Privacy Policy
Last updated: 12 May 2026
1. Who We Are
ReferenceSentinel is a product of SentinelHQ Limited (company registration number 17242389, registered in England and Wales), based in North East England. We operate the reference checking platform at referencesentinel.co.uk ("the Platform").
For the purposes of UK GDPR, SentinelHQ Limited is the data controller for data relating to registered organisation users. For candidate and referee data submitted by your organisation, we act as your data processor — your organisation is the data controller for that data.
For data protection enquiries, contact us at hello@sentinelhq.co.uk.
2. Data We Collect
Organisation users
- Name and email address (used for account authentication)
- Organisation name and contact details
- Billing and transaction records
- Usage activity (logins, actions taken within the platform)
Candidates
- Full name and email address
- Job title and role applied for
- Nominated referee contact details provided by the candidate
Referees
- Full name and email address
- Job title, employer, and relationship to the candidate
- Employment dates (month and year)
- Reference responses submitted via the platform
- Submission timestamp and IP address (for audit purposes)
Automatically collected
- Browser type and operating system (from user-agent headers)
- IP address (logged on referee form submission for fraud detection)
- Session and authentication tokens (managed via Supabase Auth)
3. Why We Collect It
We process personal data for the following purposes and on the following lawful bases:
Providing the reference checking service
Lawful basis: Contract (organisation users); Legitimate interests (candidates and referees — employment vetting is an established practice with a recognised legitimate purpose).
Fraud detection and platform integrity
Lawful basis: Legitimate interests. We use stylometric analysis on reference responses to detect AI-generated or fraudulent submissions.
Billing and financial records
Lawful basis: Legal obligation. Transaction records are retained for seven years.
Service communications (transactional emails)
Lawful basis: Contract / Legitimate interests. We send emails to candidates and referees only in connection with active reference requests.
4. How Long We Keep It
| Data type | Retention period |
|---|---|
| Candidate and referee records | 3 years from submission |
| Reference responses | 3 years from submission |
| Organisation user accounts | Duration of account + 1 year after closure |
| Billing and transaction records | 7 years (legal requirement) |
| Audit logs | 3 years |
You may request early deletion of candidate or referee records at any time. See Section 6 for how to exercise your rights.
5. Data Processors We Use
We share data with the following sub-processors to operate the platform:
Supabase
Database, authentication, and file storage
Data stored in eu-west-1 (Ireland) — within the UK GDPR adequacy zone.
Resend
Transactional email delivery (reference invitations, reminders)
Emails contain candidate name, referee name, and a unique reference link only.
Anthropic
AI-powered stylometric analysis for fraud detection on submitted references
Reference response text is sent to Anthropic's API for analysis. Anthropic's zero-data-retention API policy applies — data is not used for model training.
Stripe
Payment processing for credit purchases
Card data is handled entirely by Stripe and never touches our servers.
Vercel
Platform hosting and content delivery
Hosting infrastructure; standard server logs may include IP addresses.
For US-based processors, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism under UK GDPR Article 46.
6. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
Right of access
Request a copy of the personal data we hold about you.
Right to erasure ("right to be forgotten")
Request deletion of your personal data, subject to our legal retention obligations.
Right to rectification
Request correction of inaccurate data we hold about you.
Right to data portability
Request your data in a structured, machine-readable format (where technically feasible).
Right to restrict processing
Request that we limit how we use your data in certain circumstances.
Right to object
Object to processing based on legitimate interests.
To exercise any of these rights, email hello@sentinelhq.co.uk with your request. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Cookies
We use only functional cookies necessary for authentication and session management. We do not use advertising or tracking cookies. No third-party analytics scripts are loaded on the platform.
8. Security
All data is transmitted over TLS (HTTPS). Data at rest is encrypted by our infrastructure provider (Supabase, hosted on AWS eu-west-1). Access to personal data is restricted to authenticated organisation users and our internal team on a need-to-know basis. Row-level security policies enforce tenant isolation at the database level.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice within the platform. The "Last updated" date at the top of this page reflects the most recent revision.
10. Contact
For any data protection or privacy queries, contact us at hello@sentinelhq.co.uk.
