The Ephemeral Data Architecture is not a privacy preference — it is the structural design of the Sentinel CPO platform. Data exists only for as long as it is required to deliver the Service. Upon license termination, Client data is permanently and irreversibly destroyed. There is no archive, no backup retained, no recovery path.
C-Suite executives operate with informational asymmetry as a core strategic asset. The uncensored operational intelligence shared within the Sentinel CPO platform — friction points, strategic pivots, physiological states, behavioral patterns — represents some of the most sensitive professional data in existence.
The Ephemeral Data Architecture ("EDA") exists to ensure that this data cannot be leaked, subpoenaed, acquired through corporate due diligence, or accessed by any unauthorized party — including Sentinel CPO itself — beyond the active service window.
The EDA is governed by three principles:
Daily check-in sessions are conducted via a real-time AI voice conversation. No audio recording is captured or stored by Sentinel CPO at any point. The live audio stream is processed ephemerally by ElevenLabs Conversational AI during the session. Upon session close, ElevenLabs does not retain the audio. There is no audio file to delete because no audio file is ever created. This represents a structural privacy guarantee — the absence of data is not a deletion policy, it is an architectural commitment.
No transcripts of AI voice sessions are stored by Sentinel CPO. Sentinel CPO stores only structured session performance metadata — numerical scores per diagnostic dimension, categorical thematic labels, behavioral flags, and a brief pattern-level session summary containing no verbatim client statements. This metadata is generated by the AI agent at session close and is the only record of any check-in session. No verbatim content, no quotation, and no reconstructible conversation record is retained by any party.
Structured performance data extracted from each check-in session — including dimension scores (State, Priority, Friction, Alignment rated 1–10), thematic labels, behavioral flags (e.g., board_tension, decision_pending, energy_low), session duration, and a 2–3 sentence pattern-level session summary — is retained in an encrypted database for the duration of the active Subscription Term. This metadata is the longitudinal intelligence layer that enables trend detection, Sunday Briefing synthesis, and personalized daily prompt generation. Upon license termination, all session metadata is permanently deleted within 30 days.
Heart Rate Variability (HRV), Resting Heart Rate (RHR), and sleep score data retrieved from the Oura Cloud API is retained for the duration of the active Subscription Term. This data supports the biometric forensic window used in daily prompt generation and briefing synthesis. Upon license termination, all biometric records are permanently deleted within 30 days.
Sunday Briefings (baseline and weekly) and cached daily prompt text are retained in encrypted storage for the duration of the active Subscription Term. These documents constitute the Client's "Optimization Vault" — the delivered intelligence output of the platform. Upon license termination, all briefing documents and prompt records are permanently deleted within 30 days.
Onboarding assessment responses (professional context, friction points, strategic objectives) and voice-detected goal records are retained for the duration of the active Subscription Term. Upon license termination, all assessment and goal data is permanently deleted within 30 days.
Name, email address, company, and shipping address are retained for the Subscription Term plus 90 days following termination for billing dispute resolution and compliance purposes. Payment card data is never stored by Sentinel CPO — it is held exclusively by Stripe under PCI-DSS compliance.
Upon license termination — whether initiated by Client, by Sentinel CPO, or by non-renewal — the following sequence executes:
Deletion is irreversible. Sentinel CPO cannot recover any Client data following the deletion sequence. Clients are advised to export any Sunday Briefings or assessment documents they wish to retain before terminating their license.
All data is encrypted at rest using AES-256 encryption managed by Supabase (PostgreSQL database) and Supabase Storage (object storage). All data in transit is encrypted via TLS 1.2 or higher. There are no unencrypted data paths in the Sentinel CPO architecture.
Row-Level Security (RLS) policies are enforced at the database layer on every table. Policies are enforced by PostgreSQL's native security model — they cannot be bypassed by application-layer logic. Each Client's data is cryptographically scoped to their authenticated user ID. No query can return another Client's data under any circumstances.
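One way to set up and audit the per-client scoping described above on a Supabase/PostgreSQL database, as an added example that is not Sentinel CPO's own code. The table `session_metadata`, its `user_id` column and the policy names are hypothetical; `auth.uid()` and the `authenticated` role are Supabase's standard helper and role.

```sql
-- Hypothetical per-client table; assumes user_id holds the owner's auth ID.
ALTER TABLE public.session_metadata ENABLE ROW LEVEL SECURITY;
-- FORCE applies policies to the table owner too; without it the owning
-- role is exempt from RLS.
ALTER TABLE public.session_metadata FORCE ROW LEVEL SECURITY;

-- Reads: a client sees only rows tagged with their own authenticated ID.
CREATE POLICY client_reads_own_rows
  ON public.session_metadata
  FOR SELECT
  TO authenticated
  USING (user_id = auth.uid());

-- Writes: a client cannot insert a row on behalf of another user ID.
CREATE POLICY client_inserts_own_rows
  ON public.session_metadata
  FOR INSERT
  TO authenticated
  WITH CHECK (user_id = auth.uid());

-- Audit 1: tables where RLS is off or not forced.
-- An empty result is the expected state for "RLS on every table".
SELECT c.relname             AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);

-- Audit 2: tables with RLS enabled but no policy defined. These deny all
-- access to ordinary roles, which usually means a policy was forgotten.
SELECT c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policies p
       ON p.schemaname = n.nspname AND p.tablename = c.relname
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')
  AND c.relrowsecurity
  AND p.policyname IS NULL;

-- Audit 3: roles that skip RLS entirely (superusers and BYPASSRLS roles).
-- Credentials for these roles must stay server-side.
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles
WHERE rolsuper OR rolbypassrls;
```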
Audio files are stored in a private bucket with no public access. File access requires a time-limited signed URL generated by the server on behalf of the authenticated user. Signed URLs expire and cannot be reused. There is no mechanism to enumerate or bulk-access the storage bucket.
The service-role database key (which bypasses RLS) is used exclusively in server-side CRON processes and webhook handlers — never in client-facing application code. This key is never transmitted to or accessible from browser environments.
Each API call to Anthropic (Claude) and Deepgram is a stateless, ephemeral inference request. No conversation history, audio, or biometric data is persisted in AI provider infrastructure beyond the processing window. Sentinel CPO's agreement with AI providers prohibits use of Client data for model training.
AI voice check-in sessions are conducted via ElevenLabs Conversational AI. The session audio stream is processed in real-time by ElevenLabs and is not retained beyond the active session window. ElevenLabs does not store session audio, transcripts, or any session content on behalf of Sentinel CPO. Only the structured performance metadata extracted by the AI agent at session close is transmitted to and stored in Sentinel CPO's encrypted database.
All platform intelligence operations — including AI briefing generation, daily prompt synthesis, and Performance Manager review — are conducted against a pseudonymous Client ID (format: CPO-XXXX), not the Client's real name or email address. This identifier is assigned at enrollment and used throughout the service lifecycle. The Client's real identity is compartmentalized to billing, shipping, and authentication records only. No real name, email, or contact information is passed to AI inference endpoints. The Client ID is referenced in all delivered documents, including Sunday Briefings and Baseline Assessments.
Even if AI provider infrastructure were somehow compromised, the processed data would reference only a pseudonymous Client ID — not an identity. This is a structural privacy guarantee, not a policy one.
In the event Sentinel CPO receives a valid legal order (subpoena, court order, government demand) for Client data:
The Ephemeral Data Architecture is the most powerful protection against legal exposure: data that does not exist cannot be produced.
Prior to license termination, Clients may request an export of:
Export requests must be submitted via the Privacy/CCPA inquiry form at sentinelcpo.com/contact at least 14 days prior to intended termination. Raw audio files, biometric telemetry, and AI transcripts are not available for export as they are either already deleted (audio) or constitute intermediate processing artifacts rather than deliverable outputs.
In the event of a security incident affecting Client data:
Sentinel CPO may update this Architecture document to reflect platform changes or legal requirements. Material changes will be communicated to active Clients via the email address on file at least 14 days prior to taking effect. Changes that reduce data protections will require affirmative Client consent before applying to existing accounts.
For data lifecycle inquiries, deletion requests, or security concerns:
Sentinel CPO LLC — Privacy & Security
Submit a Privacy/CCPA inquiry →