🚫 What we never collect
Sentinel ships with zero telemetry. No analytics SDKs, no crash reporters that phone home, no usage metrics, no device fingerprints sent to a server. The list of things we don't collect is the entire list of things you might worry about:
- No personal information — name, email, or phone is only used for license issuance and never transmitted by the app itself
- No device identifiers (IMEI, IMSI, MAC, advertising ID, hardware serial)
- No usage analytics — we don't know which features you use, when, or how often
- No crash telemetry sent automatically — diagnostic logs stay on your device unless you explicitly export them
- No location data, no contacts, no message content, no photos, no clipboard contents
🔐 Encryption & key handling
Every sensitive operation in Sentinel uses authenticated encryption with hardware-backed keys where available, falling back transparently and reporting clearly when it can't.
AES-256-GCM
All vault data and persisted secrets use AEAD with per-record nonces. No deprecated modes anywhere.
StrongBox-first
Keys live inside the device's hardware security chip when supported (Pixel 3+, modern Samsung, OnePlus, etc.).
PBKDF2 310k rounds
Master password derivation uses OWASP-current iteration counts. Brute-forcing a strong password is computationally infeasible.
Class A storage
Keys clear from memory when the screen locks. An attacker with physical access after lock has nothing to extract.
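An added example, not Sentinel's own code: one way an Android app can implement the StrongBox-first key creation and per-record-nonce AES-256-GCM described in this section, using the Android Keystore API (API 28+). The names `ALIAS`, `VaultKey`, `Record`, `createVaultKey`, `seal` and `unseal` are hypothetical, and binding each ciphertext to a record ID through AAD is an assumption.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical alias and types, chosen for this example only.
private const val ALIAS = "vault_key_example"

data class VaultKey(val key: SecretKey, val strongBox: Boolean)
class Record(val nonce: ByteArray, val ciphertext: ByteArray)

private fun generate(strongBox: Boolean): SecretKey {
    val purposes = KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    val spec = KeyGenParameterSpec.Builder(ALIAS, purposes)
        .setKeySize(256)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setIsStrongBoxBacked(strongBox)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

// Try StrongBox first; on devices without it, fall back and tell the caller.
fun createVaultKey(): VaultKey = try {
    VaultKey(generate(strongBox = true), strongBox = true)
} catch (e: StrongBoxUnavailableException) {
    VaultKey(generate(strongBox = false), strongBox = false)
}

fun seal(key: SecretKey, recordId: ByteArray, plaintext: ByteArray): Record {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key) // keystore picks a fresh random nonce per call
    cipher.updateAAD(recordId)            // authenticated, not encrypted
    return Record(cipher.iv, cipher.doFinal(plaintext))
}

fun unseal(key: SecretKey, recordId: ByteArray, record: Record): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, record.nonce))
    cipher.updateAAD(recordId)
    // doFinal throws if the ciphertext, nonce or recordId was altered.
    return cipher.doFinal(record.ciphertext)
}
```

The `strongBox` flag on the returned `VaultKey` is what a UI would surface to report that the key is not held in the dedicated security chip.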
🪪 Device-bound licensing
Your license is cryptographically tied to your specific hardware at issuance. This protects you and us — a leaked license can't be reused on another device, and you don't need to log in or maintain an account just to keep using software you paid for.
- License signed against hardware identifiers your seller verifies once at issuance
- No central server check after issuance — the app works offline forever
- No account, no password, no session token to leak or steal
- Reissue available via your seller if you change devices legitimately
🎯 Our threat model
Honesty matters more than marketing. Here's what Sentinel is and isn't designed to defend against.
Designed to defend against
Logical USB/ADB extraction · Stalkerware and hidden accessibility services · Spontaneous device seizure · Unencrypted photo metadata · Network downgrade attacks · Unauthorized reboots
Not designed to defend against
Targeted zero-day exploits from nation-state actors · Physical chip-off attacks · Compromised firmware shipped from the factory · Coerced password disclosure · Adversaries with arbitrary code execution before install
Any privacy tool that claims total protection against every threat is lying to you. We'd rather tell you exactly where the line is.
🔍 Auditability
Every root command Sentinel executes is logged locally to an append-only file you can inspect at any time. For anything that happens on your device, you can see exactly what happened, when, and why.
- Local audit log of every privileged operation
- Exportable diagnostic bundle (you choose when, you control where it goes)
- Independent security review channel — researchers can contact us at security@sentinelprivacy.xyz
- Coordinated disclosure: 90-day window, named credit, no legal threats for good-faith research
⚖️ Legal & data handling
Sentinel is built and operated by a small independent team. We're not subject to bulk-data programs because we don't have your data to hand over. The complete contents of our database that relate to you are: your buyer name, email, device identifier hash, and license issuance timestamp — and only because we need them to verify your purchase.
- GDPR-aligned data minimization — we collect only what's strictly necessary
- Right to deletion: contact us and we remove everything tied to your record
- No third-party data sharing, ever — not for marketing, not for "partners", not for analytics
- If we ever change our security posture or are compelled to, we publish a warrant canary
Questions? Audit requests? Bug reports?
Reach security@sentinelprivacy.xyz — we read every message.