Privacy Policy

Privacy Notice & Data Sharing and Retention Policy

Last updated: 30th December 2025

This Privacy Notice explains how Sentra Cyber Ltd (“we”, “us”, “our”) collects, uses, shares, and retains personal data when providing the Sentra Cyber SaaS platform (the “Service”), including our analytics dashboard and Microsoft Teams bot.

 

 

1. Who We Are

Company: Sentra Cyber Ltd

Role: Independent Data Controller

Contact: info@sentracyber.co.uk

Sentra Cyber Ltd acts as an independent data controller for personal data processed in connection with the Service.

 

 

2. Who This Notice Applies To

This notice applies to:

  • Organisation administrators distributing the app and using the admin dashboard
  • End users (organisation members) who interact with the app via Teams
  • Including both trial and paying admins and users

 

 

3. How the Service Works (Context)

The Service enables:

  • Users to receive and complete weekly cyber behavioural briefings via Teams
  • Users to watch previous briefing videos on demand via Teams
  • Organisations to view aggregated engagement and response statistics via the admin dashboard
  • Organisations to manage their organisation via the admin dashboard

Personal data is processed only to the extent necessary to deliver these functions.

 

 

4. Personal Data We Collect

a) Identity & Account Data

  • Name
  • Work email address
  • Organisation name
  • Role (e.g. Org Admin, End User)
  • Microsoft Teams user ID and tenant ID

b) Usage & Engagement Data

  • Message delivery timestamps
  • Video view started/completed timestamps
  • Question response timestamps and selected answers
  • Aggregated engagement metrics

c) Technical & Log Data

  • Platform and device type
  • IP address (transient, for security purposes)
  • Application logs and error diagnostics

We do not intentionally collect special category data.

 

 

5. How We Use Personal Data (Purposes)

We process personal data to:

  • Deliver scheduled cyber briefings via Microsoft Teams
  • Authenticate users and manage organisational access
  • Display engagement and response statistics to organisation administrators
  • Operate, maintain, and secure the Service
  • Monitor performance and improve product quality and relevance
  • Produce aggregated or anonymised analytics

We do not sell personal data or use it for unrelated advertising.

 

 

6. Lawful Bases for Processing

Under UK GDPR, we rely on:

  • Legitimate interests – to provide and improve a workplace cyber awareness service
  • Contract – where processing is necessary to deliver the Service requested by an organisation

Where legitimate interests are relied upon, we balance our interests against the rights of individuals.

 

 

7. Data Sharing

a) Within Customer Organisations

Organisation administrators may view defined engagement and response data for their organisation for governance, awareness, and evaluation purposes.

b) Service Providers

We use carefully selected service providers to support delivery of the Service, including:

  • Hosting and application infrastructure (Vercel)
  • Database services (Neon / PostgreSQL)
  • Microsoft Azure (Bot Service and Functions)
  • Monitoring and logging services (Sentry)

These providers process data under contractual confidentiality and security obligations.

c) Legal Obligations

We may disclose personal data where required to comply with legal or regulatory obligations or to protect our rights.

d) Anonymised and Aggregated Data

We may use personal data to create anonymised and aggregated datasets that do not identify any individual. We may share or commercially license these anonymised insights with third parties (including insurers and other organisations) for research, analytics, benchmarking, or other lawful business purposes.

 

 

 

8. International Transfers

Some service providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as standard contractual clauses or equivalent protections.

 

 

9. Data Retention

We retain personal data only for as long as necessary:

  • Trial organisations: up to 90 days after trial end unless converted or deletion is requested
  • Active customers: for the duration of the contract and up to 90 days post contract
  • Engagement and response data: retained while required for dashboards and governance reporting and up to 90 days post contract
  • Logs and diagnostics: retained for security and reliability, then deleted or anonymised up to 90 days after contract

Aggregated and anonymised data may be retained indefinitely.

Organisations may request deletion of their data at any time.

 

 

10. Individual Rights

Individuals have rights under UK GDPR, including:

  • Access to personal data
  • Rectification of inaccurate data
  • Erasure (where applicable)
  • Restriction or objection to processing
  • Data portability (where applicable)

Requests can be made by contacting us using the details above.

 

 

11. Security

We implement appropriate technical and organisational measures, including:

  • HTTPS for all data in transit
  • Per-organisation data isolation
  • Role-based access controls
  • Secure authentication and signed tokens
  • Monitoring and logging for abuse and reliability

 

 

12. Changes to This Notice

We may update this notice from time to time within reason. Material changes will be communicated where appropriate.

 

 

13. Contact

If you have questions about this notice or our data practices, contact:

Sentra Cyber Ltd

Email: info@sentracyber.co.uk

© 2026 Registered in England. All Rights Reserved.