Privacy Policy
Last updated: July 2026
This policy covers both this website (iosentra.com) and the IOSentra service - a health-monitoring platform for CCTV and physical-security systems. It explains what we collect, what we deliberately do not collect, and the rights you have. For data processed inside your organization's IOSentra tenant, your organization is the data controller and IOSentra acts as a processor on its behalf.
What we never collect: your footage
IOSentra monitors the health of CCTV systems - it does not record or store video. Frames fetched for image-quality checks are analyzed in memory and discarded; only a 64-bit perceptual hash (a numeric fingerprint that cannot be reversed into an image) is kept. Live snapshots are served with no-store caching. The only exception is evidence an operator deliberately attaches to an incident - a human action governed by your organization's own policy.
Information collected on this website
When you submit the contact or demo form we receive the details you provide: name, work email, company and your message (including optional fields such as role, site count and vendors). The site itself sets no tracking cookies; it uses only essential local storage for your preferences (language, cookie choice, accessibility settings) and privacy-friendly, cookieless analytics.
Information processed in the IOSentra service
To operate a tenant, the service stores account data (name, email, password hash, optional two-factor secret), session records (IP address, user agent), notification contacts (email, phone, messaging handles), free-text content in incidents and tickets, and an audit log of administrative actions (actor, IP, user agent). Device credentials for recorders and cameras are stored encrypted with AES-256-GCM using per-tenant key derivation.
How we use information
Website enquiries are used solely to respond and schedule demos. Service data is used solely to provide the service - running checks, opening incidents, sending the alerts your organization configured. We do not sell personal data, we do not use it for advertising, and we do not use it for automated decision-making with legal effect.
Retention
The service enforces retention limits automatically, per tenant: device events 90 days, alarms 365 days, incidents 730 days and audit logs 365 days by default - each configurable by your organization. Expired sessions are pruned together with their IP and user-agent records. Website enquiries are kept only as long as needed to follow up, then deleted.
Your rights (GDPR & Israeli PPL)
Subject to applicable law - including the GDPR and the Israeli Privacy Protection Law (Amendment 13) - you may request access to, a copy of, correction of, or deletion of your personal data, and object to its processing. These rights are implemented in the product itself: an administrator can export all data held about a person and perform a hard erasure that also removes the underlying identity record. Service users should contact their organization's administrator first; you can always reach us directly as well.
Tenant isolation & data residency
Every tenant's data lives in a physically separate database. Deleting a tenant drops that database entirely - true erasure. Where a data-residency region is configured, the tenant's database and file storage are pinned to that region's infrastructure, fail-closed: data cannot silently land in the wrong region, and the region cannot be changed after provisioning.
Sub-processors
We use a small number of service providers to operate: an identity provider (authentication), cloud hosting and database infrastructure, object storage (for operator-attached evidence only), and an email delivery provider. Each processes data only under contract and only as needed to provide the service.
Security
Data in transit is encrypted with TLS; device credentials at rest with AES-256-GCM. Access is governed by role-based access control with optional TOTP two-factor authentication, per-account login lockout and per-IP rate limits. Authorization headers are redacted from logs, and administrative actions are recorded in a tamper-evident audit trail.
Breach notification
The audit trail (actor, IP, user agent) is designed to support forensic reconstruction within the notification windows that apply to us and to our customers - 72 hours under GDPR and 24 hours to the authority under the Israeli PPL. If a breach affects your data, we will notify your organization without undue delay.
Cookies & local storage
This website uses no advertising or cross-site tracking cookies. Essential local storage remembers your language, cookie choice and accessibility preferences. Analytics are cookieless and aggregate.
Contact
For any privacy question or request - including data-subject requests - email support@iosentra.com and we will respond promptly.
Changes to this policy
We may update this policy from time to time. Material changes will be reflected here with a revised 'last updated' date.
Ready to take control?
Every camera records. Every device communicates. Every issue is tracked. Every ticket is resolved.
Book a demo