Privacy Policy

Last updated: 12 May 2026

1. Who We Are

ReferenceSentinel is a product of SentinelHQ Limited (company registration number 17242389, registered in England and Wales), North East England. We operate the reference checking platform at referencesentinel.co.uk ("the Platform").

For the purposes of UK GDPR, SentinelHQ Limited is the data controller for data relating to registered organisation users. For candidate and referee data submitted by your organisation, we act as your data processor — your organisation is the data controller for that data.

For data protection enquiries, contact us at hello@sentinelhq.co.uk.

2. Data We Collect

Organisation users

  • Name and email address (used for account authentication)
  • Organisation name and contact details
  • Billing and transaction records
  • Usage activity (logins, actions taken within the platform)

Candidates

  • Full name and email address
  • Job title and role applied for
  • Nominated referee contact details provided by the candidate

Referees

  • Full name and email address
  • Job title, employer, and relationship to the candidate
  • Employment dates (month and year)
  • Reference responses submitted via the platform
  • Submission timestamp and IP address (for audit purposes)

Automatically collected

  • Browser type and operating system (from user-agent headers)
  • IP address (logged on referee form submission for fraud detection)
  • Session and authentication tokens (managed via Supabase Auth)

3. Why We Collect It

We process personal data for the following purposes and on the following lawful bases:

Providing the reference checking service

Lawful basis: Contract (organisation users); Legitimate interests (candidates and referees — employment vetting is an established practice with a recognised legitimate purpose).

Fraud detection and platform integrity

Lawful basis: Legitimate interests. We use stylometric analysis on reference responses to detect AI-generated or fraudulent submissions.

Billing and financial records

Lawful basis: Legal obligation. Transaction records are retained for seven years.

Service communications (transactional emails)

Lawful basis: Contract / Legitimate interests. We send emails to candidates and referees only in connection with active reference requests.

4. How Long We Keep It

Data type | Retention period
Candidate and referee records | 3 years from submission
Reference responses | 3 years from submission
Organisation user accounts | Duration of account + 1 year after closure
Billing and transaction records | 7 years (legal requirement)
Audit logs | 3 years

You may request early deletion of candidate or referee records at any time. See Section 6 for how to exercise your rights.

5. Data Processors We Use

We share data with the following sub-processors to operate the platform:

Supabase (EU)

Database, authentication, and file storage

Data stored in eu-west-1 (Ireland) — within the UK GDPR adequacy zone.

Resend (US)

Transactional email delivery (reference invitations, reminders)

Emails contain candidate name, referee name, and a unique reference link only.

Anthropic (US)

AI-powered stylometric analysis for fraud detection on submitted references

Reference response text is sent to Anthropic's API for analysis. Anthropic's zero-data-retention API policy applies — data is not used for model training.

Stripe (US)

Payment processing for credit purchases

Card data is handled entirely by Stripe and never touches our servers.

Vercel (US)

Platform hosting and content delivery

Hosting infrastructure; standard server logs may include IP addresses.

For US-based processors, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism under UK GDPR Article 46.

6. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of access

Request a copy of the personal data we hold about you.

Right to erasure ("right to be forgotten")

Request deletion of your personal data, subject to our legal retention obligations.

Right to rectification

Request correction of inaccurate data we hold about you.

Right to data portability

Request your data in a structured, machine-readable format (where technically feasible).

Right to restrict processing

Request that we limit how we use your data in certain circumstances.

Right to object

Object to processing based on legitimate interests.

To exercise any of these rights, email hello@sentinelhq.co.uk with your request. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Cookies

We use only functional cookies necessary for authentication and session management. We do not use advertising or tracking cookies. No third-party analytics scripts are loaded on the platform.

8. Security

All data is transmitted over TLS (HTTPS). Data at rest is encrypted by our infrastructure provider (Supabase, hosted on AWS eu-west-1). Access to personal data is restricted to authenticated organisation users and our internal team on a need-to-know basis. Row-level security policies enforce tenant isolation at the database level.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice within the platform. The "Last updated" date at the top of this page reflects the most recent revision.

10. Contact

For any data protection or privacy queries, contact us at hello@sentinelhq.co.uk.