1. What we collect
- Email address — only when you voluntarily submit a form on the site (lead capture form or contact form). This is the only personally identifiable information we collect.
- Form submission metadata — when you submit a form, Formspree (our form processor) logs the submission timestamp and your IP address as part of their spam-prevention service. We do not store or process this data ourselves.
- Vercel access logs — our hosting provider (Vercel) logs standard HTTP request data including IP addresses, user agents, and requested URLs. This is standard infrastructure logging and is governed by Vercel’s privacy policy. We do not access or process these logs.
2. What we do NOT collect
- We do not set any cookies on your device
- We do not use localStorage or sessionStorage for personal data
- We do not run Google Analytics, Mixpanel, Hotjar, or any behavioral tracking
- We do not serve advertising or share data with advertising networks
- We do not use fingerprinting or device identification techniques
- We do not collect payment data — all payment processing is handled by Lemon Squeezy
- We do not collect your company, job title, or professional information unless you volunteer it via a contact form
3. How we use your data
Your email address is used solely to:
- Deliver the intelligence report or resource you requested
- Send IRR-E alert notifications (Scout tier subscribers only)
- Send the weekly IRR-E Summary Report (if subscribed)
- Respond to contact form inquiries
We do not send unsolicited commercial email. Every email we send includes an unsubscribe link. Clicking unsubscribe immediately removes you from all future communications.
4. Third-party processors
We use the following sub-processors who may receive your personal data:
- Formspree (formspree.io) — form processing and spam prevention. EU–US Data Privacy Framework certified.
- Vercel (vercel.com) — hosting and CDN. SOC 2 Type II certified.
- Lemon Squeezy (lemonsqueezy.com) — payment processing (paid subscribers only). PCI DSS compliant, Merchant of Record in 135+ countries.
- Resend (resend.com) — transactional email delivery (paid subscribers only).
We do not use any other sub-processors. We do not share your data with any other third parties.
5. Data retention
Email addresses collected via the lead capture form are retained until you unsubscribe or request deletion. Contact form submissions are retained for 90 days and then deleted. Paid subscriber data is retained for the duration of the subscription plus 12 months for legal compliance, then deleted.
6. Your rights (GDPR / CCPA)
If you are located in the European Economic Area, UK, or California, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate personal data
- Right to erasure — request deletion of your personal data
- Right to portability — request your data in a structured, machine-readable format
- Right to object — object to processing of your personal data
- Right to restrict processing — request that we restrict processing of your personal data
To exercise any of these rights, use the contact page. We will respond within 30 days.
7. Security
PetroSentinel implements the following security measures:
- HTTPS enforced via HSTS (max-age=31536000; includeSubDomains)
- Content Security Policy headers blocking unauthorized script execution and iframe embedding
- X-Frame-Options: DENY — prevents clickjacking
- X-Content-Type-Options: nosniff — prevents MIME-type sniffing attacks
- Referrer-Policy: strict-origin-when-cross-origin — limits referrer data leakage
- Permissions-Policy blocking camera, microphone, geolocation, and payment APIs
- Honeypot fields on all forms to prevent automated spam
- Server-side HTML escaping of all data pipeline outputs
- Client-side sanitization of all dynamically rendered content
The platform data (IRR-E scores, intelligence alerts) is public information derived from open-source feeds. No subscriber-specific data is stored client-side or served via public endpoints.
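The header list above is the kind of thing that silently regresses when a hosting config or framework is updated, so it is worth checking rather than assuming. The following is an added example, not PetroSentinel's own code: a small audit function that takes a dictionary of HTTP response headers (as returned by any HTTP client) and reports any deviation from the values stated in this section. The HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy thresholds are taken directly from the list; the CSP checks (a `script-src` or `default-src` directive present, and `frame-ancestors 'none'`) are this example's own reading of "blocking unauthorized script execution and iframe embedding", since the page does not quote the exact policy. The two header sets at the bottom are constructed for the example.

```python
"""Audit HTTP response headers against the hardening list in section 7.

Added example; not the site's own code. Thresholds mirror the values
stated on the page. The CSP directive checks are assumptions, and the
sample header sets at the bottom are constructed for this example.
"""
import re
from typing import Dict, List

HSTS_MIN_MAX_AGE = 31536000  # one year, the max-age quoted in the policy
FEATURES_THAT_MUST_BE_DENIED = ("camera", "microphone", "geolocation", "payment")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # HSTS: present, max-age at least one year, includeSubDomains set
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS missing or has no max-age")
    else:
        if int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age {m.group(1)} below {HSTS_MIN_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    # CSP: present, restricts script sources, forbids framing (assumed directives)
    csp = h.get("content-security-policy", "")
    directives = {toks[0]: toks[1:] for toks in (d.split() for d in csp.split(";")) if toks}
    if not directives:
        findings.append("Content-Security-Policy missing")
    else:
        if "script-src" not in directives and "default-src" not in directives:
            findings.append("CSP does not restrict script sources")
        if directives.get("frame-ancestors") != ["'none'"]:
            findings.append("CSP frame-ancestors does not deny embedding")

    # Clickjacking and MIME sniffing
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # Referrer leakage
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")

    # Permissions-Policy: each listed feature must carry an empty allowlist, e.g. camera=()
    pp = h.get("permissions-policy", "")
    denied = {name for name, allow in re.findall(r"([\w-]+)=\(([^)]*)\)", pp) if not allow.strip()}
    for feature in FEATURES_THAT_MUST_BE_DENIED:
        if feature not in denied:
            findings.append(f"Permissions-Policy does not deny {feature}")

    return findings


# Constructed sample: a response that matches the policy as written
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}

# Constructed sample: a response after a configuration regression
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "unsafe-url",
    "Permissions-Policy": "camera=(self), microphone=()",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_HEADERS), ("weak", WEAK_HEADERS)):
        result = audit_headers(hdrs)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print(f"  - {line}")
```

To run it against a live deployment, replace the constructed dictionaries with the headers from a real response (for example `requests.get(url).headers`); the function only reads the mapping, so any case-insensitive header container works.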
8. Contact
For privacy inquiries, data requests, or to exercise your rights under GDPR or CCPA, use the contact form and select “Other” as the topic, or email us directly. We respond within 4 business hours for active inquiries and within 30 days for data rights requests.
This privacy policy may be updated from time to time. Material changes will be noted at the top of this page with an updated effective date.