOTP secrets, encrypted with AES-256-GCM)

Usage Data

We automatically collect:

  • Monitor configurations (URLs, check intervals, alert rules)
  • Check results (response times, status codes, SSL certificate data)
  • Incident records and status page configurations
  • IP address and browser user-agent for security, rate limiting, and abuse prevention
  • Timestamps of account activity (logins, API requests, configuration changes)

Billing Information

Payment processing is handled entirely by Stripe, Inc. We do not store, process, or have access to your full credit card numbers, CVV, or bank account details on our servers. We receive from Stripe only: card type, last four digits, expiration date, and billing address for display and invoice purposes. Stripe's privacy policy governs their handling of payment data.

Contact and Support

When you contact us through the contact form or email, we collect the name, email address, and message content you provide.

2. How We Use Your Information

We use your information to:

  • Provide, operate, maintain, and improve the Service
  • Execute uptime checks and deliver alerts and notifications
  • Process billing, manage subscriptions, and send invoices
  • Communicate with you about your account, service updates, and support requests
  • Detect, prevent, and address security issues, fraud, and abuse
  • Enforce our Terms of Service and Acceptable Use policy
  • Comply with legal obligations

We do not use your personal data for advertising, profiling, or behavioral targeting. We do not sell, rent, or trade your personal information.

3. AI-Powered Features

Sentinel uses AI to analyze incidents and generate root cause analyses. When AI features are used:

  • Check data, error logs, and incident context may be sent to third-party AI providers (such as OpenAI) for analysis.
  • We send only the minimum data necessary for analysis — no personal account information, passwords, or credentials are shared with AI providers.
  • AI-generated reports are stored within your account and are not shared with other users.
  • AI outputs are informational only and may be inaccurate. Do not rely on AI features for critical decision-making.
  • Self-hosted deployments using local AI models (e.g., Ollama) process data entirely on your own infrastructure.

4. Data Sharing

We do not sell your personal data. We may share information only in the following circumstances:

  • Service providers — Third-party services that help us operate the Service, including: Stripe (payments), Gmail/Google Workspace (transactional emails), Cloudflare (CDN, DNS, tunnel, bot protection), and AI providers (incident analysis). Each provider processes data only as necessary to perform their service.
  • Public status pages — If you create a public status page, the monitor names, status, uptime data, and incident information you configure as public will be visible to anyone with the status page URL. No personal account information is exposed on public status pages.
  • Legal requirements — When required by law, valid subpoena, court order, or governmental authority.
  • Safety and enforcement — To protect the rights, property, or safety of the Company, our users, or the public; to enforce our Terms of Service; or to prevent fraud or abuse.
  • Business transfers — In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets. We will notify you via email or prominent notice on the Service before your personal data is transferred and becomes subject to a different privacy policy.

5. Data Retention

  • Monitor check data is retained according to your subscription tier: Free (30 days), Pro (90 days), Business (1 year), Enterprise (2 years).
  • Account data is retained for the duration of your active account.
  • Upon account termination or deletion, we will delete your personal data within 30 days. Anonymized, aggregated data that cannot be used to identify you may be retained indefinitely.
  • Backup data may persist for up to 90 days after deletion for disaster recovery purposes.
  • We may retain data longer if required by law or to resolve disputes.
  • You may request data export or deletion at any time by contacting us (see Section 9).

6. Data Security

We implement security measures including:

  • Encryption in transit via TLS for all connections
  • AES-256-GCM encryption for sensitive data (TOTP secrets)
  • Secure password hashing with bcrypt (salted)
  • JWT authentication with short-lived tokens (4-hour expiry)
  • Account lockout protection after failed login attempts
  • Bot protection via Cloudflare Turnstile, honeypot fields, and rate limiting
  • SSRF protection blocking private IP ranges on monitored URLs
  • Non-root Docker container execution
  • Regular dependency updates and security audits

While we take reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

  • Investigate and take steps to contain and remediate the breach
  • Notify affected users via email within 72 hours of becoming aware of the breach, where feasible
  • Provide details about the nature of the breach, the data affected, and recommended protective steps
  • Notify relevant authorities as required by applicable law

8. Cookies and Local Storage

We use cookies and browser storage for:

  • Authentication — JWT tokens stored in localStorage for session management
  • Security — HttpOnly cookies for OAuth state validation and CSRF protection
  • Preferences — Theme and display preferences stored locally

We do not use third-party tracking cookies, analytics cookies, or advertising cookies. We do not use any third-party analytics services (no Google Analytics, no Mixpanel, etc.).

9. Your Rights

Regardless of your location, we provide all users with the following rights:

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request correction of inaccurate or incomplete data
  • Deletion — Request deletion of your personal data and account
  • Export — Request your data in a portable, machine-readable format
  • Objection — Object to specific data processing activities

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may request identity verification before processing your request.

California Residents (CCPA)

If you are a California resident, you have the right to: know what personal information we collect and how it is used; request deletion of your personal information; opt out of the sale of personal information (we do not sell personal information); and not be discriminated against for exercising your rights. To submit a request, email [email protected].

European Residents (GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, our legal basis for processing your personal data is: (a) performance of our contract with you (providing the Service); (b) our legitimate interests (security, fraud prevention, service improvement); and (c) your consent (where applicable). You have the additional right to lodge a complaint with your local data protection authority.

10. Children's Privacy

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal data, please contact us.

11. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to the transfer of your data to the United States. We process data in accordance with the privacy protections described in this Policy regardless of where the data originates.

12. Self-Hosted Deployments

Sentinel is available as a self-hosted solution. If you deploy Sentinel on your own infrastructure:

  • You are the data controller for all data processed by your self-hosted instance.
  • We have no access to, and bear no responsibility for, data stored on your self-hosted deployment.
  • You are solely responsible for the security, backup, and compliance of your self-hosted instance.
  • This Privacy Policy applies only to data processed by our hosted Service (cmtoc.io), not self-hosted instances.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 15 days before they take effect. The "Last updated" date at the top indicates when the policy was last revised. Your continued use of the Service after the updated policy takes effect constitutes acceptance of the changes.

14. Contact

If you have questions about this Privacy Policy, our data practices, or wish to exercise your data rights, please contact us at [email protected].

CMTOC · Texas, United States