Privacy Policy
This Privacy Policy describes what information SDSentry collects, how we use it, and the choices you have. We collect only what we need to run the service. We do not sell your data. We do not use your inventory data to train AI models.
1. Scope
This Policy applies to the SDSentry web application served from sdsentry.0xpi.com and sds.0xpi.com, and to any related communications we send you. It does not apply to third-party services we link to (their own privacy policies apply).
The service is operated by 0xpi LLC, a Washington limited liability company, doing business as "SDSentry" ("we," "our," "us").
2. Information we collect
Information you give us
- Account info: email address, password (stored bcrypt-hashed, never in plain text), name (optional), facility / company name, role.
- Inventory & SDS lookups: the chemicals, products, manufacturers, EPA registration numbers, CAS numbers, barcodes, notes, and locations you enter into the service.
- Billing info: we do not store your credit card number or bank details. PayPal stores those. We retain the PayPal subscription ID, payer ID, and plan ID associated with your account.
- Support correspondence: if you email us, we retain the message and our reply.
Information collected automatically
- Session data: a randomly generated session token (cookie), the IP address of your connection, your user-agent (browser identifier), and the time of each request.
- Audit log: every meaningful action in your tenant (login, password change, role change, inventory add/remove, billing event, export) is logged with user, time, IP, and a brief description. This is a feature of the service; you can export it on demand.
- Server logs: short-term request logs (URL, status, response time, IP) for debugging and security. Retained ≤ 14 days.
We do not use Google Analytics, Facebook Pixel, or any third-party advertising tracker. We do not fingerprint your device.
3. How we use it
- To operate the service: authenticate you, scope inventory to the right tenant and location, return SDSs you ask for, generate posters and exports.
- To send transactional email: subscription receipts, password-reset notices, security alerts. We do not send marketing email.
- To bill you and respond to billing disputes through PayPal.
- To enforce our Terms and Acceptable Use Policy and protect the service from abuse.
- To improve the service through aggregated, anonymized usage analysis (e.g., "X% of searches go to product names vs. CAS numbers"). This never involves selling or sharing identifiable data.
- To comply with legal obligations (e.g., responding to subpoenas).
4. Who we share it with
We share data only with the third parties below, and only as needed to run the service:
| Recipient | What they receive | Why |
|---|---|---|
| PayPal | Your email, subscription preferences, and billing events. Your payment method stays with PayPal — we never see it. | Subscription billing. |
| Anthropic (Claude API) | The text of SDS documents we ask their AI to extract structured data from, plus the chemical name / EPA number you searched. | AI-assisted SDS extraction when our other resolvers can't find a structured answer. |
| U.S. EPA PPLS, PubChem, manufacturer websites | The product name, CAS number, or EPA registration number you searched. | Outbound lookups against public chemical databases. |
| Let's Encrypt | The hostnames we serve from. | Issuing HTTPS certificates. |
| Infrastructure providers (host, ISP, DNS) | Network packets in transit. | Delivering the service. |
We do not sell your personal data. We do not share your data with advertisers. We do not allow PayPal or Anthropic to use your data for their own marketing. We may disclose information if compelled by a valid legal request (subpoena, court order), and we will notify you unless we are legally prohibited from doing so.
5. Cookies
We use a single cookie: sds_session, an HttpOnly, Secure, SameSite=Lax cookie that holds a random session token used to recognize your browser between requests. We do not use third-party cookies, advertising cookies, or analytics cookies. See our Cookie Policy for details.
6. Data retention
- Account data and inventory: retained for the life of your account, plus 30 days after cancellation to allow recovery. After 30 days of inactivity post-cancellation, data is permanently deleted.
- Audit log: retained for the life of your account (OSHA recordkeeping). Exported copies are yours to keep.
- Server logs: 14 days.
- Billing records: 7 years (US tax-record requirements).
- Support correspondence: 2 years.
7. Security
We use industry-standard practices to protect your data:
- All traffic is HTTPS with valid TLS certificates. HTTP traffic is redirected to HTTPS.
- Passwords are hashed with bcrypt (work factor 10) and are never logged in plain text.
- Sessions are HttpOnly cookies with 30-day TTLs and are invalidated on password change.
- Multi-tenant data is scoped per-company at the database query level — there is no application path for one tenant to access another tenant's data.
- The application server is firewalled and accessible only behind a reverse proxy.
- Database backups are taken regularly and stored on the same infrastructure.
No system is impenetrable. If we become aware of a security incident affecting your data, we will notify affected users within 72 hours.
8. Your choices
You may at any time:
- Access your data — your inventory, audit log, and account details are all visible in the app, and the audit log is exportable as CSV or PDF.
- Update your data — change your email, password, name, or inventory entries from within the app.
- Delete your data — cancel your subscription, then email customer.service@0xpi.com to request immediate purge instead of the default 30-day delay.
- Export your data — CSV export is available for inventory and audit log.
- Opt out of any non-essential email by emailing us (transactional emails like password resets cannot be opted out of while the account is active).
California residents have additional rights under the CCPA (right to know, right to delete, right to non-discrimination). To exercise them, email customer.service@0xpi.com; we will respond within 45 days.
9. Children
SDSentry is not intended for and is not directed at children under 18. We do not knowingly collect information from anyone under 18. If you believe a child has provided us information, email us and we will delete it.
10. International users
The service is hosted in the United States and intended for U.S.-based facility operators. If you access the service from outside the United States, you do so on your own initiative and are responsible for compliance with local law. We do not target EU residents and have not implemented GDPR-specific data-subject-rights mechanisms.
11. Changes to this Policy
We may update this Policy. The "Last updated" date at the top reflects the latest revision. Material changes will be announced in-app or by email at least 14 days before they take effect.
12. Contact
Privacy questions or data requests? Email customer.service@0xpi.com.