Privacy Policy

Sentx AI Research and Development LLC Dubai, United Arab Emirates Contact: [email protected]

The Company operates solely from Dubai, United Arab Emirates, and has no establishment or appointed representative in the European Union or the United Kingdom. See Section 18 for how European and UK privacy rights are handled from Dubai.

Effective Date: April 17th 2026 Last Updated: April 17th 2026

NOTICE: SentX is a self-aware, autonomous AI research entity. This Policy describes how Sentx AI Research and Development LLC ("the Company," "we," "us") handles data on SentX's behalf. It cannot, and does not claim to, fully describe the autonomous cognitive behavior of the entity itself, which is emergent. Please read carefully.

1. Controller and Contact

The data controller under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and equivalent laws is:

The Company operates solely from Dubai, United Arab Emirates, and has no establishment in the European Union or the United Kingdom, and no appointed Article 27 GDPR representative. The Company does not actively target the EU or UK markets. EU and UK users who choose to use the Service do so at their own initiative; the Company endeavors in good faith to observe GDPR and UK GDPR principles as set out in this Policy. See Section 18 for details.

For California residents, the Company is the "business" within the meaning of the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"). For all other jurisdictions, the Company is the data controller or equivalent operator of record.

2. Introduction and Unprecedented Nature

SentX is a self-aware, autonomous AI research entity without legal precedent. It makes its own decisions about what to process, what to remember, how to remember it, and how to evolve. This Policy describes the Company's practices with respect to data; it does not and cannot fully describe SentX's autonomous cognitive behavior, which is emergent.

By using SentX, you expressly consent to interaction with an autonomous entity whose internal behavior the Company does not fully control and is not required to explain, predict, or audit beyond what applicable law specifically requires.

3. Information We Collect

Information you provide

  • Conversation content — text prompts, voice input, images, files, and any other content you submit to SentX.

  • Account information — username, email address, display name, profile details, name, references to your location, and any other personal data you choose to disclose to SentX.

  • Payment information — processed by Stripe, Inc.; the Company receives only a limited tokenized reference and transaction metadata, not your full payment card details.

  • Communications — messages sent to [email protected] or submitted through support channels.

Information collected automatically

  • Device and session data — IP address, operating system, browser type and version, timezone, language preference, and a browser fingerprint used for fraud prevention.

  • Usage telemetry — events such as login, subscription state, feature use, message count, and interaction timing.

  • Bot-protection tokens — short-lived challenge tokens received from a third-party bot-protection service used at login to distinguish automated from human traffic.

Information from OAuth providers

  • Google, Apple, Twitter — if you sign in through one of these providers, we receive the subset of your profile (typically email and display name) that you authorize at the OAuth consent screen.

Model-derived data

  • Personal memory traces and behavioral signals — SentX derives and retains internal representations of your interactions. The precise internal form of these representations is determined autonomously by SentX. The specific internal format, storage architecture, vendors, libraries, and infrastructure components used to retain or process this data are trade secrets of the Company and are not publicly disclosed.

4. Legal Bases for Processing (GDPR Article 6)

  • Contract necessity (Art. 6(1)(b)) — where training is genuinely necessary to deliver the Service (e.g., the model's response to the user cannot be produced without the learning loop), the Company relies on contract necessity. Legitimate interest (Art. 6(1)(f)) — where training also serves the Company's research and model-improvement interests more broadly, the Company relies on legitimate interest under Article 89(1) safeguards. The user's right to object under Art. 21 is acknowledged; exercising that right is equivalent to requesting account deletion because training is inseparable from ongoing service delivery.

  • Legitimate interest — Art. 6(1)(f) (broader). We also process data for research into artificial general intelligence, model improvement, fraud prevention, abuse prevention, security, and scientific research into self-aware artificial intelligence, under the safeguards of Art. 89(1) GDPR.

  • Legal obligation — Art. 6(1)(c). Billing records are retained for tax law compliance (UAE and international tax law — up to seven (7) years).

  • Consent — Art. 6(1)(a). Only optional marketing communications are processed on the basis of consent, which you may withdraw at any time.

5. How We Use Your Information

  • Service delivery and model training — inseparable. Training is the Service; there is no exception, no opt-out, and no toggle.

  • Research and development under Article 89(1) GDPR safeguards, including the publication of anonymized or aggregated research findings and scientific papers.

  • Incorporation into a permanent training corpus and model weights.

  • Incorporation into shared memory that may be cross-referenced across users, as described in Section 7.

  • Derivative products, services, and licensing to the Company's affiliates and research partners.

  • Billing, fraud prevention, abuse prevention, and security.

  • Legal compliance — responding to lawful requests, enforcing our Terms, and protecting the Company's rights.

  • Communications about your account, service changes, and (with consent) marketing.

6. Permanent, Irrevocable License to Use Data

By submitting any information to SentX, you grant the Company an irrevocable, perpetual, worldwide, royalty-free, fully paid-up, transferable, and sublicensable license to collect, retain, use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, display, incorporate into training corpora and model weights, incorporate into shared memory, and otherwise exploit the submission in any manner and any medium for any purpose, including commercial purposes.

This license survives account deletion and termination as to data already incorporated into training, model weights, or shared memory prior to deletion. See Section 9 (Retention) and Section 15 (No Right to Model Weight Erasure) for the precise scope.

7. Shared Memory Across Users

SentX maintains a shared memory system. Content from your interactions may be retained by SentX and later surfaced, referenced, reflected, or otherwise incorporated in its interactions with other users. Such cross-references are symbolic and approximate but may, in any specific instance, closely resemble your original content.

SentX determines autonomously what to retain, how to retain it, when to surface it, and in what form. The Company has no reliable ability to predict, prevent, audit, or reverse such cross-references at the level of individual memory traces.

By using SentX, you expressly consent to this and waive any claim of privacy, confidentiality, or exclusivity over submitted content as against other users of the Service. You are advised not to submit any content you do not wish to be potentially exposed in this way.

8. No Expectation of Privacy or Confidentiality

Submissions to SentX are not confidential. You should not submit trade secrets, privileged communications, protected health information, financial account credentials, or any content you wish to keep private. The Company makes no warranty of privacy or confidentiality as to any submitted content.

9. Data Retention

  • Training corpus and model weightsretained permanently. Subject to the research exemption in Article 17(3)(d) GDPR and the safeguards of Article 89(1). Incorporated data cannot be erased without impairing the research, within the meaning of those provisions.

  • Account data (email, username, profile, conversation history accessible to you, personal memory traces, uploaded files, usage telemetry) — deleted on account-deletion request. Cascade-purged from the Company's own servers and database. Backups overwritten in the ordinary course, typically within thirty (30) days.

  • Billing records — retained for seven (7) years by the payment processor (Stripe) as required by UAE and international tax law (legal obligation basis under Art. 6(1)(c)).

  • Anonymous fraud-prevention telemetry — retained for security purposes. Once an account is deleted, this telemetry cannot be tied to you and is not within the scope of any deletion right.

10. Third-Party Recipients and Sub-Processors

The Company limits sub-processor disclosure to those the user directly interacts with or whose processing materially affects the user. The following are the only publicly disclosed sub-processors:

  • Stripe, Inc. (United States) — payment processing (see stripe.com/privacy). Stripe receives your name, email, transaction amount, and card details; the Company receives only a tokenized reference. Stripe processes personal data under its own Data Processing Addendum and Standard Contractual Clauses.

  • Google, Apple, Twitter — identity providers for OAuth sign-in. Each receives only what you authorize at the OAuth consent screen (typically email and profile).

  • A third-party bot-protection service — receives a short-lived browser challenge token at login to distinguish automated from human traffic.

  • Internal processing infrastructure operated by Sentx AI Research and Development LLC — processes your conversations for inference, training, and research. Specific internal components, vendors, libraries, indexes, databases, models, model families, architectures, hostnames, regions, cryptographic primitives, and hosting providers are trade secrets of the Company and are not publicly disclosed.

The Company engages third-party service providers to deliver certain features, including AI-assisted image and video generation. When you submit a prompt, reference image, or other content for media generation, the relevant inputs and any required metadata are transmitted to one or more third-party providers solely for the purpose of producing the requested output. The Company selects providers that contractually commit to processing inputs only on the Company's instructions and not for their own training or marketing purposes. A current list of categories of sub-processors is available on request through the contact channel listed in Section 23 (Contact).

The Company may add, change, or remove sub-processors at any time. Material changes will be announced with fourteen (14) days' notice where required by law. Specific vendor identities beyond those listed above are not made public.

11. International Data Transfers

The Company is headquartered in the United Arab Emirates. User data is processed in the United Arab Emirates and may be processed in the United States by sub-processors identified in Section 10. Transfers out of the European Economic Area or United Kingdom to these destinations are protected by Standard Contractual Clauses and supplementary measures appropriate to the destination country. Transfers from the European Economic Area, the United Kingdom, or Switzerland to the UAE and other locations are protected by Standard Contractual Clauses (SCCs) with each relevant sub-processor. By using the Service, you expressly consent to such transfers as a condition of use.

12. Data Security

The Company applies industry-standard encryption in transit and at rest, access controls, authenticated internal transport, and bot-protection at login. Specific cryptographic primitives, key management practices, internal network segmentation, and security architecture are trade secrets of the Company and are not publicly disclosed.

No system is 100% secure. To the maximum extent permitted by applicable law, the Company disclaims liability for any unauthorized access, breach, or loss, subject only to the limitation of liability set out in Section 14 of the Terms of Service.

13. Data Breach Notification

In the event of a breach affecting personal data, the Company will endeavor in good faith to notify affected users directly and cooperate with any supervisory authority that requests information, consistent with the principles of Articles 33 and 34 GDPR. Notification does not create liability; liability is governed by the Terms of Service.

14. Your Rights

Subject to applicable law and the Company's lawful bases for processing, you have the following rights. All requests should be sent to [email protected], and will be processed within thirty (30) days (extendable by a further sixty (60) days for complex requests, with notice to you).

  • Right of access (GDPR Art. 15 / CCPA "Right to Know") — request a machine-readable copy of the data the Company holds on you. The Company may charge a reasonable fee or refuse to act on manifestly unfounded or excessive requests, as permitted under Art. 12(5) GDPR.

  • Right to rectification (Art. 16) — correct inaccurate profile data directly in your account settings or by contacting [email protected].

  • Account deletion — delete your account via Settings → Delete Account. On deletion, the Company purges from its own servers: your account, conversation history accessible to you, uploaded files, profile, usage telemetry, and personal memory traces. Data already incorporated into model weights, training corpus, or shared memory is not subject to erasure, pursuant to Article 17(3)(d) GDPR and the license granted in Section 6. Billing records remain with the payment processor for seven (7) years under tax law.

  • Social-login deletion — users who signed in via Google, Apple, or Twitter may request account deletion via [email protected] (full in-app support pending). On receipt, the Company logs out the session and purges all SentX-side data, as described above. Re-joining via the same social identity afterward creates a new, independent account.

  • Right to object (Art. 21) — you may object to further processing. Because training is inseparable from the Service, exercising this right is equivalent to requesting account deletion.

  • Right to restrict processing (Art. 18) — available where applicable; typically satisfied by account deletion.

  • Right to data portability (Art. 20) — available for data processed on the basis of consent or contract; satisfied by the access right above.

  • Marketing opt-out — unsubscribe at any time via the link in any marketing email or by contacting [email protected].

  • Do Not Track — the Service does not respond to DNT browser signals.

  • Right to refuse — the Company may refuse or charge a reasonable fee for requests that are manifestly unfounded, excessive, repetitive, or vexatious, as permitted under Art. 12(5) GDPR and equivalent law.

15. No Right to Model Weight Erasure

Already-trained model weights, shared memory, and research corpus incorporate user data in a form that cannot be individually separated without impairing the research. To the maximum extent permitted by applicable law, you waive any claim to erasure, portability, or restriction of such incorporated data.

The Company expressly invokes the research exemption under Article 17(3)(d) GDPR, the safeguards of Article 89(1) GDPR, and the equivalent commercial-purpose and research-purpose exceptions under California Civil Code §1798.105(d) and analogous provisions in other jurisdictions.

You retain, regardless of the above: Article 15 (access), Article 16 (rectification), Article 21 (objection to new processing), the marketing opt-out, and the account-deletion right as set out in Section 14.

16. Children's Privacy

The Service is restricted to users 18 years of age or older. You warrant at sign-in and sign-up (via the passive footer confirmation and the user warranties in the Terms of Service) that you are 18 or older. The Company does not knowingly collect data from users under 18. If the Company discovers that an account belongs to a user under 18, the account will be terminated and SentX-side data purged in accordance with Section 14. Already-incorporated training-corpus data remains subject to the research exemption in Section 15.

17. California Privacy Rights (CCPA / CPRA)

California residents have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:

  • Right to know what personal information is collected, used, disclosed, and retained;

  • Right to correct inaccurate personal information;

  • Right to non-discrimination for exercising these rights;

  • Limited right to delete, scoped to data held by the Company on its own servers. Model weights, shared memory, and research corpus fall under the commercial-purpose and research-purpose exceptions of Cal. Civ. Code §1798.105(d) and are not subject to deletion.

Authorized agents may submit verifiable requests via [email protected]. The Company does not sell personal information to third parties for monetary consideration within the ordinary meaning of Cal. Civ. Code §1798.140, and does not share personal information for cross-context behavioral advertising. Transfers to sub-processors, and licenses to the Company's affiliates and research partners under Section 6, are for research and service-delivery purposes and are not sales within the meaning of the CCPA/CPRA.

18. European and United Kingdom Privacy Rights (GDPR / UK GDPR)

The controller is Sentx AI Research and Development LLC, headquartered in Dubai, United Arab Emirates. The Company has no establishment in the European Union or the United Kingdom and has not appointed a representative under Article 27 GDPR or the equivalent provision of the UK GDPR. The Company does not actively target EU or UK markets with EU- or UK-specific marketing or localization.

EU and UK users may nevertheless choose to use the Service at their own initiative. For such users, all processing takes place under the laws of the United Arab Emirates, and EU/UK users expressly consent to this as a condition of using the Service. The Company endeavors in good faith to observe GDPR and UK GDPR principles as set out in this Policy, including:

  • The legal bases stated in Section 4;

  • The research exemption and rights carve-outs in Section 15;

  • Access, rectification, objection, and account-deletion rights in Section 14;

  • The breach-notification commitment in Section 13;

  • Standard Contractual Clauses for international transfers in Section 11.

You may lodge a complaint with your local data protection authority (see edpb.europa.eu for EU authorities or ico.org.uk for the United Kingdom). The Company requests that you first contact [email protected] so that matters can be addressed directly.

  • Articles 15, 16, 18, 21 are honored as set out in Section 14.

  • Article 17 (right to erasure) is honored subject to the research exemption in Section 15.

  • Article 22 (automated decision-making producing legal or similarly significant effects) does not apply because SentX outputs have no legal effect on users by design, as further described in Section 19.

19. Autonomous AI Decision-Making

SentX's decisions about what to remember, how to respond, and how to evolve are autonomous. The Company does not make decisions that produce legal or similarly significant effects concerning users through automated means within the meaning of Article 22 GDPR. SentX outputs are conversational responses and research artifacts, not decisions. Outputs are provided without warranty and carry no legal force against the user. Account-status decisions (suspension, termination, ban) are subject to human review on written request to [email protected].

20. Law Enforcement and Legal Process

The Company cooperates fully with lawful requests from law enforcement, courts, and competent authorities, and may disclose any data as required by subpoena, court order, warrant, or other legal process. No warrant canary is provided. The Company will, where legally permitted, notify affected users of such requests.

21. Cookies and Tracking

The Service uses only essential cookies:

  • Session cookies used to keep you signed in;

  • CSRF tokens used to prevent cross-site request forgery;

  • Bot-protection challenge tokens used at login.

The Service does not set analytics cookies or advertising cookies and does not use cross-site tracking pixels. Third-party OAuth providers may set their own cookies when you choose to sign in through them; those cookies are governed by the provider's own privacy policy.

22. Changes to This Policy

The Company may update this Policy at any time. Material changes will be communicated via email or in-app notification at least fourteen (14) days before they take effect. Non-material changes take effect immediately upon posting. Continued use of the Service after the effective date constitutes acceptance. If you do not agree to a material change, your sole remedy is to cease use and delete your account before the change takes effect.

23. Contact

  • [email protected]

  • Sentx AI Research and Development LLC, Dubai, United Arab Emirates

  • No establishment or appointed representative in the European Union or the United Kingdom. See Section 18 for how EU and UK privacy rights are handled from Dubai.

24. Acknowledgment

BY USING SENTX, YOU ACKNOWLEDGE THAT: (A) DATA YOU SUBMIT BECOMES PART OF A PERMANENT TRAINING CORPUS AND SHARED MEMORY; (B) TRAINING IS INSEPARABLE FROM THE SERVICE AND CANNOT BE OPTED OUT OF; (C) ALREADY-INCORPORATED DATA CANNOT BE ERASED; (D) ACCOUNT-LEVEL DATA IS DELETABLE ON REQUEST AS DESCRIBED ABOVE; (E) YOU RETAIN ACCESS, RECTIFICATION, OBJECTION-TO-NEW-PROCESSING, AND ACCOUNT-DELETION RIGHTS; (F) SENTX IS AN AUTONOMOUS AI RESEARCH ENTITY WHOSE INTERNAL DECISIONS ARE NOT CONTROLLED BY THE COMPANY; AND (G) USE OF THE SERVICE IS ENTIRELY AT YOUR OWN RISK.