SentinelSentinel

Privacy Policy

Last updated: March 27, 2026

Sentinel is operated by Invicta Media("Sentinel", "we", "our", "us"), a company based in the United States. This Privacy Policy explains what information we collect, how we use it, and the rights you have under U.S. privacy laws (including the California Consumer Privacy Act / CPRA) and — where applicable — the EU General Data Protection Regulation (GDPR) for visitors from the European Economic Area and UK.

1. Information we collect

  • Account data — email address, username, encrypted password hash, and account preferences.
  • Connected store data — Shopify shop domain, orders, products, variants, inventory, sessions, refunds. Shopify Admin API access token, stored encrypted.
  • Connected ad-platform data — Google Ads customer ID, OAuth refresh/access tokens (encrypted), campaign and conversion metrics.
  • Usage data — pages visited, actions taken, IP address, browser and OS. Used for security and product improvement.

2. How we use this information

  • Provide, operate, and secure the Sentinel dashboard.
  • Synchronize data from Shopify and Google Ads you have authorized.
  • Show you aggregated analytics and recommendations.
  • Send service emails (sign-up confirmation, password reset, incident notices).
  • Detect, prevent, and respond to abuse or security incidents.

We do not sell your personal information, and we do not share it with third parties for advertising or profiling purposes.

3. Where your data is stored

  • Database — Supabase (Postgres), hosted in regions appropriate to the customer base. Customer data is logically separated per account.
  • Application hosting — Vercel; edge functions may execute globally.
  • Email delivery — Resend for transactional email.

Sensitive credentials (Shopify Admin tokens, Google Ads OAuth tokens) are encrypted at rest with AES-256-CBC. TLS 1.2+ is enforced in transit.

4. Data retention

We retain account and store data for as long as your account is active. When you delete an account or disconnect a store, related data is removed within 30 days, except where retention is required by law (tax records, fraud prevention, or similar obligations).

5. Your rights under U.S. state laws (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose.
  • Request deletion of your personal information.
  • Correct inaccurate personal information.
  • Opt-out of the "sale" or "sharing" of personal information — we do not sell or share your data in the first place.
  • Limit the use of sensitive personal information — we only use it to provide the service.
  • Non-discrimination — we will not penalize you for exercising any of these rights.

Similar rights exist for residents of Virginia (VCDPA), Colorado (CPA), Connecticut, Utah, and other states with comprehensive consumer-privacy laws. To exercise any right, email support@invicta-media.co. We will respond within 45 days.

6. Rights for EU / UK visitors (GDPR)

If you are in the European Economic Area or the UK, you additionally have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and associated data.
  • Export your data in a machine-readable format.
  • Object to or restrict processing.
  • Lodge a complaint with your local data protection authority.

Because our servers and company are based in the United States, data of EU/UK visitors may be transferred to the U.S. We rely on the EU Standard Contractual Clauses and supplementary technical safeguards (encryption, access controls) for such transfers.

7. Subprocessors

We rely on trusted providers to operate Sentinel:

  • Supabase — database, authentication.
  • Vercel — hosting, edge compute.
  • Resend — transactional email.
  • Shopify, Google Ads — platforms we integrate with on your behalf.

Each subprocessor is contractually bound to appropriate security measures.

8. Google API Services User Data Policy

Sentinel's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What Google user data we access

When you connect Google Ads to Sentinel, you authorize us to access the following data via the Google Ads API:

  • Your Google Ads customer ID and linked account hierarchy.
  • Campaign, ad group, keyword, and shopping-feed performance metrics (impressions, clicks, cost, conversions, conversion value).
  • Product-level Shopping performance data.

Sentinel requests only the https://www.googleapis.com/auth/adwords scope. We do not request access to Gmail, Google Drive, Google Calendar, Contacts, or any other Google service.

Limited Use of Google user data

Sentinel's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide and improve user-facing features visible in the Sentinel dashboard (analytics, reporting, ROAS alerts).
  • We do not transfer Google user data to third parties, except as necessary to provide or improve the service, comply with applicable law, or as part of a merger/acquisition with notice to you.
  • We do not use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising.
  • We do not allow humans to read Google user data unless (a) you have given explicit consent for specific data we can view, (b) it is necessary for security purposes, (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymized for internal operations.
  • We do not use Google user data to train or improve generalized machine-learning or AI models.

How to revoke Sentinel's access

You can revoke Sentinel's access to your Google account at any time by visiting https://myaccount.google.com/permissions and removing Sentinel from the list of connected apps. You can also disconnect Google Ads from within Sentinel's Settings page ("Disconnect Google Ads"), which additionally deletes the stored OAuth tokens from our database.

9. Security

We apply industry-standard safeguards including encryption at rest and in transit, role-based access, two-factor authentication on administrative accounts, and audit logging. No system is perfectly secure — if you believe your account is compromised, contact us immediately.

10. Children's privacy

Sentinel is a B2B analytics product and is not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe a minor has provided us information, email us and we will delete it.

11. "Do Not Track" signals

Our systems do not currently respond to browser "Do Not Track" signals. We do not track you across third-party websites.

12. Changes to this policy

We will post updates to this page and, for material changes, notify you by email or in-app at least 14 days before the change takes effect.

13. Contact

Data controller: Invicta Media, United States. For any privacy-related request, email support@invicta-media.co.

This document is provided for transparency. For binding agreements or legal advice, please contact us at support@invicta-media.co.