Biometric Privacy Policy

Sentinel CPO is engineered on a single governing principle: your biometric and acoustic data is never accessed, reviewed, or interpreted by any human being. All biometric processing is performed exclusively by isolated AI inference environments. Where a quality review function exists for AI-generated outputs, it is limited to the final document — never the signals, recordings, or data that produced it.

1. Scope and Application

This Biometric Privacy Policy ("Policy") describes how Sentinel CPO LLC ("Sentinel CPO," "we," "us," or "our") collects, processes, stores, and destroys biometric and personal data in connection with the Sentinel CPO platform and Service.

This Policy applies to all licensed users of the Sentinel CPO Service and supplements our Terms of Service. By activating your license, you consent to the data practices described herein.

2. Categories of Data Collected

Data Category	Specific Data Points	Source	Purpose
Biometric Telemetry	Heart Rate Variability (HRV), Resting Heart Rate (RHR), Sleep Score, Sleep architecture data	Oura Ring via Oura Cloud API	Performance modeling, daily prompt generation, Sunday Briefing synthesis
AI Check-in Session Metadata	Structured performance data extracted at session close: scores per dimension (State, Priority, Friction, Alignment 1–10), thematic labels, behavioral flags, session summary (2–3 sentences, no verbatim content), session duration, and questions-covered count. No audio recordings or transcripts are stored.	AI voice conversation session (ElevenLabs Conversational AI), processed server-side at session close	Longitudinal performance analysis, trend detection, Sunday Briefing synthesis, daily prompt personalization
Assessment Responses	Professional context, friction points, strategic objectives, 90-day and 12-month goals	Onboarding assessment (text)	Baseline calibration, prompt personalization
Account Data	Name, email address, billing address (used exclusively for shipping and billing — never surfaced in platform intelligence operations)	Enrollment form, Stripe checkout	Account management, billing, hardware shipping only
Platform Usage	Login timestamps, check-in completion dates, briefing access logs	Platform activity	Service delivery, CRON scheduling, account health

3. Pseudonymous Client Identification

Upon enrollment, each Client is assigned a permanent pseudonymous Client ID (format: CPO-XXXX). This identifier — not the Client's name or email — is used across all platform intelligence operations, including:

AI-generated briefing documents (baseline assessments and Sunday Briefings)
Daily check-in prompt generation
Performance Manager review queue
Internal operational logs and system references

The Client's real name and contact information are collected once at enrollment and used solely for hardware shipping, payment processing, and legal agreement execution. These identifiers are never transmitted to AI processing systems, never appear in generated briefing content, and are not accessible to personnel conducting routine operational functions.

The Client ID is deterministically derived from the Client's account identifier using a one-way function. It cannot be reversed to identify the Client without access to the authentication record.

The Performance Manager responsible for approving Sunday Briefings sees a Client ID — not a name, not an email, not an employer. Identity disclosure is never required for the delivery of intelligence services and is structurally prevented by the platform's operational design.

4. Zero Human Access Architecture

Sentinel CPO's core privacy guarantee is Zero Human Access to all biometric and acoustic data. This means:

No Sentinel CPO employee, contractor, or affiliate ever listens to, reads, or reviews your voice recordings or transcripts.
No Sentinel CPO personnel access your biometric telemetry (HRV, RHR, sleep data) in its raw or processed form.
All data pipeline routing is automated. Human involvement, where it exists, is limited to output quality review only — never to biometric inputs, voice recordings, or transcripts.
The platform is architected toward full autonomous operation. Any current quality review function is a temporary safeguard applied to AI-generated documents only, not to the data that produced them.

Where a quality review step exists, it operates on the AI-generated output document only — never on the biometric signals, voice recordings, transcripts, or assessment responses that informed it. The reviewer sees a CPO-XXXX Client ID. They do not see your name, your employer, or your raw data.

5. How Data is Processed

4.1 Biometric Data

Biometric data is retrieved nightly from the Client's authorized biometric hardware platform via OAuth 2.0 tokens exclusively authorized by the Client. HRV, RHR, and sleep scores are stored in an encrypted database and processed by an AI language model for performance analysis. Raw sensor data beyond these three metrics is not retained by Sentinel CPO.

4.2 AI Voice Check-in Sessions

Daily check-in sessions are conducted via a real-time AI voice conversation powered by ElevenLabs Conversational AI. The conversation occurs directly between the Client and the AI agent. No audio recording is captured or stored by Sentinel CPO at any point. No transcript of the conversation is retained. At the conclusion of each session, the AI agent extracts structured session performance metadata — numerical scores, thematic labels, behavioral flags, and a brief pattern-level summary containing no verbatim client statements — and transmits this metadata to Sentinel CPO's encrypted database. The conversation itself is processed ephemerally by ElevenLabs and is not retained beyond the active session window.

4.3 AI Processing

Transcripts, biometric data, and assessment responses are processed by a large language model for the generation of daily prompts and Sunday Briefings. This processing occurs via encrypted API calls to the AI provider's infrastructure. Sentinel CPO's agreement with its AI provider expressly prohibits use of Client data for model training or fine-tuning.

6. Third-Party Service Providers

Sentinel CPO uses the following categories of third-party sub-processors to deliver the Service. Each is bound by data processing agreements and industry-standard security practices:

Category	Role	Data Accessed
Encrypted Cloud Database & Storage	Database, authentication, and file storage infrastructure	All platform data (encrypted at rest and in transit)
AI Language Model Provider	Large language model inference for prompt generation and briefing synthesis	Transcripts, biometric summaries, and assessment context (via API — not retained for training)
AI Voice Conversation Provider (ElevenLabs)	Real-time conversational AI agent for daily check-in sessions — speech recognition, AI reasoning, and voice synthesis	Live audio stream during the session only — not retained by ElevenLabs beyond the active session. No recordings or transcripts are stored by either party.
AI Voice Synthesis Provider (Deepgram)	Text-to-speech synthesis for scripted prompt audio (introductions, preambles)	Text content only — not retained by provider beyond the synthesis window
Biometric Hardware & Cloud Platform	Wearable biometric device and associated cloud API	Biometric telemetry (Client-authorized via OAuth 2.0 — Client may revoke at any time)
Payment Processor	PCI-DSS compliant payment processing	Billing and payment information only — never stored by Sentinel CPO
Transactional Email Provider	Delivery of system notifications and briefing alerts	Email address and notification content only
Cloud Application Host	Application compute and global delivery	Application runtime only — no persistent Client data storage

Sentinel CPO does not sell, rent, or trade Client data to any third party for marketing, advertising, or commercial purposes. The specific vendors engaged in each category are disclosed to Clients upon written request submitted via the Privacy/CCPA inquiry form.

7. Data Security

Sentinel CPO employs the following security measures:

Encryption at rest: All database records and stored files are encrypted using AES-256.
Encryption in transit: All data transmissions use TLS 1.2 or higher.
Access controls: Row-Level Security (RLS) policies enforce strict data isolation between client accounts. No client can access another client's data under any circumstances.
Signed URLs: Audio file uploads use time-limited, cryptographically signed URLs — no persistent public access paths exist for audio data.
Service role isolation: Administrative database access is restricted to server-side CRON processes and webhook handlers. Client-facing application code operates under restricted permissions.

8. Data Retention and Ephemeral Lifecycle

Sentinel CPO operates under a strict Ephemeral Data Lifecycle. For complete technical details, see our Ephemeral Data Architecture policy.

Summary of retention periods:

Audio recordings: Not applicable — no audio is recorded or stored at any point. Check-in sessions are conducted via real-time AI voice conversation; the audio stream is processed ephemerally and discarded at session close.
Session performance metadata and biometric records: Retained for the duration of the active Subscription Term to enable briefing synthesis and longitudinal performance trending.
Account and assessment data: Retained for the duration of the active Subscription Term plus 30 days for billing resolution purposes.
Upon termination: All Client data — including transcripts, biometrics, briefings, and assessment responses — is permanently deleted within 30 days of license termination. This deletion is irreversible.

9. Client Rights

Clients have the following rights with respect to their data:

Access: Request a summary of the categories of data held on your account.
Correction: Request correction of inaccurate account or profile data.
Deletion: Request deletion of all data prior to the standard termination lifecycle via the Privacy/CCPA inquiry form. Note: deletion of active account data will result in service termination and applicable fees.
Portability: Request an export of your assessment responses and briefing documents in PDF or JSON format.
Revocation of Oura Authorization: Clients may revoke Sentinel CPO's Oura API access at any time via the Oura app settings. This will suspend biometric data sync but does not terminate the subscription.

10. HIPAA and Healthcare Compliance

Sentinel CPO is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and does not process Protected Health Information (PHI) as defined by HIPAA. The biometric data processed by Sentinel CPO is used exclusively for professional performance optimization and does not constitute a medical record.

Sentinel CPO does not enter into Business Associate Agreements (BAAs) in connection with the Service.

11. California Privacy Rights (CCPA)

California residents have specific rights under the California Consumer Privacy Act (CCPA). As a B2B enterprise service, Sentinel CPO primarily processes data in a business-to-business context. California residents who are individual subscribers may exercise their rights under CCPA via the Privacy/CCPA inquiry form. Sentinel CPO does not sell personal information as defined by the CCPA.

11. Policy Updates

Sentinel CPO may update this Policy to reflect changes in our data practices or applicable law. We will notify active Clients of material changes via the email address on file at least 14 days prior to the change taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

12. Contact

For privacy-related inquiries, data subject requests, or security concerns:

Sentinel CPO LLC — Privacy
Submit a Privacy/CCPA inquiry →