Privacy Policy

Last updated: February 20, 2026

1. Data Controller

Valentin Lionel Weinert
Sentra (Sole Proprietorship / Einzelunternehmen)
Dr.-Rohmer-Weg 11
65719 Hofheim am Taunus
Germany
Email: hello@sentra.so

The appointment of a Data Protection Officer is not required pursuant to § 38 BDSG, as fewer than 20 persons are regularly involved in the automated processing of personal data.

2. Server Log Files

When you visit our website, the following data is automatically collected in server log files:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the retrieved file
  • Referring website (referrer URL)
  • Browser and operating system used

Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in ensuring system security, preventing abuse, and diagnosing technical errors. Log files are deleted after 30 days.

3. App Usage (Registration and Data Processing)

When you register and use our app, the following data is processed:

  • Email address and password (encrypted) for authentication
  • Files and text you upload (e.g., interview transcripts, support tickets)
  • System-generated analyses, patterns, and specifications

Legal basis: Art. 6(1)(b) GDPR (contract performance). Providing your email address is necessary to create an account. Without it, we cannot provide our service.

Retention: for the duration of your account plus 30 days after deletion.

4. AI Processing

Sentra uses AI models from multiple providers to analyze your uploaded data. Your content is transmitted to the following AI services solely for the purpose of providing our service. Your data is never used to train AI models.

  • Google (Gemini 2.5 Flash) — via Google Ireland Limited (USA/Global). Used for evidence extraction from sources, pattern discovery, chat responses, and title generation. Your uploaded text content is transmitted for analysis.
  • Anthropic (Claude Sonnet 4) — via Anthropic, PBC (USA). Used for generating feature specifications (specs) from discovered patterns. Pattern summaries and associated evidence are transmitted for spec generation.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Retention: Google API logs are retained according to Google's data retention policies. Anthropic API logs are deleted after 7 days.

5. Audio Transcription

If you upload audio files, they are transmitted to AssemblyAI, Inc. (USA) for transcription. Transcription is performed solely to provide our service. Audio files are deleted by AssemblyAI after processing.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

6. Hosting and Sub-Processors

Your data is stored and processed by the following sub-processors:

Provider | Purpose | Data Location
Supabase, Inc. (USA) | Database, authentication, file storage, transactional emails | AWS eu-central-1, Frankfurt
Vercel, Inc. (USA) | Web hosting, CDN, serverless functions, web analytics, performance monitoring (Speed Insights) | Global edge network, EU regions
Google Ireland Limited (USA/Global) | AI analysis of user content (evidence extraction, pattern discovery, chat, title generation) | USA/Global
Anthropic, PBC (USA) | AI generation of feature specifications | USA
AssemblyAI, Inc. (USA) | Audio transcription | USA
PostHog, Inc. (USA) | Product analytics, session tracking | AWS eu-central-1, Frankfurt
Stripe, Inc. (USA) | Payment processing, subscription management | USA
Linear, Inc. (USA) | Project management integration (spec export) | USA
Atlassian, Inc. (USA) | Project management integration (Jira spec export) | USA/Global

Data processing agreements (Art. 28 GDPR) are in place with all sub-processors. A Data Processing Agreement (DPA) for Sentra is available at /dpa.

7. Third-Country Transfers

Some of our sub-processors are based in the USA. The transfer of personal data to the USA is carried out on the basis of the EU-U.S. Data Privacy Framework (DPF) where applicable, and additionally on the basis of EU Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914. We also rely on encryption in transit and at rest as supplementary safeguards.

Your primary data (database, files, authentication) is stored by Supabase in Frankfurt, Germany (EU).

8. Cookies and Tracking Technologies

We use technically necessary cookies for authentication and session management. These cookies are required for the operation of the website and cannot be disabled.

Analytics cookies (e.g., PostHog) are only set with your explicit consent (§ 25 TDDDG). Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time via the cookie settings in the footer.

In addition, we use cookie-less tracking technologies (Vercel Web Analytics, Vercel Speed Insights) that do not store information on your device but transmit usage and performance data to Vercel's servers. These tools are only activated with your consent. Legal basis: Art. 6(1)(a) GDPR (consent).

We also use first-party cookies to store campaign parameters (UTM parameters such as utm_source, utm_medium, utm_campaign) across our subdomains (sentra.so, app.sentra.so). These cookies record which marketing campaign brought you to our website (first-touch and last-touch attribution) and are retained for 90 days. The campaign data stored in these cookies is only transmitted to PostHog when you have given your consent to analytics tracking. Legal basis: Art. 6(1)(a) GDPR (consent).

9. Analytics and Performance Monitoring

We use the following tools for website analysis, all of which are only activated when you consent to tracking via our cookie banner. Legal basis: Art. 6(1)(a) GDPR (consent).

  • PostHog — website usage analysis (page views, sessions, feature usage). PostHog uses cookies for session tracking. Data is processed on PostHog's EU infrastructure (Frankfurt, Germany).
  • Vercel Web Analytics — privacy-focused, cookie-less page view tracking (pages visited, referrers, country, browser/OS, device type). No personally identifiable information is collected. Data is processed by Vercel, Inc. (USA).
  • Vercel Speed Insights — cookie-less performance monitoring collecting Web Vitals metrics (Largest Contentful Paint, First Input Delay, Cumulative Layout Shift, Time to First Byte, Interaction to Next Paint) along with page URL, browser, and connection type. Data is processed by Vercel, Inc. (USA).

You may withdraw your consent at any time via the cookie settings, which will deactivate all analytics and performance monitoring tools.

10. Email Communications

Transactional emails (e.g., account confirmation, password reset) are sent via the built-in email service of Supabase, Inc. (USA). Your email address is processed by Supabase for this purpose. No separate email service provider is used.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

11. Automated Decision-Making

Automated decision-making including profiling within the meaning of Art. 22 GDPR does not take place. AI-generated analyses and recommendations serve as support tools and do not make automated decisions with legal or similarly significant effect.

12. Retention Periods

Data Category | Retention Period
Server log files | 30 days
Account data | Duration of account + 30 days after deletion
Uploaded content and AI results | Duration of account + 30 days after deletion
Google API logs | Per Google's data retention policy
Anthropic API logs | 7 days
Vercel Analytics / Speed Insights data | Aggregated, no personal data retained
Payment records (Stripe) | 8 years (§ 147 AO)
Campaign parameter cookies (UTM) | 90 days

13. Your Rights

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing based on legitimate interests (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR), without affecting the lawfulness of processing based on consent before its withdrawal

To exercise your rights, please contact: hello@sentra.so

14. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data. The supervisory authority responsible for us is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Postfach 3163, 65021 Wiesbaden, Germany
https://datenschutz.hessen.de

15. Data Security

We use SSL/TLS encryption for all data transfers. Stored data is encrypted at rest. Passwords are hashed and never stored in plain text.