PRIVACY POLICY

Last updated: April 2, 2026

This Privacy Policy explains how SenSec LLC, a Wyoming (USA) limited liability company ("SenSec," "we," "us," "our"), collects, uses, discloses, and protects Personal Data when you visit our websites — including sensec.ai, sensec.app, and associated product domains — or use any of our software-as-a-service platforms, mobile applications, hardware systems, APIs, and related services (collectively, the "Services").

This is the master privacy policy for all SenSec products. Where a specific product processes data in a unique way, we call that out explicitly.

Plain-language summary (not legally binding): We collect only the data we need to operate, secure, and improve our products. When your company puts operational data into our platform, we act as your processor — you stay in control. We protect everything with strong security, we never sell your data, and we use recognized mechanisms for international transfers. You can exercise your privacy rights any time.

1. WHO WE ARE

Data Controller (primary contact):
SenSec LLC
30 N Gould St, Ste N
Sheridan, WY 82801, USA
Email: privacy@sensec.ai

EU/EEA Representative (Art. 27 GDPR):
Sentinel Security s.r.o.
Jičínská 226/17, Žižkov, 130 00 Praha 3, Czech Republic
VAT ID: CZ19997604

UK Representative (Art. 27 UK GDPR): To be appointed — details will be added here once designated.

Data Protection Contact: We have appointed an internal privacy lead reachable at privacy@sensec.ai.

2. PRODUCTS COVERED BY THIS POLICY

This Privacy Policy governs all SenSec products and services, including but not limited to:

| Product | Domain | Description |
| --- | --- | --- |
| SenSec FieldOps | sensec.app | AI-powered guard management and dispatch platform |
| CommandOps | commandops.sensec.ai | AI operational command system for executive protection |
| EMRA | emra.sensec.ai | AI-powered executive movement risk assessment and travel threat intelligence |
| VectorOps | vectorops.sensec.ai | AI-powered vehicle counter-surveillance (hardware + software) |
| ShiftOps | | AI shift orchestration and scheduling |
| FinanceOps | | AI financial control and invoice automation |
| SignalOps | | Open-source intelligence monitoring and threat detection |
| NexusOps | | AI-driven commercial pipeline and CRM infrastructure |
| TalentOps | | Behavioral analysis, role alignment, and personnel management |
| IntelOps | | Autonomous site monitoring and anomaly detection |
| AssetOps | | Real-time personnel, vehicle, and asset tracking |

Each product may collect and process different categories of data as described below.

3. OUR ROLES: CONTROLLER vs. PROCESSOR

We act in two distinct roles depending on the data and context:

As Controller (GDPR) / Business (CPRA): For data where we determine the purposes and means of processing — including website analytics, marketing contacts, account administration, billing, product telemetry, and service improvement.

As Processor (GDPR) / Service Provider (CPRA): For Customer Data that our business customers input into the Services (e.g., guard schedules, patrol logs, visitor records, threat assessments, vehicle surveillance logs). In this role, the customer is the Controller/Business and is responsible for providing required notices and obtaining a lawful basis. Our processing of such data is governed by our Data Processing Addendum (DPA).

If you are an end user (employee, guard, client, visitor, principal) whose information was submitted by a SenSec customer, please direct privacy requests to that customer first. We will assist them in fulfilling requests per our DPA.

4. CATEGORIES OF PERSONAL DATA WE COLLECT

4.1 Account & Contract Data (All Products)

Name, business email, phone number, job title, company name; login credentials, authentication tokens, role and permission data; billing contacts, subscription details (payment card data is handled exclusively by our PCI-compliant payment processor and is never stored by SenSec).

4.2 Platform & Operational Data (Customer Data)

The types of operational data depend on the product:

SenSec FieldOps (sensec.app): Guard real-time GPS location and patrol tracking; geofence entry/exit events; incident and task records; patrol checkpoint logs; uploaded media (photos, audio, video, documents); visitor and client information entered by customers; key and access-card assignment logs; shift schedules and attendance records; speech-to-text transcriptions of guard reports; AI-enhanced report outputs; system access logs and audit trails.

CommandOps: Executive protection detail communications; GPS positions of detail members and vehicles; calendar and movement data of protected principals (as provided by the customer); signal ingestion logs (comms, traffic, schedules); operational drift alerts and confirmation records; AI-generated operational reports and summaries.

EMRA: Travel itinerary data for protected principals (destinations, dates, accommodation, transport); threat assessment outputs derived from aggregated open-source intelligence; risk scores and scenario-engine outputs; country and route-level risk profiles. EMRA aggregates publicly available data sources — it does not collect personal data about third parties beyond what is publicly available.

VectorOps: License plate images and recognition data captured by vehicle-mounted hardware; facial imagery and recognition data (where enabled by the customer and permitted by local law); vehicle location and route data; behavioral correlation patterns across observation windows; counter-surveillance alert logs. VectorOps hardware is installed and operated by the customer; SenSec processes this data as a processor under the customer's instructions and applicable law.

ShiftOps: Employee availability and preference data; shift assignments; absence records; schedule change history.

FinanceOps: Invoice data (vendor names, amounts, dates); bank transaction matching data; operational cost tags; financial control reports. FinanceOps does not store raw bank credentials.

SignalOps: Publicly available open-source intelligence data; reputation surface monitoring results; alert and escalation records. SignalOps monitors public sources — it does not conduct surveillance on individuals.

NexusOps: Sales pipeline records; client and prospect contact information; compliance gate results; commercial strategy outputs.

TalentOps: Employee performance patterns; behavioral risk indicators; role-alignment assessments; background-check results (where provided by the customer through authorized integrations).

IntelOps: Site activity logs; anomaly detection events; corrective action records; sensor and access-control data.

AssetOps: Real-time location data for personnel, vehicles, and equipment; zone entry/exit logs; spatial protocol enforcement records.

4.3 Device & Usage Data (Automatically Collected)

IP address, device identifiers, operating system and browser type/version; referrer URLs, feature usage patterns, timestamps, clickstream data, performance metrics; cookies and similar technologies (see Section 10).

4.4 Third-Party & Customer-Provided Sources

Background-check or identity-verification results (where a customer uses such integrations); public records, sanctions lists, and watch lists; data synchronized from customer systems (HR, CRM, payroll, dispatch, access control, calendar systems).

We may combine information from different sources to the extent permitted by law.

5. PURPOSES AND LEGAL BASES FOR PROCESSING

5.1 Purposes

We process Personal Data to:

  1. Provide and operate the Services — authentication, workflow execution, AI-driven analysis, report generation, communications, and hardware-software integration.

  2. Secure the Services and individuals — fraud detection, access control, intrusion detection, incident investigation, and counter-surveillance operations.

  3. Improve, research, and develop the Services and our AI/ML models — using aggregated, de-identified, or anonymized data where feasible.

  4. Communicate with you — transactional notices, product updates, support responses, surveys; marketing communications with consent or where permitted by law.

  5. Comply with laws — tax, accounting, law-enforcement requests, audits, regulatory reporting.

  6. Protect vital interests — in rare emergencies affecting safety of life.

5.2 Legal Bases (EU/EEA & UK — GDPR / UK GDPR)

  • Contract performance (Art. 6(1)(b)) — operating the Services under our agreement with you.

  • Legitimate interests (Art. 6(1)(f)) — securing and improving the Services, preventing abuse, B2B marketing, fraud prevention (balanced against your rights).

  • Consent (Art. 6(1)(a)) — for optional cookies, marketing communications, or specific data categories where required.

  • Legal obligation (Art. 6(1)(c)) — responding to regulators, tax authorities, and legal process.

  • Vital interests (Art. 6(1)(d)) — protecting someone's life or physical safety.

5.3 U.S. State Privacy Laws (CPRA, VCDPA, CPA, CTDPA, etc.)

Our processing purposes include: providing the Services, debugging, security, internal research and development, short-term transient use, quality control, and other purposes permitted by applicable state law. We do not "sell" Personal Data as defined by CPRA. We only "share" data for cross-context behavioral advertising with your consent, and you may opt out (see Section 12).

6. SPECIAL CATEGORIES OF DATA

Certain products may process data that qualifies as special-category or sensitive under applicable law:

  • Biometric data — VectorOps may process facial imagery and license-plate recognition data. This processing occurs only at the customer's direction, under the customer's lawful basis, and in compliance with applicable biometric privacy laws (including, where applicable, BIPA, GDPR Art. 9, and equivalent requirements).

  • Precise geolocation — FieldOps, CommandOps, VectorOps, and AssetOps process real-time GPS data. This is essential to the operational function of these products and is processed under contract performance or legitimate interests (with appropriate safeguards).

  • Health or safety data — Where customers enter health-related incident reports or safety data into the platform, we process it as a processor under the customer's instructions and lawful basis.

We do not process special-category data for purposes beyond what is strictly necessary to deliver the Services, unless we have obtained explicit consent or another valid legal basis.

7. DISCLOSURE OF PERSONAL DATA

We may disclose Personal Data to:

  • Service Providers and Subprocessors — cloud hosting, storage, analytics, communications, AI model providers, background-check vendors, and payment processors, each under written contracts limiting their use to our instructions.

  • Integration Partners and APIs — when you connect third-party systems at your direction (e.g., HR systems, calendar providers, dispatch tools).

  • Affiliates and Successors — in a merger, acquisition, or corporate restructuring (subject to confidentiality obligations and continuation of protections).

  • Authorities, courts, and law enforcement — when legally required or to protect rights, safety, or property.

  • Other parties with your consent or instructions.

We may share aggregated or anonymized data that does not reasonably identify any individual.

A current list of subprocessors is available upon request at privacy@sensec.ai.

8. DATA SECURITY

We implement reasonable and appropriate technical and organizational measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent where applicable)

  • Role-based access control and multi-factor authentication for administrative access

  • Network and application monitoring, logging, and intrusion detection

  • Regular vulnerability scanning and penetration testing

  • Employee confidentiality agreements and security training

  • Physical security controls for hardware components (VectorOps)

No system is 100% secure. If we become aware of a security breach affecting Personal Data, we will notify affected customers and/or supervisory authorities as required by applicable law and our contractual obligations, without undue delay.

9. DATA RETENTION

We retain Personal Data for as long as necessary to fulfill the purposes described in this Policy or as required by law. Our standard retention periods are:

  • Account and contract data: Duration of the subscription plus up to 6 years (for audit, tax, and legal defense purposes).

  • Operational records (Customer Data): As directed by the customer. If no instructions are given, we delete or anonymize within 90 days after contract termination, subject to legal holds.

  • Device, usage, and analytics data: Up to 26 months, unless longer retention is needed for security investigation or legal reasons.

  • Backups: Rolling backups retained 30–60 days.

  • VectorOps hardware data: On-device data retention is configurable by the customer. Cloud-synced data follows the standard operational-records schedule.

We may retain anonymized or aggregated data indefinitely for research and statistical purposes.

10. COOKIES AND SIMILAR TECHNOLOGIES

We use cookies, local storage, SDKs, pixels, and similar technologies for:

  • Strictly necessary purposes — session management, security, load balancing, user preferences.

  • Performance and analytics — understanding usage patterns to improve the Services.

  • Marketing and advertising (optional) — only with consent where required by law.

You can manage your preferences via our cookie consent banner and your browser settings. Blocking certain cookies may reduce functionality.

For full details, see our Cookies & Tracking Technologies Policy available at sensec.app/cookies-policy.

11. INTERNATIONAL DATA TRANSFERS

SenSec is headquartered in the United States. We process data primarily in the U.S. and may transfer data to other countries where our Service Providers or infrastructure operate.

For transfers of Personal Data from the EU/EEA/UK to the United States or other third countries, we rely on:

  • EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum

  • Data Processing Addendum (DPA) with customers and vendors

  • Supplementary safeguards — including encryption, strict access controls, and data minimization

Copies of relevant transfer mechanisms are available upon request (subject to redactions for security and confidentiality). Contact privacy@sensec.ai.

12. "DO NOT SELL" / "DO NOT SHARE" (U.S. State Laws)

We do not sell Personal Data as defined under CPRA or other applicable U.S. state privacy laws. We only share data for cross-context behavioral advertising with your prior consent. You may opt out at any time by:

  • Emailing privacy@sensec.ai

  • Using the "Do Not Sell or Share My Personal Information" link where available on our websites

We use Sensitive Personal Information only as necessary to provide the Services and for security and compliance — not to infer characteristics about you.

13. RIGHTS OF INDIVIDUALS

Your rights depend on your jurisdiction and our role (Controller vs. Processor).

13.1 EU/EEA & UK (GDPR / UK GDPR)

You may request: access to your data, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and the right to object to certain processing (including profiling). You may withdraw consent at any time without affecting the lawfulness of prior processing. You also have the right to lodge a complaint with your local supervisory authority.

13.2 California (CPRA) & Other U.S. States

You may have the right to: know and access your data, correct inaccuracies, delete your data, opt out of "sharing" for cross-context advertising, and limit use and disclosure of Sensitive Personal Information. We will not discriminate against you for exercising your rights.

13.3 How to Exercise Your Rights

  • Where SenSec is Controller: Email privacy@sensec.ai or use in-product privacy tools where available. We may need to verify your identity.

  • Where SenSec is Processor: Contact the SenSec customer (your employer or the organization that engaged SenSec). We will support them in fulfilling your request per our DPA.

Authorized agents (California): You may authorize an agent to act on your behalf. We require proof of authorization and may verify your identity directly.

14. AUTOMATED DECISION-MAKING AND AI

Our platform employs artificial intelligence and machine learning to assist with:

  • Task assignment and scheduling optimization (FieldOps, ShiftOps)

  • Incident classification and prioritization (FieldOps, IntelOps)

  • Threat assessment and risk scoring (EMRA, SignalOps)

  • Behavioral pattern detection (VectorOps, TalentOps)

  • Report enhancement and natural-language generation (FieldOps, CommandOps)

  • Anomaly detection and operational drift alerts (CommandOps, IntelOps)

These AI systems are designed to support human decision-making, not replace it. Where automated processing could produce legal effects or similarly significant effects on individuals, we require that customers maintain appropriate human oversight.

You may request human review of, or challenge, an AI-assisted decision where required by applicable law. Contact privacy@sensec.ai.

For further details on our approach to AI transparency, see our AI Transparency & Human Oversight Notice at sensec.app/ai-transparency-human-oversight-notice.

15. CHILDREN'S PRIVACY

The Services are designed for business use and are not intended for individuals under the age of 18. We do not knowingly collect Personal Data from children. If you believe we have collected data from a minor, please contact us at privacy@sensec.ai and we will promptly delete it.

16. THIRD-PARTY LINKS AND INTEGRATIONS

Our Services may contain links to or integrations with third-party services, tools, or platforms. Their own privacy policies govern those services. We are not responsible for their privacy practices and encourage you to review their policies.

17. DATA PROCESSING ADDENDUM (DPA)

When we act as Processor, our DPA (incorporated by reference into your service agreement or available upon request) governs:

  • Subject matter, duration, nature, and purposes of processing

  • Types of Personal Data and categories of Data Subjects

  • Our obligations regarding confidentiality, security, and assistance with data-subject rights

  • Breach notification procedures

  • Sub-processor engagement, notification, and objection process

  • Data return and deletion at end of services

  • International transfer mechanisms (SCCs / UK Addendum)

  • Audit and cooperation terms

To request a signed DPA, contact privacy@sensec.ai.

18. CHANGES TO THIS POLICY

We may update this Policy from time to time. We will post the revised version with an updated "Last updated" date. For material changes, we will provide additional notice (e.g., email, in-app notification, or prominent notice on our websites). Continued use of the Services after the effective date of a revised Policy constitutes acceptance. If you do not agree, discontinue use of the Services and contact us regarding your data.

19. DISPUTE RESOLUTION AND COMPLAINTS

Disputes regarding this Privacy Policy or our data practices are governed by the dispute resolution provisions in our Terms of Service, including binding arbitration in Sheridan, Wyoming, USA.

You may also lodge a complaint with a supervisory authority if you believe our processing violates applicable law:

  • EU/EEA: Your local Data Protection Authority

  • UK: The Information Commissioner's Office (ICO)

  • U.S.: Your state attorney general or the FTC, as applicable

20. HOW TO CONTACT US

Primary contact: privacy@sensec.ai
Mailing address: SenSec LLC, 30 N Gould St, Ste N, Sheridan, WY 82801, USA
EU/EEA Representative: Sentinel Security s.r.o., Jičínská 226/17, Žižkov, 130 00 Praha 3, Czech Republic

© 2026 SenSec LLC. All rights reserved.