Privacy Policy — sentinel-os.ca
- Effective date: May 11, 2026
- Version: 1.0.0
- Last reviewed: May 11, 2026
- Applies to: sentinel-os.ca (marketing website) and the SENTINEL OS SaaS platform operated at sentinel-trader.vercel.app and successor domains.
This policy is written in plain language so you can make informed choices. If anything is unclear, write to privacy@sentinel-os.ca and we will answer within ten (10) business days.
1. Who we are and how to reach us
SENTINEL OS is a software-as-a-service platform for the North American pre-owned vehicle industry — auctions, dealers, transporters, drivers, and reconditioning shops. The platform is operated by a Montréal-based coalition (the "Company", "we", "us") founded by Yaovi Houndenou.
| Item | Details |
|---|---|
| Legal contact | SENTINEL OS Coalition, Montréal, Québec, Canada |
| Person Responsible for the Protection of Personal Information (Loi 25) | Yaovi Houndenou, Founder |
| Email (privacy matters only) | privacy@sentinel-os.ca |
| Postal mail | We will publish a postal address once our office is registered. In the meantime, electronic service to the address above is the canonical channel. |
| EU/UK representative | Not appointed. EU/UK visitors are rare and we currently rely on the Article 27(2)(a) GDPR derogation. We will appoint a representative if cross-border activity grows. |
We are the controller for personal information collected through sentinel-os.ca and for accounts created on the SaaS platform. When a customer (a dealership, carrier, or auction) uses SENTINEL OS to process information about its own drivers, employees or end-customers, we act as processor on that customer's behalf under a Data Processing Addendum.
2. What we collect
We split this into three clear buckets so you know exactly what applies to you.
2.1 Visitors to sentinel-os.ca (marketing site)
| Category | Specific data | Source |
|---|---|---|
| Waitlist submissions | First name, last name, business email, role/title, company name, fleet size (optional), free-form message (optional) | You, via the form |
| Technical telemetry | IP address (truncated after 30 days), user-agent, referring URL, timestamp, country derived from IP | Automatic, server logs |
| Preference cookies | Locale (`en`/`fr`), theme (`light`/`dark`/`system`), Lenis scroll state | Automatic, first-party cookie |
| Error reports (Sentry) | Stack trace, browser type, page URL, anonymous session ID — no form content, no PII payload | Automatic, only on JavaScript exception |
| Future analytics (not yet active) | If enabled, we will use Vercel Analytics and/or Plausible/Pirsch — both cookieless and aggregate-only. We will update this policy and require fresh consent in jurisdictions that require it before turning these on. | N/A today |
We do not use Google Analytics, Meta Pixel, advertising trackers, or session-replay tools.
2.2 Users of the SaaS platform (sentinel-trader.vercel.app)
When you sign in to SENTINEL OS, we additionally process:
- Identity & account: name, business email, hashed password (Argon2id), MFA secret, role, company affiliation.
- Operational data: VINs (Vehicle Identification Numbers), transaction prices, bid history, listings, dispatch assignments.
- Vehicle media: photographs uploaded by users — these may incidentally contain license plates or, very rarely, faces. See §9 for our anonymization commitments.
- Driver & compliance data: HOS (Hours-of-Service) logs under FMCSA Part 395 (USA) and Transport Canada SOR/2005-313, IFTA fuel records, CDL/AZ license metadata.
- Geolocation: GPS positions of dispatch units while a job is active (precision: ~5 meters), plus route history.
- Payment data: handled directly by Stripe Inc. — we store only Stripe customer/charge identifiers, not card numbers.
- Voice & messaging: voice interactions with our "Mira" agent (ElevenLabs synthesis + Anthropic Claude reasoning), Slack and email transcripts when our agents act on your behalf.
- AI agent audit trail: every action taken by an AI agent on your account (append-only, RSA-4096 signed).
2.3 API partners and integrators
If your organization connects to SENTINEL OS through our API, we process: company name, technical contact email, API key identifiers (the secret is hashed), request logs (endpoint, status code, IP, timestamp), and the business payloads you submit.
2.4 What we do not collect
We do not knowingly collect: government identifiers beyond CDL number where legally required, biometric data, health data, religious affiliation, racial or ethnic origin, sexual orientation, trade-union membership, criminal record (unless a dealership specifically uploads a driver background check, in which case it is treated as sensitive — see §4).
3. Why we use it (purposes and legal basis)
| Purpose | Categories used | Legal basis (PIPEDA / Loi 25) | GDPR basis | CCPA business purpose |
|---|---|---|---|---|
| Process your waitlist signup and contact you about the pilot | §2.1 waitlist | Implied consent + Loi 25 art. 12 | Art. 6(1)(b) pre-contractual measures | Providing the requested service |
| Send transactional service emails | §2.2 identity, §2.3 partner | Contractual necessity | Art. 6(1)(b) | Service operation |
| Send commercial electronic messages | | Express opt-in consent under CASL s.6 and CAN-SPAM | Art. 6(1)(a) | N/A — not selling |
| Operate the SaaS (matching loads, computing HOS, planning routes) | §2.2 operational, vehicle, driver, geolocation | Contractual necessity | Art. 6(1)(b) | Service operation |
| Detect fraud and abuse | IP, logs, transaction patterns | Legitimate interest balanced against your rights | Art. 6(1)(f) | Security |
| AI-assisted decisions (rate suggestions, fraud scoring, dispatch ranking) | Operational + historical performance | Loi 25 art. 12.1 — disclosed automated decision-making, with human review on request | Art. 22 with Art. 22(2)(a) contractual + safeguards | Service operation |
| Comply with Canadian, US, and provincial tax, transport, and accounting law | Payment, IFTA, HOS | Legal obligation | Art. 6(1)(c) | Compliance |
| Improve the product (aggregate, de-identified analytics) | De-identified usage data | Loi 25 art. 23 | Art. 6(1)(f) | Service improvement |
We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
4. Who has access — full sub-processor disclosure
We keep this list current. Any addition triggers a 30-day notice to existing customers via email and an updated policy version.
| Sub-processor | Role | Location | Data received | Safeguard |
|---|---|---|---|---|
| Vercel Inc. | Hosting, edge functions, CDN | USA, EU edge | All web traffic | SCCs + DPA, SOC 2 Type II |
| Supabase Inc. | Database, auth, storage | ca-central-1 (Montréal) pinned | All operational and identity data, vehicle photos | SCCs, RLS, AES-256 at rest, TLS 1.3 in transit |
| Stripe Inc. | Payments, Treasury, KYC | USA + Ireland | Card data, billing address, tax ID | PCI-DSS Level 1, SCCs |
| Resend Inc. | Transactional email | USA | Email, name, subject/body | DPA, SCCs |
| Sentry | Error monitoring | USA, EU | Stack traces, browser type, no PII payloads | SCCs, SOC 2 |
| Anthropic PBC | Claude AI reasoning | USA | Operational prompts (redacted) | DPA, zero-retention tier |
| ElevenLabs Inc. | Voice synthesis | USA | Text-to-synthesize | DPA |
| Twilio Inc. | SMS and voice calls | USA | Phone numbers, message/call metadata | SCCs, SOC 2 |
| OpenLane Canada Inc. | Auction inventory API | Canada | VINs, listing IDs, bid intents | Bilateral DSA |
| Mapbox Inc. | Map tiles, geocoding | USA, EU | Approximate location | DPA |
| HERE Technologies | Truck-legal routing | EU | Origin/destination coordinates | EU controller, GDPR-native |
| OpenWeather Ltd. | Weather along route | UK | Lat/long coordinates | UK GDPR |
Internal access at SENTINEL OS is restricted by role, logged in an append-only audit table, and reviewed quarterly.
5. Cross-border transfers
- Quebec to outside Quebec (Loi 25 art. 17 PIA). Before transferring personal information outside Québec, we conduct a written Privacy Impact Assessment that evaluates sensitivity, purpose, protection, and the legal framework of the destination. PIAs are kept on file and available to the Commission d'accès à l'information on request.
- Canada to USA. The OPC permits transfers to US processors provided contractual safeguards are in place. Each US sub-processor is bound by a DPA with confidentiality, security, breach-notification, and audit clauses.
- EU/UK to North America. We rely on the Standard Contractual Clauses (Module 2), supplemented by the UK Addendum where applicable.
- Customer choice. Enterprise customers may request that their workspace data be pinned to `ca-central-1` (Montréal) only — default for Quebec-domiciled customers.
6. How long we keep it
| Data | Retention | Trigger |
|---|---|---|
| Waitlist leads (no account created) | 24 months | Then full deletion |
| Active SaaS account data | Duration of contract + cooldown | — |
| Deleted account — soft delete | 30 days | You can recover during this window |
| Deleted account — full purge | Day 31 after deletion | Personal information destroyed |
| Payment records | 7 years (Income Tax Act s.230) | End of fiscal year |
| HOS logs (FMCSA Part 395.8(k)) | ≥ 6 months on truck; up to 24 months for aggregate analytics in our system | — |
| IFTA fuel records | 4 years | Tax-return filing |
| Audit logs (Loi 25 art. 8.1) | 7 years minimum | Append-only, RSA-4096 signed |
| Automated-decision logs | Lifetime of decision + 5 years | To enable contestation under Loi 25 art. 12.1 |
| Vehicle photos | Until vehicle removed + 90 days | Anonymized 64×64 thumbnail kept only with consent |
| Voice recordings (Mira) | 30 days default; configurable down to 0 | Transcript stripped of PII kept 12 months |
| Server access logs | 90 days | Aggregated |
| Sentry error reports | 90 days | PII scrubbed |
7. Your rights
We honour the highest applicable standard for everyone, regardless of residency.
| Right | What it means | How to exercise |
|---|---|---|
| Access | Receive a copy of the personal information we hold about you | Email privacy@sentinel-os.ca — response within 30 days (PIPEDA / Loi 25), 45 days extendable to 90 (CCPA), 1 month (GDPR) |
| Correction / rectification | Fix inaccurate information | Same email — propagates to sub-processors within 14 days |
| Deletion / erasure | Delete your information unless we have a legal duty to retain it | Same email — soft-deleted in 30 days, purged after |
| Portability | Receive your data in JSON or CSV and transmit it to another provider | Same email — typically delivered within 14 days |
| De-indexation / cessation of dissemination (Loi 25 art. 28.1) | Stop disseminating information and de-index where we have control | Same email |
| Withdraw consent | At any time, for any consent-based processing | Same email or unsubscribe link |
| Object (GDPR) | Object to processing based on legitimate interest | Same email |
| Contest an automated decision (Loi 25 art. 12.1, GDPR art. 22) | Human review within 7 business days | Same email |
| Opt out of "sale" / "share" (CCPA/CPRA) | We do not sell or share, but the link is in the footer | "Do Not Sell or Share" link |
| Non-discrimination | We will not penalize you for exercising your rights | — |
8. Cookies and similar technologies
| Cookie / storage | Type | Purpose | Duration | Consent required |
|---|---|---|---|---|
| `sentinel_locale` | First-party | Remember language | 12 months | No (strictly necessary) |
| `sentinel_theme` | First-party | Remember theme | 12 months | No (strictly necessary) |
| `lenis_scroll` | localStorage | Preserve smooth-scroll | Session | No (strictly necessary) |
| `sb-access-token`, `sb-refresh-token` | HttpOnly first-party | Supabase session | 1h / 30d | No (strictly necessary) |
| Future: `_vercel_analytics` | First-party | Cookieless aggregate | Session | Yes — banner planned |
| Future: `_plausible` | First-party, no PII | Privacy-friendly analytics | 24h | Yes — banner planned |
We do not embed third-party trackers in marketing pages.
9. How we secure your information
- Encryption. TLS 1.3 in transit. AES-256 at rest. Stripe handles cardholder data under PCI-DSS Level 1.
- Row-level security. Every database table enforces RLS tied to `company_id` and role.
- Append-only audit log. Every privileged and AI-agent action is RSA-4096 signed.
- Secrets management. Vault-equivalent encrypted storage; 90-day rotation.
- Vehicle photo anonymization. YOLOv10 + ONNX face/plate blurring on upload.
- MFA. Required internally; required for customer admin roles.
- Vendor diligence. Every sub-processor SOC 2 Type II / ISO 27001 / equivalent.
- Breach response. Loi 25 art. 3.5 — notify CAI and affected individuals within 72 hours of confirmed risk of serious injury.
- Penetration testing. Annual third-party; quarterly red-team starting Q4 2026.
If you believe you have found a vulnerability, please write to security@sentinel-os.ca.
10. Children
SENTINEL OS is a business-to-business service. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided information, write to privacy@sentinel-os.ca and we will delete it.
11. Updates and version history
We use semantic versioning. Material changes are notified by email to all account holders 30 days before they take effect.
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 2026-05-11 | Initial publication for the pre-pilot phase |
12. How to complain
| Authority | Jurisdiction | Online form |
|---|---|---|
| Commission d'accès à l'information du Québec (CAI) | Québec | cai.gouv.qc.ca/plainte |
| Office of the Privacy Commissioner of Canada (OPC) | Canada (federal) | priv.gc.ca/en/report-a-concern |
| California Privacy Protection Agency (CPPA) | California | cppa.ca.gov |
| Federal Trade Commission (FTC) | USA (other states) | reportfraud.ftc.gov |
| Information Commissioner's Office (ICO) | UK | ico.org.uk/make-a-complaint |
| CNIL | France / lead EU | cnil.fr/fr/plaintes |
Plain-language summary: we collect what we need, we keep it as briefly as possible, we tell you exactly who else sees it, and we treat Quebec's Loi 25 as the floor — not the ceiling.