Sentinel CPO is engineered on a single governing principle: your biometric and acoustic data is never accessed, reviewed, or interpreted by any human being. All biometric processing is performed exclusively by isolated AI inference environments. Where a quality review function exists for AI-generated outputs, it is limited to the final document — never the signals, recordings, or data that produced it.
This Biometric Privacy Policy ("Policy") describes how Sentinel CPO LLC ("Sentinel CPO," "we," "us," or "our") collects, processes, stores, and destroys biometric and personal data in connection with the Sentinel CPO platform and Service.
This Policy applies to all licensed users of the Sentinel CPO Service and to Trial Enrollment participants, and supplements our Terms of Service. By activating your license, or by completing the Trial Enrollment signup and providing clickwrap consent, you consent to the data practices described herein as applicable to your participation tier.
| Data Category | Specific Data Points | Source | Purpose |
|---|---|---|---|
| Biometric Telemetry | Composite performance scores (readiness score, sleep score, activity score, 0–100); cardiovascular signals (heart rate variability / HRV, resting heart rate / RHR, respiratory rate); sleep architecture data (total sleep duration, deep sleep, REM sleep, light sleep, awake time, sleep efficiency, sleep latency); body temperature deviation from personal 30-day baseline; readiness contributor sub-scores (HRV balance, body temperature, resting heart rate, sleep balance, activity balance, recovery index) | Oura Ring via Oura Cloud API | Performance modeling, daily prompt generation, Sunday Briefing synthesis |
| AI Check-in Session Metadata | Structured performance data extracted at session close: scores per dimension (State, Priority, Friction, Alignment 1–10), thematic labels, behavioral flags, session summary (2–3 sentences, no verbatim content), session duration, and questions-covered count. No audio recordings or transcripts are stored. | AI voice conversation session, processed server-side at session close | Longitudinal performance analysis, trend detection, Sunday Briefing synthesis, daily prompt personalization |
| Assessment Responses | Professional context, friction points, strategic objectives, 90-day and 12-month goals | Onboarding assessment (text) | Baseline calibration, prompt personalization |
| Account Data | Name, email address, billing address (used exclusively for shipping and billing — never surfaced in platform intelligence operations) | Enrollment form, Stripe checkout | Account management, billing, hardware shipping only |
| Platform Usage | Login timestamps, check-in completion dates, briefing access logs | Platform activity | Service delivery, CRON scheduling, account health |
| Trial Enrollment Data | Diagnostic session responses (text); AI voice check-in session performance metadata (numerical scores, thematic labels, behavioral flags, brief pattern-level session summary — no audio recordings or transcripts retained); biometric telemetry if an Oura Ring is optionally connected by the participant (same metrics enumerated in the Biometric Telemetry row above) | Trial diagnostic form (text); AI voice conversation sessions, processed server-side at session close; Oura Cloud API (if participant optionally connects existing ring) | Day 7 Executive Cognitive Brief synthesis only; carried forward into Client record upon Day 8 Calibration Pilot conversion; permanently deleted within 30 days if Trial is cancelled before Day 8 |
Upon enrollment, each Client is assigned a permanent pseudonymous Client ID (format: CPO-XXXX). This identifier — not the Client's name or email — is used across all platform intelligence operations, including:
The Client's real name and contact information are collected once at enrollment and used solely for hardware shipping, payment processing, and legal agreement execution. These identifiers are never transmitted to AI processing systems, never appear in generated briefing content, and are not accessible to personnel conducting routine operational functions.
The Client ID is deterministically derived from the Client's account identifier using a one-way function. It cannot be reversed to identify the Client without access to the authentication record.
Where quality review occurs, the reviewer sees only a Client ID — not a name, not an email, not an employer. Identity disclosure is never required for the delivery of intelligence services and is structurally prevented by the platform's operational design.
Trial Enrollment Participants. Trial participants are not assigned a CPO-XXXX Client ID. During the Trial, participants are identified in Sentinel CPO's internal systems by an enrollment ID (UUID) generated at the time of Trial signup. This identifier is referenced in trial session records and the Day 7 Executive Cognitive Brief. The CPO-XXXX pseudonymous identifier is assigned only upon commencement of the Calibration Pilot.
Sentinel CPO's core privacy guarantee is Zero Human Access to all biometric and acoustic data. This means:
Where a quality review step exists, it operates on the AI-generated output document only — never on the biometric signals, voice recordings, transcripts, or assessment responses that informed it. The reviewer sees a CPO-XXXX Client ID. They do not see your name, your employer, or your raw data.
Biometric data is retrieved nightly from the Client's authorized biometric hardware platform via OAuth 2.0 tokens exclusively authorized by the Client. The complete set of metrics retrieved and stored is enumerated in the Section 2 data table above, and includes: composite performance scores (readiness, sleep, activity); cardiovascular signals (HRV, RHR, respiratory rate); full sleep architecture detail (total sleep duration, deep sleep, REM sleep, light sleep, awake time, sleep efficiency, sleep latency); body temperature deviation from personal baseline; and readiness contributor sub-scores (HRV balance, body temperature, resting heart rate, sleep balance, activity balance, recovery index). All data is stored in an encrypted database and processed by an AI language model for performance analysis. Sensor data outside this enumerated set is not retrieved or retained.
Daily check-in sessions are conducted via a real-time AI voice conversation. The conversation occurs directly between the Client and the AI agent. No audio recording is captured or stored by Sentinel CPO at any point. No transcript of the conversation is retained. At the conclusion of each session, the AI agent extracts structured session performance metadata — numerical scores, thematic labels, behavioral flags, and a brief pattern-level summary containing no verbatim client statements — and transmits this metadata to Sentinel CPO's encrypted database. The conversation itself is processed ephemerally by the voice AI provider and is not retained beyond the active session window.
Transcripts, biometric data, and assessment responses are processed by a large language model for the generation of daily prompts and Sunday Briefings. This processing occurs via encrypted API calls to the AI provider's infrastructure. Sentinel CPO's agreement with its AI provider expressly prohibits use of Client data for model training or fine-tuning.
Trial Enrollment participants access seven (7) daily voice check-in sessions via email-linked portal pages (no account login required). These sessions use the same real-time AI voice conversation architecture described in Section 5.2. No audio recording is captured or stored at any point. No transcript is retained. At the conclusion of each session, the AI agent extracts structured session performance metadata — numerical scores, thematic labels, behavioral flags, and a brief pattern-level summary containing no verbatim client statements — and transmits this metadata to Sentinel CPO's encrypted database for use exclusively in generating the Day 7 Executive Cognitive Brief.
Biometric Integration During Trial. Trial participants may optionally connect an existing Oura Ring to the platform. If connected, biometric telemetry as enumerated in the Section 2 data table is retrieved via the Oura Cloud API and integrated into the Day 7 brief. No biometric hardware is procured or shipped by Sentinel CPO as part of the Trial. Oura connection is not required.
Trial Data Retention. If the Trial converts to the Calibration Pilot on Day 8, Trial data is carried forward into the Client's platform record and governed by Section 8. If the participant cancels before Day 8, all Trial data — including diagnostic responses, session metadata, and (if applicable) biometric telemetry — is permanently deleted within 30 days of the cancellation date pursuant to the Ephemeral Data Lifecycle. Trial data is never used for model training, marketing, or any purpose beyond the Trial and subsequent Service delivery.
Sentinel CPO uses the following categories of third-party sub-processors to deliver the Service. Each is bound by data processing agreements and industry-standard security practices:
| Category | Role | Data Accessed |
|---|---|---|
| Encrypted Cloud Database & Storage | Database, authentication, and file storage infrastructure | All platform data (encrypted at rest and in transit) |
| AI Language Model Provider | Large language model inference for prompt generation and briefing synthesis | Transcripts, biometric summaries, and assessment context (via API — not retained for training) |
| AI Voice Conversation Provider | Real-time conversational AI agent for daily check-in sessions — speech recognition, AI reasoning, and voice synthesis | Live audio stream during the session only — not retained by the provider beyond the active session. No recordings or transcripts are stored by either party. |
| AI Voice Synthesis Provider | Text-to-speech synthesis for scripted prompt audio (introductions, preambles) | Text content only — not retained by provider beyond the synthesis window |
| Biometric Hardware & Cloud Platform | Wearable biometric device and associated cloud API | Biometric telemetry (Client-authorized via OAuth 2.0 — Client may revoke at any time) |
| Payment Processor | PCI-DSS compliant payment processing | Billing and payment information only — never stored by Sentinel CPO |
| Transactional Email Provider | Delivery of system notifications and briefing alerts | Email address and notification content only |
| Cloud Application Host | Application compute and global delivery | Application runtime only — no persistent Client data storage |
Sentinel CPO does not sell, rent, or trade Client data to any third party for marketing, advertising, or commercial purposes. A complete disclosure of all third-party sub-processors — including the specific data each receives, their jurisdiction, and data residency — is available at sentinelcpo.com/sub-processors. Enterprise clients and corporate sponsors requiring a Data Processing Agreement may access the template at sentinelcpo.com/data-processing-agreement.
Sentinel CPO employs the following security measures:
IT and InfoSec teams conducting vendor due diligence may access Sentinel CPO's full security posture — including a pre-filled vendor questionnaire, privacy impact assessment, access controls documentation, and incident response policy — at sentinelcpo.com/security.
Sentinel CPO operates under a strict Ephemeral Data Lifecycle. For complete technical details, see our Ephemeral Data Architecture policy.
Summary of retention periods:
Clients have the following rights with respect to their data:
Sentinel CPO is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and does not process Protected Health Information (PHI) as defined by HIPAA. The biometric data processed by Sentinel CPO is used exclusively for professional performance optimization and does not constitute a medical record.
Sentinel CPO does not enter into Business Associate Agreements (BAAs) in connection with the Service.
California residents have specific rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"). Biometric information is classified as sensitive personal information under the CPRA. As a B2B enterprise service, Sentinel CPO primarily processes data in a business-to-business context. California residents who are individual subscribers may exercise their rights — including the right to know, delete, correct, and limit the use of sensitive personal information — via the Privacy/CCPA inquiry form. Sentinel CPO does not sell or share personal information as defined by the CCPA/CPRA.
Sentinel CPO LLC is a Connecticut limited liability company and complies with the Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq., "CTDPA"), effective July 1, 2023. Biometric data constitutes sensitive personal data under the CTDPA, and Sentinel CPO obtains opt-in consent before processing it as described in this Policy and the Private Client Agreement.
Connecticut residents who are individual subscribers have the following rights with respect to their personal data: (a) to confirm whether Sentinel CPO is processing their personal data and to access it; (b) to correct inaccuracies; (c) to delete personal data provided by or obtained about them; (d) to obtain a portable copy in a machine-readable format; and (e) to opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
To exercise any of these rights, Connecticut residents may submit a request via the Privacy inquiry form. Sentinel CPO will respond to verified requests within 45 days, extendable by an additional 45 days where reasonably necessary with advance notice to the requestor. Connecticut residents who receive an adverse determination on a rights request may appeal that determination by submitting a follow-up Privacy inquiry within 60 days of Sentinel CPO's response.
Data Protection Assessments. As required under the CTDPA for controllers conducting high-risk processing activities — including the processing of sensitive personal data — Sentinel CPO LLC conducts and maintains internal Data Protection Assessments. These assessments document the purpose, necessity, proportionality, and risk mitigation safeguards for Sentinel CPO's biometric data processing. Assessments are maintained in Sentinel CPO's internal compliance records and are available to Connecticut regulatory authorities upon lawful request.
In the event of a security incident involving unauthorized access to, acquisition of, or disclosure of Client personal data or biometric information, Sentinel CPO LLC will: (a) conduct a prompt internal investigation to assess the nature and scope of the incident; (b) notify affected Clients via the email address on file without unreasonable delay and within the timeframe required by applicable law; (c) provide notice to applicable state regulatory authorities as required by the breach notification laws of Connecticut, California, Illinois, Washington, and any other jurisdiction with a legal notification obligation; and (d) take commercially reasonable steps to contain and remediate the incident.
FTC Health Breach Notification Rule. To the extent Sentinel CPO qualifies as a "personal health record vendor" or "related entity" under the Federal Trade Commission's Health Breach Notification Rule (16 C.F.R. Part 318), as amended effective July 29, 2024, Sentinel CPO will comply with all applicable notification obligations under that Rule — including notifying the FTC and affected individuals of any unauthorized acquisition of personally identifiable health information within the required timeframe. Sentinel CPO's ephemeral data architecture and pseudonymous design are intended to minimize the scope of any breach subject to this Rule.
Sentinel CPO's pseudonymous architecture and ephemeral data design structurally limit the potential impact of any security incident. Because no audio recordings or transcripts are retained and biometric data is referenced only by pseudonymous Client ID, the risk of identity-linked biometric data exposure is architecturally mitigated. Sentinel CPO LLC will fulfill all applicable notification obligations regardless of the assessed severity of the incident.
Note: Specific regulatory notification timelines vary by jurisdiction (generally 72 hours for regulatory notice and 30–60 days for individual notice depending on applicable law). This provision will be updated as required by changes to applicable breach notification statutes.
For Clients located in the State of Illinois, the following disclosures are made in compliance with the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. ("BIPA").
BIPA defines "biometric identifiers" as retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. Sentinel CPO collects physiological telemetry data from the Client's Oura Ring via the Oura cloud API — including composite performance scores (readiness, sleep, activity), cardiovascular signals (HRV, RHR, respiratory rate), sleep architecture data, body temperature deviation from baseline, and readiness contributor sub-scores, as fully enumerated in Section 2 of this Policy. These physiological metrics are not biometric identifiers as defined by BIPA. Daily check-in sessions involve real-time AI voice processing; no audio is recorded or retained, and no voiceprint template is created or stored at any point. Structured session performance metadata extracted at session close (numerical scores, thematic labels, behavioral flags, session summary) does not constitute a biometric identifier or biometric information as defined by BIPA. Sentinel CPO provides these disclosures as a matter of transparency even where BIPA's narrow definition may not apply.
Before collecting any biometric or biometric-adjacent data, Sentinel CPO provides written disclosure through this Policy and obtains written consent via clickwrap at enrollment. Illinois Clients are informed of: (a) the specific categories of data collected; (b) the specific purpose for collection (professional performance optimization); and (c) the retention period (active Subscription Term, destroyed within 30 days of termination and no longer than 3 years from last collection).
Sentinel CPO LLC does not sell, lease, trade, or otherwise profit from Client biometric identifiers or biometric information. Biometric data is used exclusively to provide the Service to the Client who generated it. No financial transaction involving Client biometric data occurs beyond payments to sub-processors for Service delivery.
Sentinel CPO retains biometric data only as long as necessary to fulfill the Service delivery purpose, and in no case longer than three (3) years from the date of last collection or thirty (30) days following license termination, whichever occurs first — consistent with BIPA Section 15(a). All data is permanently and irreversibly destroyed upon the applicable date pursuant to the Ephemeral Data Lifecycle described in Section 8.
For Clients located in the State of Texas, the following disclosures are made in compliance with the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001 et seq., "CUBI") and the Texas Data Privacy and Security Act ("TDPSA"), effective July 1, 2024.
Sentinel CPO collects biometric identifiers (to the extent applicable under CUBI) solely with the Client's informed written consent obtained at enrollment. Biometric identifiers are not sold, leased, or disclosed to any third party for any purpose other than Service delivery to the individual Client. Sentinel CPO employs reasonable security measures to protect biometric data as described in Section 7. Upon license termination, biometric data is permanently destroyed within 30 days — consistent with CUBI's requirement that biometric identifiers be destroyed within a reasonable time after the purpose for collection has been satisfied. Texas residents may exercise their rights under the TDPSA (including access, correction, deletion, portability, and opt-out of profiling) by submitting a request via the Privacy inquiry form.
For Clients located in the State of Washington, the following disclosures are made in compliance with Washington H.B. 1493 (codified at RCW 19.375 et seq.) governing the collection and use of biometric identifiers.
Sentinel CPO: (a) obtains Client consent before any enrollment of biometric data into its platform; (b) does not enroll biometric data into a commercial database for purposes other than providing the Service to the consenting Client; (c) does not sell, lease, or disclose biometric identifiers to third parties for commercial purposes; (d) uses reasonable care to store, transmit, and protect biometric data from disclosure; and (e) destroys biometric identifiers no later than 30 days following license termination.
Sentinel CPO complies with the Washington My Health MY Data Act (S.B. 1155, effective March 31, 2024, codified at RCW 70.372 et seq.), which governs the collection, processing, and sharing of consumer health data for Washington residents. The MHMD Act defines "consumer health data" broadly to include physiological and biometric data such as heart rate variability, resting heart rate, respiratory rate, sleep architecture, body temperature deviation, and related health metrics — all of which Sentinel CPO processes, as enumerated in Section 2 of this Policy.
Authorization and Consent. Sentinel CPO obtains express authorization from Washington residents before collecting consumer health data through the enrollment consent mechanism. This authorization covers the specific categories of health data collected, the purpose of collection (professional performance optimization), and the third parties with access to such data (as described in the sub-processor table in Section 6).
No Sale or Sharing. Sentinel CPO does not sell, disclose, or share consumer health data with third parties for advertising, marketing, or any commercial purpose beyond delivery of the Service to the individual Client who generated it.
No Geofencing. Sentinel CPO does not use location data to construct geofences around health care facilities or use health data for targeted advertising purposes.
Washington Residents' Rights. Washington residents have the right to: (a) confirm whether Sentinel CPO processes their consumer health data; (b) access a list of all third parties with whom Sentinel CPO has shared their health data; (c) withdraw consent and request deletion of their consumer health data; and (d) appeal Sentinel CPO's response to any rights request. To exercise these rights, Washington residents may submit a request via the Privacy inquiry form. Sentinel CPO will respond within 45 days and facilitate appeal within 60 days of an adverse determination.
Data Security. Consumer health data is protected using the security measures described in Section 7 of this Policy and is subject to the Ephemeral Data Lifecycle described in Section 8.
In addition to the state-specific disclosures above, residents of states with enacted comprehensive consumer privacy laws — including but not limited to Virginia (CDPA), Colorado (CPA), Montana (MTCDPA), Indiana (INCDPA), Tennessee (TIPA), New Hampshire (NHPDPA), New Jersey (NJDPA), Delaware (DPDPA), Nebraska (NDPA), Minnesota (MNDPA), Maryland (MODPA), Iowa (ICDPA), Rhode Island (RIDPA), Kentucky (KCDPA), and any other state with a comprehensive privacy statute in effect — are granted the same data subject rights described in Section 9 of this Policy, to the extent those rights apply under the resident's applicable state law:
Sentinel CPO does not sell personal data, does not engage in targeted advertising, and does not share sensitive personal data (including biometric data) with third parties for commercial purposes beyond sub-processor Service delivery. Accordingly, no opt-out of sale or targeted advertising sharing is required — but Clients may contact us at any time to confirm this.
To exercise any of these rights regardless of your state of residence, submit a request via the Privacy inquiry form. Sentinel CPO will respond within 45 days, extendable where permitted. If you receive an adverse determination, you may appeal within 60 days by submitting a follow-up Privacy inquiry marked "Appeal."
This section will be updated as new state privacy laws become effective. The absence of a specific state citation does not limit any resident's right to submit a privacy request.
Sentinel CPO accesses Client biometric telemetry exclusively through the Oura Health Oy cloud API pursuant to OAuth 2.0 authorization granted by the Client. The following principles govern this data access and confirm compliance with Oura's developer program requirements:
Sentinel CPO may update this Policy to reflect changes in our data practices or applicable law. We will notify active Clients of material changes via the email address on file at least 14 days prior to the change taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
For privacy-related inquiries, data subject requests, or security concerns:
Sentinel CPO LLC — Privacy
Submit a Privacy/CCPA inquiry →