Privacy Policy
Effective Date: February 22, 2026 · Last Updated: February 22, 2026
1. Introduction
ReaTech, Inc. ("ReaTech," "we," "us," or "our") operates the Sentinel compliance automation platform (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service, visit our website at reatech.io, or interact with us in any other way.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Your name (first and last name)
- Email address
- Company name
- Password (stored as a cryptographic hash using bcrypt — we never store your plaintext password)
- Role within your organization
2.2 Payment Information
Payment processing is handled entirely by Stripe, Inc. We do not store, process, or have access to your credit card numbers, bank account details, or other payment instrument data. When you subscribe, Stripe collects and processes your payment information in accordance with Stripe's Privacy Policy. We receive only a Stripe customer identifier and subscription status from Stripe.
2.3 Cloud Integration Credentials
To provide compliance evidence collection, you may connect your cloud accounts (AWS, GitHub, Google Workspace) to Sentinel. The credentials you provide (such as AWS access keys, GitHub personal access tokens, or Google Workspace OAuth tokens) are:
- Encrypted at rest using industry-standard AES-256 encryption with dedicated encryption keys
- Used solely to collect compliance evidence from your connected accounts
- Never shared with third parties
- Revocable at any time by disconnecting the integration
2.4 Compliance Evidence Data
When you run evidence collection, Sentinel retrieves configuration data and metadata from your connected cloud accounts. This may include:
- Security configurations (e.g., MFA settings, encryption policies, access controls)
- Resource metadata (e.g., resource IDs, types, regions)
- Access and activity logs relevant to compliance checks
- Repository settings and branch protection rules (GitHub)
- Workspace security settings (Google Workspace)
This data is processed to generate compliance assessments and is stored in association with your company account.
2.5 Usage Data
We automatically collect certain information when you use the Service, including:
- Pages visited and features used within Sentinel
- Session duration and interaction patterns
- Browser type, operating system, and device information
- IP address and approximate geographic location
- Referring URLs
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and maintain the Service — operating the Sentinel platform, authenticating users, and managing subscriptions
- Collect and analyze compliance evidence — connecting to your cloud accounts, running compliance checks, and generating evidence reports
- Generate compliance reports — producing SOC 2, ISO 27001, and executive summary audit reports
- Generate and manage policies — creating security and compliance policy documents tailored to your organization
- Process payments — managing subscriptions, billing, and invoicing through Stripe
- Send account communications — transactional emails, account notifications, and product updates
- Improve the Service — analyzing usage patterns to enhance features, fix bugs, and improve user experience
- Ensure security — detecting and preventing fraud, abuse, and unauthorized access
4. Data Storage and Security
We take the security of your data seriously. Our security measures include:
- Encryption in transit — all data is transmitted over TLS 1.2 or higher
- Encryption at rest — sensitive data, including cloud credentials, is encrypted using AES-256
- Secure infrastructure — hosted on AWS with SOC 2 certified infrastructure
- Access controls — strict role-based access controls for both users and internal personnel
- Regular security assessments — periodic vulnerability scanning and penetration testing
- Data isolation — each company's data is logically isolated from other tenants
For more details about our security practices, please visit our Security page.
5. Third-Party Services
We use the following third-party services in connection with the Service:
- Stripe — payment processing (see Stripe's Privacy Policy)
- Amazon Web Services (AWS) — cloud infrastructure hosting and, when connected by you, a source of compliance evidence
- GitHub — when connected by you, a source of compliance evidence related to code repository security
- Google Workspace — when connected by you, a source of compliance evidence related to workspace security settings
Each of these services has its own privacy policy governing how they handle data. We encourage you to review their policies.
6. Data Sharing and Disclosure
We do not sell your personal information. We may share your information only in the following circumstances:
- With your consent — when you explicitly authorize us to share information
- Service providers — with trusted third-party providers who assist us in operating the Service (e.g., Stripe for payments), under confidentiality obligations
- Legal requirements — when required by law, regulation, legal process, or governmental request
- Protection of rights — to protect the rights, property, or safety of ReaTech, our users, or the public
- Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to affected users
7. Data Retention
We retain your data as follows:
- Account data — retained for as long as your account is active. Upon account deletion, personal data is removed within 30 days.
- Compliance evidence — retained for as long as your account is active. Upon account deletion, evidence data is removed within 90 days.
- Generated policies and reports — retained for as long as your account is active and deleted upon account termination.
- Payment records — retained as required by tax and financial regulations (typically 7 years).
- Usage logs — retained for up to 12 months for analytics and security purposes.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete personal data
- Deletion — request deletion of your personal data (subject to legal retention requirements)
- Data portability — request a copy of your data in a structured, machine-readable format
- Opt-out of marketing — unsubscribe from marketing communications at any time
- Restrict processing — request that we limit how we process your data in certain circumstances
To exercise any of these rights, please contact us at nicholas@reatech.io. For EU/EEA-specific rights, please see our GDPR page.
9. Cookies
We use cookies and similar technologies for the following purposes:
- Essential cookies — required for authentication and session management. These cannot be disabled.
- Analytics cookies — help us understand how users interact with the Service. You may opt out of analytics cookies through your browser settings.
We do not use cookies for advertising or third-party tracking purposes.
10. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us at nicholas@reatech.io and we will take steps to remove that information.
11. International Data Transfers
Your information may be transferred to and processed in the United States, where our servers are located. If you are located outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States. We use appropriate safeguards, including Standard Contractual Clauses, to protect your data during international transfers. For more information, see our GDPR page.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by sending you an email notification. Your continued use of the Service after such changes constitutes your acceptance of the revised policy.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: nicholas@reatech.io
- Company: ReaTech, Inc.