Privacy Policy

1. Controller

The controller of your personal data is M2HP TECNOLOGIA LTDA, registered under CNPJ 48.498.639/0001-75, headquartered at Av. Osvaldo Reis, nº 3385, Sala 2004, Ed. Riviera Concept, Praia Brava, Itajaí/SC, Brazil.

2. Data Protection Officer (DPO)

Data Protection Officer (DPO) — LGPD art. 41:

• Name: Carolline Mamede
• Contact: dpo@m2hp.com.br

3. Data we collect

Registration:

• Name and email
• Password (stored only as a bcrypt hash — we have no access to the plaintext)
• Preferred language and timezone
• 2FA configuration when enabled (encrypted TOTP secret)

Service use:

• Data of the monitors you register (URLs, intervals, settings)
• Check results (status, response time, observed certificates)
• Security audit findings and their targets
• Configured notification channels (webhooks, Telegram tokens, etc.)

Operational:

• Authentication logs (date, IP, user-agent) — for security auditing
• Internal audit trail of relevant actions (create/edit/delete resources)

What we do NOT collect: browsing data of your visitors on your status pages (no third-party analytics), data of who accesses your monitors, card financial data (processed by a certified gateway when implemented).

4. Purposes of processing

• Provide the contracted service (run monitors, generate alerts, run audits)
• Operational communication (incident notifications, requested reports)
• Technical support
• Compliance with legal and tax obligations
• Fraud and abuse detection (rate limits, anomalous usage patterns)

5. Legal bases (LGPD art. 7)

• Contract performance (art. 7, V): data needed to provide the contracted Service
• Compliance with legal obligation (art. 7, II): tax and accounting data
• Legitimate interest (art. 7, IX): security logs and fraud detection
• Consent (art. 7, I): marketing communications (always optional; clear opt-out)

6. Sharing

We don’t sell data. We share only with:

• Strictly necessary processors: hosting provider, transactional email gateway, future payment gateway. Each under contract with LGPD clauses
• Public authorities: only upon a valid court order or legal request

When you use integrations involving third parties (Telegram, Slack, PagerDuty, webhooks), the data we send them also becomes subject to each one’s privacy policy.

7. Cookies and tracking

Sentinela uses only strictly necessary and functional cookies. We don’t use analytics, don’t use third-party trackers, don’t share with ad networks. We practice what we preach.

Cookies in use:

• sentinela_session · essential · Identifies your authenticated session. Without it, you can’t stay logged in. Legal basis: contract performance (LGPD art. 7, V).
• XSRF-TOKEN · essential · CSRF token that protects against cross-site attacks. Without it, forms are vulnerable. Legal basis: legitimate security interest (art. 7, IX).
• localStorage sentinela.cookie-banner.dismissed · functional · Remembers you already dismissed the cookie banner, so it isn’t shown again. It’s local to your browser, doesn’t go to our server.
• Language preference (via query string + session) · functional · Remembers whether you chose PT-br, EN or ES.

What we do NOT use:

• Google Analytics, GA4, Tag Manager
• Meta Pixel, Facebook Conversions API
• Hotjar, FullStory or any session replay
• Remarketing or ad-network cookies
• Device fingerprinting

For web fonts, we use fonts.bunny.net, a privacy-friendly alternative to Google Fonts that uses no cookies and doesn’t log IP beyond what’s needed to deliver the file.

Since our cookies are all essential or functional, the LGPD doesn’t require us to ask for prior consent. Even so, we show a discreet banner to every new visitor for transparency — because we think trust is built by explaining, not hiding.

8. Retention

• Account data: kept while the account is active
• After cancellation: 30 days of read-only retention for export, then deletion
• Internal audit logs: retained for up to 12 months for security purposes
• Tax data (invoices, bills): retained for the legal period (5 years)

9. Data-subject rights (LGPD art. 18)

You may, at any time, request:

• Confirmation that your data is being processed
• Access to the data we hold about you
• Correction of incomplete, inaccurate or outdated data
• Anonymization, blocking or deletion of unnecessary or excessive data
• Portability of the data to another provider
• Deletion of data processed based on your consent
• Information about whom we share your data with
• Revocation of consent

To exercise any right, write to dpo@m2hp.com.br. We will respond within 15 days.

10. Security

We adopt reasonable technical and organizational measures:

• Passwords stored with bcrypt
• 2FA secret and recovery tokens encrypted at rest
• Client-server communication always over HTTPS (TLS 1.2+)
• Security headers (HSTS, CSP, X-Frame-Options, etc.)
• Optional 2FA TOTP available on all plans
• Internal audit trail of relevant actions
• Multi-tenant isolation at the query level (each user only sees their own data)

In the event of a security incident that may pose a relevant risk to data subjects, we will notify the ANPD and the affected subjects per LGPD art. 48.

11. International transfer

Our service is hosted in Brazil. Any international transfers (e.g., transactional email provider) occur only to countries offering an adequate level of data protection per LGPD art. 33, or under specific contractual clauses.

12. Changes to this policy

We may update this policy. Relevant changes will be communicated by email 30 days in advance. The current version is always available at /legal/privacidade with date and version number.

13. ANPD

If you believe your rights have been violated, you may also contact the National Data Protection Authority — ANPD (gov.br/anpd).