Data Processing Agreement

A short, plain-English agreement about how we look after the customer data you share with us. It satisfies UK GDPR Article 28.

This agreement is between you - the business that signs up to send us your leads (the “Customer”) - and us, Thomas Paul Hardiman, trading as Sentinay, based at 12 Wychwood Avenue, Lymm, Cheshire, WA13 0NE.

It takes effect when you first send us your list of leads (see How we agree this below). You are the data controller. We are the data processor working for you.

What we'll be doing

You'll send us a list of people who previously enquired about your services but never went ahead. We'll text and email them on your behalf to try and get them back on the table, and we'll send any interested leads to you.

What data we'll have

Whatever you choose to send us about your past enquiries. Typically that's some mix of:

  • Names, email addresses, mobile phone numbers
  • The service they originally enquired about
  • Date and channel of their original enquiry

What we'll do with it

  • Complete the campaign(s) we've agreed on
  • Handle replies with AI
  • Pass any interested leads back to you

What we won't do with it

  • Share it with anyone outside this agreement
  • Use it to market our own services
  • Train AI models on it
  • Use it to help any other customer
  • Sell it

The only people who see your data outside our team are the named tools we use to deliver the service (database, email, SMS, AI - all listed at the bottom). They're all contractually bound to the same terms and GDPR.

How we keep it safe

  • Multi-factor authentication on every admin account
  • Encrypted in transit and at rest
  • Only the people who need to access it can
  • No production data on personal laptops
  • Everyone on our side is under a confidentiality duty

If something does go wrong, we'll tell you within 24 hours of finding out - what happened, who was affected, and what we're doing about it.

If you ever want to verify we're sticking to what's in this agreement, just ask. We'll share whatever records you need, and we'll help with any data protection impact assessment or ICO query you need to handle.

If someone wants their data removed

If anyone we contact replies “stop” / “unsubscribe” or asks to be removed, we stop contacting them immediately and add them to a suppression list.

If anyone asks us directly to see, correct, or delete their data, we pass it to you within 2 business days for you to handle. We'll help if you need us to.

When the engagement ends

When we stop providing the service - for any reason - we'll either return your data in a CSV or delete it, whichever you prefer, within 30 days. We'll confirm in writing once it's done.

Your side of things

You confirm:

  • You collected the data lawfully.
  • You're not sending us anyone who's already opted out of marketing.
  • You'll only ask us to do lawful things with the data. If we think an instruction crosses a line, we'll tell you and pause.
  • You won't send us anything sensitive (health, race, religion, etc.). If something accidentally slips through, we'll delete it.

If things go wrong

Each side is responsible for the damage caused by their own breach of this agreement. Neither side can claim indirect losses (like lost profits) from the other.

Ending the agreement

Either side can end this with 14 days' written notice - an email to the addresses below counts. The deletion clause above still applies. The confidentiality, liability, and breach-notification commitments survive after termination.

The legal small print

The laws of the United Kingdom apply. Either party may bring a claim in any UK court of competent jurisdiction.

How to reach us

Email us at tom@sentinay.com. We'll reach you at the email address you sign up with.

How we agree this

When you send us your list of leads - by replying to the email we send you - that counts as you accepting these terms. No signature or formal document needed. We'll keep your reply on file as the record of acceptance.

Tools we use to deliver the service (“sub-processors”)

ToolWhat it doesWhere it processes data
SupabaseDatabaseEU (Frankfurt)
MailgunSends emailsEU
TwilioSends textsEU / US
Anthropic (Claude)AI for handling repliesUS - they don't train on your data
RailwayHosts our appUS
VercelHosts our dashboardEU (Frankfurt)

For tools outside the UK, we use the standard UK transfer agreements (UK Addendum to EU Standard Contractual Clauses) and have completed a transfer impact assessment. If this list changes, we'll give you 30 days' written notice before the change takes effect. If you're not happy with a new addition, you can object - and if we can't resolve it, you can end the service.