Version | Date Issued | Update reason | Author |
1.0 | Dec 23 | Document created | Nick Lee |
2.0 | Dec 24 | Reviewed and reworked – adding individual services details. | Nick Lee |
2.1 | Mar 25 | Added word regarding iGel version of Armored Client | Nick Lee |
Review Date | Review comments | Approver |
SentryBay understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all our customers and our customers’ end users and will only collect and use personal data in a lawful and transparent manner.
As a ‘data subject’ you have a number of rights under the law with respect to our use of your personal data. This policy explains those rights and how to exercise them.
SentryBay is a limited company registered in England under company number 06370537. Registered address:
4th Floor, 24 Old Bond Street, London W1S 4AW
Main trading address: 20 Little Britain, London EC1A 7DH.
Data Protection Officer: Pete Simms.
Email address: [email protected].
Generic questions should be sent to
Email address: [email protected]
Under data protection law in the UK, including key legislation such as the UK GDPR and Data Protection Act 2018 and any successor legislation, (collectively, “the Data Protection Legislation”) individuals have important rights designed to protect them and their personal data.
This Policy sets out those rights, explains them in clear terms, and provides guidelines on how to exercise them.
Personal data is defined by the Data Protection Legislation as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
In simpler terms, personal data is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website.
SentryBay’s Armored Client collects basic end point data only. All data that is collected is encrypted at rest and no collected data is classified as sensitive or PII data.
The customer administrator of the admin portal will be able to see all data collected for their end users in the portal. The following information is collected.
ArmoredID Accounts are imported with the following information from SentryBay Business Customers portals:
We can collect the following data for the searches. However, if a contracted customer explicitly asks for the data NOT to be offered to their end customers, this data will be excluded:
The UK GDPR sets out your key rights as a ‘data subject’ as follows:
The following sections of this Policy explain each right in more detail. If you have any questions about any of your rights under the Data Protection Legislation, or require more detailed information, please contact our Data Protection Officer at dpo.sentrybay.com or the Information Commissioner’s Office (ICO).
We are required by law to respond to any request within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.
There is not normally a fee payable for exercising your right to data portability. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.
You have the right to be informed about our collection and use of your personal data. The information we provide must include details of the purpose or purposes for which your data is used, how long we keep it, and who (if anyone) it will be shared with.
This important privacy information is provided in this Privacy Policy.
If we collect data directly from you, the privacy information will be provided at the time the data is collected.
If we collect data about you from a third party, this privacy information will be provided to you as soon as possible and in any event no later than one month after we have obtained that data.
This right, also known as ‘subject access’, gives you the right to obtain a copy of any personal data that we hold about you as well as other supporting information.
This right is designed to help you understand how and why we use your data, and to check that we are using it lawfully.
You can exercise this right by making a ‘subject access request’. A subject access request can be made orally or in writing and the more detail you can provide, the easier it will be for us to respond quickly. There is no prescribed format for such requests. A Subject Access Request Form is available for you to use when making a request.
Under the Data Protection Legislation, you have the right to have inaccurate personal data corrected, or incomplete personal data completed.
As a ‘data controller’ we are required to take all reasonable steps to ensure that personal data we hold is accurate and, where necessary, kept up-to-date. Your right to rectification is closely tied to this obligation.
You can exercise this right by contacting us and asking for your data to be rectified if you believe it is incorrect, out-of-date, or incomplete. Requests for rectification can be made orally or in writing.
This right is also known as the ‘right to be forgotten’ and gives you the right to have your personal data deleted (or ‘otherwise disposed of’ if, for example, it is kept in paper records rather than electronically).
You can exercise this right by contacting us and asking for your data to be erased. Requests for erasure can be made orally or in writing.
Please note that the right to erasure is not an absolute right and there are certain circumstances set out in the Data Protection Legislation in which the right does not apply. For example, we may not have to erase your personal data if we need it to comply with a legal obligation. If any of these circumstances apply, we will explain why your personal data cannot be erased when responding to your request for erasure.
You have the right to request the restriction or suppression of your personal data. In practice, this is an alternative to having your personal data erased. This means that you can limit the way in which we use your personal data, while still allowing us to retain it.
Please note that the right to restrict processing is not an absolute right and only applies in certain circumstances as follows:
You can exercise this right by contacting us and asking for the processing of your data to be restricted. Requests for the restriction of processing can be made orally or in writing.
Where we are processing your personal data either with your consent or for the performance of a contract between us, and we are using automated means of processing (i.e. not using paper files), you have the right to obtain a copy of your personal data in a commonly-used format for use with another organisation. You can also request that we send your personal data directly to another organisation.
This right is designed to enable you to easily move, copy, or transfer your personal data from one organisation’s IT system to another organisation’s IT system in a safe and secure way, without affecting its usability.
Please note that this right only applies to personal data that you have provided to us as well as data that we may obtain from your activities on our website SentryBay.com such as usage history. It does not include additional data that we may create based upon the data you have provided or to data that has been anonymised. In some cases, more personal data relating to you may be available under your right of access.
Where we are processing your personal data on the basis of our ‘legitimate interests’, you have the right to object to us processing your personal data.
You also have the absolute right to object to us using your personal data for direct marketing purposes.
If you object to us using your personal data for direct marketing purposes, your right to do so is absolute and we have no grounds on which to refuse.
If you object to us using your personal data on the basis of our ‘legitimate interests’, please note that your right to do so is not absolute. When making your request to exercise this right, you must give specific reasons for your objection based upon your particular situation. We can continue using your personal data if we can demonstrate ‘compelling legitimate grounds’ which override your interests, rights, and freedoms; or if the processing is necessary for the establishment, exercise, or defence of legal claims. Additional limitations apply if your personal data is being processed for research purposes.
You can exercise this right by contacting us and stating your objection to the processing of your personal data for the relevant purpose or purposes, providing an explanation if required (see previous paragraph). Objections to processing can be made orally or in writing. You can also object to our processing of your personal data for direct marketing purposes only by sending an email to [email protected]
We are required by law to respond to your request within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.
There is not normally a fee payable for exercising your right to object. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.
You have the right to withdraw your consent to the processing of your personal information. Data protection law says that you must be able to opt out at any time that you choose, on your own initiative and without suffering any detriment.
If you choose to withdraw your consent, SentryBay can no longer rely on consent as the lawful basis for the processing. The organisation will need to stop any processing that was based on consent as soon as possible.
It should be as easy for you to withdraw consent as it was to give it. This means the process of withdrawing consent should be an easily accessible one-step process. If possible, you should be able to withdraw your consent using the same method as when you gave it.
Finally, if you wish for a third party to act on your behalf and withdraw your consent, you’ll need to demonstrate to the organisation that the third party has the authority from you to do so.
We do not carry out automated decision-making (i.e. making a decision using automated means only, without any human involvement) using your personal data.
You have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal or ‘similarly significant’ effects.
You have the right to challenge decisions made in this way and can:
You can exercise this right by contacting us and stating that you wish to ask about or challenge a decision made using your personal data by solely automated means, telling us which of the above challenges (a, b, and/or c) you wish to bring. You can contact us orally or in writing.
Our lawful basis for collecting or using personal information to provide services and goods is:
Contract – we collect device and user information to allow the owner of the data services protected by Armored Client to manage users and user profile configuration. All of your data protection rights may apply except the right to object.
Our lawful basis for collecting or using personal information for legal requirements is:
We collect personal information for the operation of customer accounts and guarantees
Where do we get personal information from?
Directly from the contracted customer that has chosen to protect their services with Armored Client
How long do we keep information?
We keep information on SentryBay systems so long as you remain employed by, contracted to or require access to Armored Client protected systems. The contracted customer of SentryBay will manage all Armored Client users and is responsible for ensuring that their user data is accurate and is used and retained lawfully.
Our lawful basis for collecting or using personal information to provide services and goods is:
Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Where do we get personal information from?
Directly from you, via the ArmoredID application
SentryBay’s Data Management policy states the following about data retention: “SentryBay shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data.
Personally identifiable information (PII) shall be deleted or de-identified as soon as it no longer has a business use.”
SentryBay will remove data associated with a contract within a month of the contract termination date, or on request from an individual.
We keep information only whilst you require access to the systems protected by Armored Client or until the contract for Armored Client services ends. All data will be removed within 1 month of a contract ending. User requests should be made to the data controller for each SentryBay customer that has procured SentryBay’s services.
We keep information only whilst we have your permission to hold the data or until the contract with the ArmoredID service ends. All data will be removed within 1 month of notice being given to us.
SentryBay shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data.
Personally identifiable information (PII) shall be deleted or de-identified as soon as it no longer has a business use.
We do not share Armored Client end user data with any third party.
MarketScape is a data processor that provides darkweb breach data that SentryBay uses as part of its Dark Web search process.
We do not have visibility of, or share, Armored Client end user data with any third party in or outside the UK.
Where necessary, we may transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.
Organisation name: MarketScape
Category of recipient: Data processor
Country the personal information is sent to: Denmark
Data is transferred using a secure API and is checked against their DarkWeb breach repository. However, the data is not stored by MarketScape, nor is it accessible by any of their employees. The transfer complies with UK data protection law as the UK government permits the transfer of data from the UK to the European Economic Area (EEA), which includes Denmark, without the need for new arrangements.
For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.
To exercise any of your rights as a data subject, please contact our Data Protection Officer (“DPO”) Pete Simms via:
Email: [email protected]
Post: 20 Little Britain, London EC1A 7DH;
When contacting us always provide the following information:
Your full name;
Your address;
Your telephone number;
Your email address;
Additional information will be needed depending on the right being exercised. This information is detailed below:
Details of the information being requested.
Details of the information you wish to have rectified; and
(Where relevant) any information that supports your request or otherwise provides evidence of the need for rectification.
Details of the information you wish to have erased; and
(Where relevant) any information that supports your request or otherwise justifies the need to have the data erased.
Details of the processing you wish to restrict or object to;
Details of why you want the processing to be restricted or why you object to it; and
(Where relevant) any information that supports your request or otherwise provides evidence of the need for processing to be restricted or stopped.
Details of the personal data you wish to use with another service or organisation, also stating whether you require a copy of that data for yourself or whether you would like us to transfer it directly to the other service or organisation; and
(Where relevant) any information that supports your request.
Details of the decision that you wish us to explain or review, also stating whether you would like us to explain the decision, if you are requesting human intervention, wish to express your own point of view about the decision, or wish to challenge the decision; and
(Where relevant) any information that supports your request.
We will always respond quickly to your request to exercise any of your rights in relation to your personal data. We will acknowledge receipt without undue delay and will provide a complete response to your request as quickly as possible. Normally, as stated above, this will be within one calendar month of receipt of your request. If additional time is required, we will contact you within the first calendar month to explain why the delay is necessary.
If you have any cause for complaint about our use of your personal data, or about our handling of your request to exercise your rights under this Policy, we would welcome the opportunity to resolve your concerns. Please contact us using the details set out in the right to object section above.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the Information Commissioner’s Office (ICO).
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113