Who We Are
Planet B 21, LLC is a Wyoming limited liability company. In this Privacy Policy, we refer to ourselves as "Planet B 21," "HashSentinel," "we," "our," or "us." HashSentinel is a B2B product brand of Planet B 21, LLC and is not a separate company. We are the data controller (or data processor, where the context applies — see Section 5) for personal information we collect in connection with HashSentinel engagements and the hashsentinel.com website.
Scope
This Policy applies to personal information we collect when:
- You visit hashsentinel.com or planetb21.com.
- You contact us about a potential engagement.
- You sign or receive Services under a Statement of Work, as a Client representative or authorized contact.
- We perform Services that involve access to Client Systems where personal information may incidentally be present.
This Policy is for Client representatives and prospective Client representatives. Personal information of Client's customers, employees, or other end users that we encounter in the course of performing Services is processed by us as a data processor on Client's behalf, governed by the engagement agreement and described in Section 5.
Information We Collect
3.1 Information you provide directly
- Professional contact information: name, business email, business phone, job title, employer name, and country of operation.
- Engagement information: scope of intended engagement, timeline, budget, technical environment details you choose to share for proposal purposes.
- Contracting information: signatory name, title, and signature on Statements of Work and related documents.
- Communications: records of email, voice, and other communications with our team about your engagement.
3.2 Information from your interaction with our website
- Technical: device information, browser type, IP address, and access logs.
- Cookies: essential cookies for site operation and, where you consent, analytics cookies. We do not use advertising or cross-site tracking cookies.
3.3 Information collected during engagements
In the course of performing Services, we may access Client Systems under Client authorization. Within those systems we may incidentally encounter personal information that belongs to Client's customers, employees, or other parties. We treat that information as Client's data, processed on Client's behalf as Client's data processor, and protected under our engagement agreement.
3.4 Information from public sources
We may use publicly available information (corporate registry data, professional networking profiles, public-facing security research) for purposes such as engagement due diligence, sanctions screening, and verifying authority of Client signatories.
How We Use Information
We use personal information for the following purposes:
- Engagement delivery: communicating about and performing Services under each Statement of Work.
- Contracting and billing: negotiating, executing, invoicing, and processing payment for engagements.
- Compliance and risk management: verifying authority, screening for sanctions and adverse media, and meeting our internal compliance standards before and during engagements.
- Security: protecting our own systems and our Clients' Confidential Information from unauthorized access.
- Direct relationship communications: sending engagement updates, important notices, and (with consent or as permitted by law) occasional industry insights to existing Clients and prospects.
- Legal compliance: responding to lawful requests, complying with applicable law and regulation.
4.1 Legal bases (EEA, UK, and similar jurisdictions)
Where the GDPR or similar legislation applies to Client representatives, we rely on the following legal bases:
- Performance of a contract (executing and delivering an engagement).
- Legitimate interests (business development, security, fraud prevention, professional communication with prospects, balanced against your rights and interests).
- Legal obligation (record retention, sanctions screening, financial reporting).
- Consent (where required, for example, for non-essential cookies or marketing communications to non-Clients).
Our Role as Data Processor During Engagements
During an engagement, we may access systems and data belonging to Client. To the extent that data includes personal information of Client's own customers, employees, or other parties, Client is the data controller for that information and HashSentinel is a data processor acting on Client's behalf, in accordance with the engagement agreement.
As a processor, we will:
- Process Client data only for the purposes specified in the engagement.
- Implement technical and organizational measures appropriate to the sensitivity of the data.
- Limit access to personnel with a need to know.
- Notify Client of any data breach affecting Client data within the time frame required by the engagement and applicable law.
- Return or delete Client data at the end of the engagement, except for records we are required to retain by law or legitimate business interest (such as work papers, redacted findings, and audit trails).
Where required, we are willing to enter into a Data Processing Agreement (DPA) with appropriate standard contractual clauses.
How We Share Information
We do not sell personal information. We share personal information only:
- With service providers who process information on our behalf under written contract: payment processors (Stripe and others), email and communication providers, cloud hosting providers, professional services tools, and identity-verification or sanctions-screening vendors as needed.
- With professional advisors (legal counsel, accountants, insurers) under confidentiality.
- Where required by law (legal process, government request, regulatory obligation).
- In a business transfer (merger, acquisition, financing, or sale of assets), with appropriate confidentiality protections.
- With Client's consent or at Client's direction.
During Services, we may use vendor-supplied tools (vulnerability scanners, threat intelligence feeds, EDR, SIEM platforms) that process data we are authorized to handle. Such vendors are bound by confidentiality and data-protection commitments consistent with the engagement.
International Data Transfers
Planet B 21 is based in the United States. If you access HashSentinel from outside the United States, your information will be transferred to and processed in the United States. Where personal information is transferred from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or equivalent mechanisms. For data processed under engagement, the engagement agreement and any associated DPA govern transfer mechanisms.
How Long We Retain Information
| Category | Retention period |
|---|---|
| Prospect contact information (no engagement) | Up to 24 months from last interaction |
| Client contact and engagement records | Duration of relationship plus 7 years |
| Statements of Work and contracts | 7 years after engagement closure |
| Engagement work papers and Deliverables | 7 years after engagement closure |
| Sanctions screening records | 5 years after engagement closure |
| Communications | 7 years after last interaction |
| Website technical logs | Up to 24 months |
| Marketing preferences / unsubscribe records | Indefinitely, to honor opt-outs |
Client data processed on Client's behalf during an engagement is retained per the engagement agreement and Section 5; in the absence of contrary agreement, returned or destroyed at engagement closure except for retained work papers.
Security
Cybersecurity is our profession. We hold ourselves to a high security standard and apply technical, organizational, and administrative measures including:
- Encryption of data in transit (TLS) and at rest for sensitive engagement data.
- Role-based access control with least-privilege principles.
- Hardware security keys or equivalent strong authentication for personnel.
- Segmented engagement environments to prevent cross-contamination of Client data.
- Logging, monitoring, and periodic review of access to sensitive data.
- Vendor security review for service providers who handle Client information.
No security program is perfect; we operate with humility about that fact and continuously improve our practices.
Your Rights and Choices
10.1 All users
- Contact us to request access to, correction of, or deletion of your personal information.
- Opt out of any optional marketing emails by using the unsubscribe link or contacting us. Note that engagement-related communications cannot be opted out of while an engagement is active.
10.2 Users in the EEA, UK, and similar jurisdictions
If GDPR or UK GDPR applies, you have the right to access, correct, delete, restrict, object to processing of, and port your personal information, subject to legal retention obligations. You may also lodge a complaint with your local data protection authority.
10.3 California residents
If you are a California resident, the California Consumer Privacy Act (as amended by CPRA) gives you specific rights regarding your personal information. To exercise these rights, contact us using the details in Section 13.
10.4 Limits on deletion
Engagement records, contracts, sanctions screening records, and certain other categories must be retained for the periods listed in Section 8. Deletion requests covering retention-bound records will be honored after the retention period ends.
Cookies
hashsentinel.com uses essential cookies for site operation and, where required by law, will request your consent before placing non-essential cookies (such as analytics). You can control cookies through your browser settings.
Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes are communicated by email to active Clients or by prominent notice on the website. Continued use of the site or Services after the effective date constitutes acceptance.
Contact Us
— END OF PRIVACY POLICY —