1. Introduction
Sentinel Risk Group ("we," "our," "us") operates the website www.sentinelriskgrp.com and provides AI governance assessment services under the brand AI Governance Shield™. This Privacy Policy describes how we collect, use, disclose, and protect information obtained through our website and services.
2. Information We Collect
2.1 Information You Provide
- Contact information: name, email address, phone number, job title, organization name
- Inquiry details submitted through our website contact form
- Engagement documentation: signed agreements, payment information
- Evidence materials submitted for governance assessment (de-identified by the client per HIPAA Safe Harbor before submission — the standard engagement is designed so no PHI flows to Sentinel; see Section 4)
- AI-output verification (intake Step 8): the text of your AI tool’s output run against an assigned synthetic, fictitious test case (no real patient and no real PHI), together with integrity metadata (content hashes and timestamps). We retain only the extracted text and that metadata — the original file is not stored. See Section 4.
2.2 Information Collected Through Site Use
- Device and browser information (type, version, operating system)
- IP address and approximate geographic location
- Pages visited, time spent, referring URLs
- Cookies and similar tracking technologies (see Cookie Policy)
- Aggregate analytics via Plausible Analytics — a cookieless, privacy-friendly tool that sets no cookies and collects no personal data or PHI, and does not track visitors across sites; private, token-accessed pages (your certificate bundle, attestation, and secure file links) are excluded from analytics entirely
2.3 Email Engagement Signals
Transactional and engagement-related emails sent through our email service provider include standard delivery and engagement signals: open events (recorded via a small embedded image when your email client downloads remote images) and click events (recorded via tracking-redirected URLs that resolve to the intended destination). These signals help us confirm deliverability, troubleshoot delivery problems, and improve communication relevance.
Email engagement signals are not used for advertising, are not shared with third parties for marketing purposes, and may be suppressed by configuring your email client to block remote images and by avoiding clicking tracked links.
3. How We Use Information
We use collected information for the following purposes:
- To respond to inquiries and schedule consultations
- To prepare and deliver governance assessment services
- To communicate regarding engagements, deliverables, and renewals
- To process payments
- To improve our website and services
- To comply with legal and regulatory obligations
We do not sell, rent, or trade personal information to third parties for marketing purposes.
4. Protected Health Information (PHI)
The standard AI Governance Shield™ engagement is designed so that no Protected Health Information (PHI) flows to Sentinel Risk Group, LLC. The intake wizard asks about your governance posture — policies, vendor agreements, staff training, oversight workflows — not about individual patients.
Clients de-identify any documents per HIPAA Safe Harbor (removal of the 18 identifiers: names, dates of birth, medical record numbers, Social Security numbers, addresses, telephone numbers, email addresses, and the other categories enumerated at 45 C.F.R. § 164.514(b)(2)) before upload. The intake wizard indicates when supporting documentation is needed and what to scrub.
- The standard engagement does not include a Business Associate Agreement (BAA) between Sentinel Risk Group, LLC and the client practice. The AI Governance Shield™ certification is a governance evaluation; the standard scope does not contemplate Sentinel acting as a HIPAA Business Associate of the client.
- Sentinel Risk Group has signed a Business Associate Agreement with Amazon Web Services, Inc., the cloud provider hosting our fallback quarantine bucket. This AWS BAA covers the rare case where PHI accidentally lands in the quarantine bucket despite client de-identification.
- A Business Associate Agreement is not part of the standard engagement — the system is designed so PHI does not flow to Sentinel (Master Terms § H.8). If your compliance program requires one, you can execute our conditional BAA at sentinelriskgrp.com/baa.
- Any PHI accidentally received in the fallback quarantine bucket is encrypted in transit and at rest, isolated from active assessment workflows, retained for the minimum period necessary for incident review, and destroyed per AWS BAA terms.
- PHI is not collected through the website contact form, the intake wizard's text fields, or any deliverable email. The intake wizard is structured to elicit non-PHI governance information only.
- AI-output verification step: this step uses synthetic, fictitious test cases that contain no real PHI; clients agree (in the Terms) to submit only the assigned synthetic case’s output and not real patient data. Submitted text is automatically scanned for PHI patterns. Because the synthetic cases intentionally include PHI-shaped fictitious identifiers, that scan is recorded for audit and does not by itself block a submission; if real PHI is nonetheless detected, it is handled under the same quarantine framework described above (encrypted, isolated in the AWS BAA-covered fallback bucket, and destroyed per minimum-necessary timing).
5. Information Sharing and Disclosure
We do not share personal information except in the following circumstances:
- With your consent
- To comply with legal obligations, subpoenas, or court orders
- To enforce our agreements or protect our legal rights
- With service providers who assist in our operations (e.g., payment processors, cloud storage providers), subject to confidentiality obligations
5.1 Categories of Service Providers (Sub-processors)
The following categories of service providers process personal information on our behalf under contractual confidentiality and security obligations:
- Cloud hosting and content delivery: Cloudflare (US) — web hosting, security, DDoS protection.
- Database and pipeline: Airtable (US) — engagement-record storage.
- Payment processing: Stripe (US) — receives card and billing details directly; we do not store card numbers.
- Email delivery: Postmark (US) — transactional and engagement-related email delivery.
- Workflow automation: Make.com (Celonis subsidiary, EU/US) — orchestrates internal workflows.
- AI inference: Anthropic (US) — receives non-PHI governance-metadata inputs only; does not train models on intake content under our commercial usage terms.
- Document rendering and incident-fallback storage: Amazon Web Services (US) — PDF generation; AWS Business Associate Agreement on file for the rare case incidental PHI reaches the fallback bucket.
6. Data Security
We implement administrative, technical, and physical safeguards designed to protect information from unauthorized access, use, or disclosure. These measures include:
- Encrypted data transmission (TLS/SSL) for all website communications
- Access controls limiting information access to authorized personnel
- Secure client workspaces with access controls for evidence submission
- Regular review of security practices
No method of electronic transmission or storage is 100% secure. While we strive to protect information, we cannot guarantee absolute security.
6.1 Security Incident Notification
If we become aware of a security incident affecting personal information you have provided, we will notify you and any applicable regulators as required by law, including:
- Florida Information Protection Act of 2014 (Fla. Stat. § 501.171): notification within 30 days of discovery
- California Civil Code § 1798.82: notification in the most expedient time possible without unreasonable delay
- HHS Breach Notification Rule (45 C.F.R. § 164.404): its timing applies to any incidental Protected Health Information
- Equivalent state-law breach-notification timelines
7. Data Retention
- Website inquiry data: Retained for 24 months from date of collection, then deleted
- Client engagement records: Retained for 7 years per professional record retention requirements
- PHI accidentally received in the AWS fallback quarantine bucket: Retained for incident review only, with a maximum ceiling of thirty (30) days post-incident-closure unless a longer hold is required by law (e.g., active litigation hold, regulatory investigation), and destroyed per the terms of the AWS BAA. The standard engagement is designed so PHI does not flow to Sentinel — see Section 4.
8. Your Rights
8.1 All Users
- Request access to personal information we hold about you
- Request correction of inaccurate information
- Request deletion of personal information (subject to legal retention requirements)
- Opt out of non-essential communications
8.2 U.S. State Privacy Rights
Residents of the following U.S. states have rights under their state privacy laws to access, correct, delete, and (where applicable) port their personal information, and to opt out of the sale or sharing of personal information for cross-context behavioral advertising. Sentinel does not sell personal information and does not engage in cross-context behavioral advertising. State privacy laws covered include:
- California: California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA, Cal. Civ. Code § 1798.100 et seq.) — including the right to limit use of sensitive personal information.
- Colorado: Colorado Privacy Act (CPA, Colo. Rev. Stat. § 6-1-1301 et seq.) — including opt-out of targeted advertising and profiling.
- Virginia: Virginia Consumer Data Protection Act (VCDPA, Va. Code § 59.1-575 et seq.).
- Connecticut: Connecticut Data Privacy Act (CTDPA, Conn. Gen. Stat. § 42-515 et seq.).
- Utah: Utah Consumer Privacy Act (UCPA, Utah Code § 13-61-101 et seq.).
- Texas: Texas Data Privacy and Security Act (TDPSA, Tex. Bus. & Com. Code § 541.001 et seq.).
- Oregon: Oregon Consumer Privacy Act (OCPA, Or. Rev. Stat. § 646A.570 et seq.).
- Tennessee: Tennessee Information Protection Act (TIPA, Tenn. Code § 47-18-3201 et seq.).
- Iowa, Indiana, Montana, Florida, and additional states as their consumer-privacy frameworks become effective.
To exercise any of these rights, submit a verifiable consumer request via our contact form. We will acknowledge receipt within seven (7) business days and respond substantively within thirty (30) days, or notify you in writing if a one-time extension of up to forty-five (45) additional days is required by the volume or complexity of the request, consistent with applicable state law. We will verify the requester's identity using information matching our records before disclosing or deleting personal information.
8.3 Authorized Agents
You may use an authorized agent to submit a request on your behalf. We will require the agent to provide written, signed authorization from you, and we may verify your identity directly.
9. Cookies and Similar Technologies
Our website uses a minimal set of first-party cookies and similar technologies for essential site function (session management, security, basic analytics). We do not use cross-site advertising trackers or third-party behavioral-advertising cookies. You can disable cookies in your browser; the site will still function, but some conveniences (form-progress retention, preference memory) may not be available. EU/EEA and UK visitors are presented with a cookie consent banner on first visit consistent with the ePrivacy Directive (2002/58/EC) and the General Data Protection Regulation.
10. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to review their privacy policies.
11. Children's Privacy
Our website and services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised policy on our website with an updated effective date. Material changes will be communicated via email to active clients.
13. Contact Information
For privacy-related inquiries or to exercise your rights, please use our Contact form at sentinelriskgrp.com/contact (preferred). You may also write to us at the postal address below:
Sentinel Risk Group, LLC
1125 N. Chickasaw Trail
Orlando, FL 32825 USA
Contact: sentinelriskgrp.com/contact