GDPR is not a badge you can buy; it is an operating discipline. ChangeSentry is designed to collect only what is needed, explain why it is used, secure it, honor applicable rights, and make customer responsibilities clear.
This page is an overview for customers and prospects. The Privacy Policy remains the main public notice, and a data processing agreement can be used where required for business customers.
1. Controller and processor roles
ChangeSentry is generally a controller for account, billing, website, support, and product analytics data, and a processor for monitoring content you configure where GDPR applies. You remain responsible for confirming that monitored pages may be lawfully processed and for giving ChangeSentry lawful instructions for customer-controlled monitoring content.
2. Lawful bases
Privacy notices identify common lawful bases including contract, legitimate interests, consent, and legal obligation depending on the processing activity. Examples include contract for account and monitor delivery, legitimate interests for security and service improvement, consent for optional cookies and certain marketing, and legal obligation for tax, accounting, sanctions, consumer protection, and compliance requests.
3. Subprocessors and vendors
Vendors are used for hosting, storage, authentication, billing, analytics, support, notification delivery, error monitoring, and AI features under appropriate contractual safeguards. See the Subprocessors and Vendors page for the current public inventory. Material changes may be announced through reasonable notice, which may include website, product, email, or account notices depending on the change.
4. International transfers
International transfers may rely on adequacy decisions, Standard Contractual Clauses, data processing terms, the UK International Data Transfer Addendum or equivalent terms, and technical and organizational controls. Customers that need signed transfer terms should request a DPA review before submitting regulated or sensitive data.
5. Privacy by design
Monitor scope, retention limits, security controls, consent choices, and account deletion workflows are designed to reduce unnecessary data exposure. Optional AI features may send URLs, labels, page titles, monitoring intent, diff summaries, and before-and-after excerpts to configured providers such as OpenRouter, Anthropic, or OpenAI. Customers should not use AI-assisted monitoring for regulated, secret, or sensitive data without proper authority and vendor-term review.
6. Customer responsibility
Customers must only monitor pages they are allowed to monitor and should not submit sensitive personal data, secrets, credentials, or regulated data unless they have proper authority. If you are a controller and ChangeSentry is your processor, your instructions are limited to lawful use of the service, your product configuration, and any signed DPA.
7. Access and portability
You can ask for a copy of personal data associated with your account and, where technically feasible, receive exportable information about your monitors and change history. Some records, such as billing processor records, security logs, vendor-held data, or records retained under legal exceptions, may require manual review or may be provided through a different process.
8. Correction and deletion
You can update account details in the dashboard and request deletion assistance. Some records may be retained where required for security, billing, legal, tax, abuse-prevention, or dispute reasons. Account deletion currently includes a 30-day recovery window and may anonymize selected fields while retaining limited records required for lawful purposes.
9. Restriction and objection
Where GDPR applies, you may ask us to restrict certain processing or object to processing based on legitimate interests, subject to applicable exceptions. If a request is denied in whole or part, you may ask us to review the decision or contact your supervisory authority.
10. Consent withdrawal
Where processing is based on consent, such as optional cookies or certain marketing communications, you can withdraw consent without affecting prior lawful processing.
11. Data breach notification
In the event of a personal data breach, ChangeSentry will notify the relevant supervisory authority within 72 hours of becoming aware where feasible, as required by Article 33 GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, ChangeSentry will also notify affected individuals without undue delay under Article 34 GDPR. Notifications will describe the nature of the breach, data categories affected, likely consequences, and remediation measures taken or planned.
12. Data Protection Officer
ChangeSentry has assessed its processing activities against the criteria in Article 37 GDPR and has determined that appointment of a Data Protection Officer is not required at this stage. Privacy requests and data subject rights requests can be directed to privacy@changesentry.com.
13. Complaint rights
You may have the right to complain to your local data protection authority. For EEA residents, the relevant lead supervisory authority depends on your country of residence. For UK residents, the relevant authority is the Information Commissioner's Office (ICO) at ico.org.uk. We encourage contacting us first at privacy@changesentry.com so we can try to resolve the issue quickly.
14. How to submit a GDPR request
- Contact us from the email address connected to your ChangeSentry account.
- State the request type, such as access, export, correction, deletion, objection, or consent withdrawal.
- Include enough context for us to identify the account, workspace, monitor, or data category involved.
- We may ask for verification before processing the request.
- We aim to respond within legally required timeframes, such as 30 days for GDPR and UK GDPR requests, subject to permitted extensions.
15. DPA and business requests
Business customers that need a signed data processing agreement, transfer terms, subprocessor review, or security questionnaire can start with the DPA overview. Email privacy@changesentry.com to request signed paperwork.
16. Contact
Submit a request by emailing privacy@changesentry.com or through the contact page. If your organization needs a signed DPA, subprocessor list, security questionnaire, or vendor review, include your requirements and timeline.