GDPR Compliance Statement

Effective Date: July 2, 2026

This statement outlines how Event Sentinel AI, Inc. ("Event Sentinel," "we," "us," or "our") complies with the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the UK GDPR (together, the "GDPR") when processing personal data of individuals in the European Economic Area (EEA) and the United Kingdom. This statement supplements our Privacy Policy.

1. Data Controller and Data Processor

Event Sentinel acts as a Data Controller for personal data collected directly from users (e.g., account information, billing details, usage data). Event Sentinel acts as a Data Processorfor monitoring data (hardware and network metrics) that customers upload from their monitored devices, where the customer organization acts as the Data Controller.

2. Lawful Basis for Processing

We process personal data under the following lawful bases:

  • Consent (Art. 6(1)(a)): For marketing communications and non-essential cookies.
  • Contractual Necessity (Art. 6(1)(b)): For account creation, service delivery, and subscription management.
  • Legal Obligation (Art. 6(1)(c)): For tax records, legal compliance, and regulatory requirements.
  • Legitimate Interests (Art. 6(1)(f)): For fraud prevention, security monitoring, and service improvement.

3. Data Protection Officer (DPO)

We have designated a contact person for data protection matters. While not formally required to appoint a DPO under Art. 37, we voluntarily provide a dedicated contact for all GDPR-related inquiries:

Email: contact@eventsentinel.ai

4. Data Subject Rights

We facilitate the following rights for data subjects in the EEA and UK:

  • Right of Access (Art. 15): Obtain confirmation and a copy of personal data processed.
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of personal data, subject to legal exceptions.
  • Right to Restriction (Art. 18): Limit processing in certain circumstances.
  • Right to Portability (Art. 20): Receive data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing.
  • Right to Lodge a Complaint (Art. 77): Lodge a complaint with a supervisory authority.

To exercise these rights, contact contact@eventsentinel.ai. We respond within one month, extendable by two months for complex requests (Art. 12(3)).

5. International Data Transfers

Personal data may be transferred to the United States and other countries outside the EEA/UK. We ensure appropriate safeguards under Art. 44-49 GDPR, including:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission.
  • Supplementary measures where required (e.g., encryption, pseudonymization).
  • Data Processing Agreements (DPAs) with all sub-processors.

6. Sub-Processors

We use the following sub-processors to deliver the Services:

  • Stripe, Inc.: Payment processing (PCI-DSS compliant).
  • Supabase: Database hosting and authentication.
  • Google Cloud Platform: Cloud infrastructure and hosting.

All sub-processors are bound by written agreements providing equivalent GDPR protections.

7. Data Protection by Design and Default (Art. 25)

  • Encryption: TLS 1.2+ in transit, AES-256 at rest.
  • Access Control: Role-based access, least-privilege principle.
  • Data Minimization: We collect only data necessary for the Services.
  • Pseudonymization: Where feasible, data is pseudonymized to reduce risk.

8. Breach Notification (Art. 33-34)

In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk, we will also notify affected data subjects without undue delay.

9. Data Retention

Personal data is retained only as long as necessary for the purposes described in our Privacy Policy. Monitoring data is retained according to the customer's subscription plan and deleted upon account termination, subject to legal retention obligations.

10. Data Processing Agreement (DPA)

Enterprise customers may request a signed Data Processing Agreement. Contact us at contact@eventsentinel.aito initiate the DPA process.

11. Supervisory Authority

Data subjects have the right to lodge a complaint with their local supervisory authority. For reference:

12. Contact Us

Event Sentinel AI, Inc.
191 Continental Dr, Suite 305, Newark, DE 19713, United States
Email: contact@eventsentinel.ai