Data Processing Agreement
A short, plain-English agreement about how we look after the customer data you share with us. It satisfies UK GDPR Article 28.
This agreement is between you - the business that signs up to send us your leads (the “Customer”) - and us, Thomas Paul Hardiman, trading as Sentinay, based at 12 Wychwood Avenue, Lymm, Cheshire, WA13 0NE.
It takes effect when you first send us your list of leads (see How we agree this below). You are the data controller. We are the data processor working for you.
What we'll be doing
You'll send us a list of people who previously enquired about your services but never went ahead. We'll text and email them on your behalf to try and get them back on the table, and we'll send any interested leads to you.
What data we'll have
Whatever you choose to send us about your past enquiries. Typically that's some mix of:
- Names, email addresses, mobile phone numbers
- The service they originally enquired about
- Date and channel of their original enquiry
What we'll do with it
- Complete the campaign(s) we've agreed on
- Handle replies with AI
- Pass any interested leads back to you
What we won't do with it
- Share it with anyone outside this agreement
- Use it to market our own services
- Train AI models on it
- Use it to help any other customer
- Sell it
The only people who see your data outside our team are the named tools we use to deliver the service (database, email, SMS, AI - all listed at the bottom). They're all contractually bound to the same terms and GDPR.
How we keep it safe
- Multi-factor authentication on every admin account
- Encrypted in transit and at rest
- Only the people who need to access it can
- No production data on personal laptops
- Everyone on our side is under a confidentiality duty
If something does go wrong, we'll tell you within 24 hours of finding out - what happened, who was affected, and what we're doing about it.
If you ever want to verify we're sticking to what's in this agreement, just ask. We'll share whatever records you need, and we'll help with any data protection impact assessment or ICO query you need to handle.
If someone wants their data removed
If anyone we contact replies “stop” / “unsubscribe” or asks to be removed, we stop contacting them immediately and add them to a suppression list.
If anyone asks us directly to see, correct, or delete their data, we pass it to you within 2 business days for you to handle. We'll help if you need us to.
When the engagement ends
When we stop providing the service - for any reason - we'll either return your data in a CSV or delete it, whichever you prefer, within 30 days. We'll confirm in writing once it's done.
Your side of things
You confirm:
- You collected the data lawfully.
- You're not sending us anyone who's already opted out of marketing.
- You'll only ask us to do lawful things with the data. If we think an instruction crosses a line, we'll tell you and pause.
- You won't send us anything sensitive (health, race, religion, etc.). If something accidentally slips through, we'll delete it.
If things go wrong
Each side is responsible for the damage caused by their own breach of this agreement. Neither side can claim indirect losses (like lost profits) from the other.
Ending the agreement
Either side can end this with 14 days' written notice - an email to the addresses below counts. The deletion clause above still applies. The confidentiality, liability, and breach-notification commitments survive after termination.
The legal small print
The laws of the United Kingdom apply. Either party may bring a claim in any UK court of competent jurisdiction.
How to reach us
Email us at tom@sentinay.com. We'll reach you at the email address you sign up with.
How we agree this
When you send us your list of leads - by replying to the email we send you - that counts as you accepting these terms. No signature or formal document needed. We'll keep your reply on file as the record of acceptance.
Tools we use to deliver the service (“sub-processors”)
| Tool | What it does | Where it processes data |
|---|---|---|
| Supabase | Database | EU (Frankfurt) |
| Mailgun | Sends emails | EU |
| Twilio | Sends texts | EU / US |
| Anthropic (Claude) | AI for handling replies | US - they don't train on your data |
| Railway | Hosts our app | US |
| Vercel | Hosts our dashboard | EU (Frankfurt) |
For tools outside the UK, we use the standard UK transfer agreements (UK Addendum to EU Standard Contractual Clauses) and have completed a transfer impact assessment. If this list changes, we'll give you 30 days' written notice before the change takes effect. If you're not happy with a new addition, you can object - and if we can't resolve it, you can end the service.