Privacy Policy
This Privacy Policy explains how Entropy Lab SRL ("Entropy Lab", "we", "us", "our") collects, uses, stores, and protects personal data when you use the EntryGuard service ("the Service") or visit our websites at entryguard.io and docs.entryguard.io.
We take privacy seriously. EntryGuard is built for security-conscious organizations, and we apply the same standards to how we handle personal data.
1. Who We Are
Data Controller for our website visitors and customer administrators:
Entropy Lab SRL
IDNO: 1025600028930
Address: Alba Iulia 21, ap. 33, Chișinău, MD-2051, Republic of Moldova
Email: [email protected]
Data Processor for end-user data: When customer organizations use EntryGuard, we act as a data processor on their behalf. The customer organization is the data controller for their employees' data. See our Data Processing Agreement for details.
2. What Personal Data We Collect
We only collect personal data that is necessary to provide and operate the Service. We do not sell personal data, and we do not use it for advertising.
2.1 Account and identity data
When you create an EntryGuard account or are invited to one, we collect:
- Full name
- Email address
- Hashed password (we use bcrypt and never store passwords in plain text)
- Organization name and role within the organization
- Preferred language
- Multi-factor authentication secret (for users who enable MFA — encrypted at rest using AES-256-GCM)
2.2 Usage data
When you use the Service, we collect:
- IP addresses used to access the Service
- IP addresses you whitelist through sessions, static rules, or guest access
- Country code derived from IP addresses (used to display a country flag in the dashboard)
- Timestamps of logins, sessions started, and other actions
- Browser type and operating system (from HTTP headers)
- API request logs (endpoints accessed, response codes)
2.3 Audit and security data
To maintain a complete audit trail of access events, we collect and retain:
- Records of session starts, stops, and extensions
- Records of resource configuration changes
- Records of user invitations, role changes, and removals
- Records of credential creation and revocation
- Records of administrator actions
- Failed login attempts and security events
2.4 Billing data
For paid customers, we collect:
- Billing contact name and email
- Company name, address, and tax ID
- Payment card token (we do not store full card numbers — these are stored by our payment processor MAIB)
- Invoice and payment history
2.5 Communications
When you contact us via support, we collect the content of your messages and any data you choose to share, including names, emails, screenshots, and technical information.
2.6 Cookies and similar technologies
Our website and application use a small number of strictly necessary cookies for authentication, session management, and security. We do not use advertising or tracking cookies. See Section 8 below for details.
3. Where the Data Comes From
We collect data from:
- You directly, when you sign up, configure your account, or contact us
- Your organization, when an administrator invites you or sets up resources on your behalf
- Your use of the Service, automatically as you interact with the platform
- Third-party processors we use for billing, hosting, and infrastructure
4. Why We Process Personal Data and Legal Basis
We process personal data only for specific purposes, each with a clear legal basis under the GDPR and Moldovan Law No. 133/2011 on Personal Data Protection.
| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Contract performance |
| Authenticating you and securing your account | Contract performance, legitimate interest in security |
| Operating the Service (sessions, audit logs, billing) | Contract performance |
| Providing customer support | Contract performance |
| Sending service-related notifications | Contract performance, legitimate interest |
| Preventing fraud, abuse, and security incidents | Legitimate interest in security and integrity |
| Complying with legal obligations (tax, accounting, court orders) | Legal obligation |
| Improving the Service (aggregated, non-identifiable analysis) | Legitimate interest |
We do not send marketing emails. We do not profile users for advertising.
5. Who We Share Data With
We share personal data only with parties that help us provide the Service, and only as much as is necessary. We do not sell or rent personal data.
5.1 Sub-processors
We use the following categories of third-party services. The full, current list is available at entryguard.io/subprocessors.
- Cloud hosting (Oracle Cloud Infrastructure, eu-frankfurt-1, Germany) — stores all customer data and runs the Service
- Payment processing (MAIB, Republic of Moldova) — processes card payments and stores card tokens
- Content delivery and DNS (Cloudflare) — protects the Service from abuse and improves performance
- Email delivery (Oracle Cloud Infrastructure Email Delivery, EU) — sends transactional emails for invitations, password resets, and notifications
All sub-processors are bound by data protection agreements and process personal data only on our instructions.
5.2 Legal disclosures
We may disclose personal data when required by law, in response to a valid court order, or when we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation
- Protect the rights, safety, or property of Entropy Lab, our customers, or the public
- Investigate fraud or security incidents
We do not voluntarily disclose customer data to government authorities. Where legally permitted, we will notify the affected customer before disclosure.
5.3 Business transfers
If Entropy Lab is involved in a merger, acquisition, or sale of all or part of its assets, personal data may be transferred to the acquiring entity. We will give affected customers reasonable notice before any such transfer.
6. Where Data is Stored
All personal data and customer data is stored on infrastructure located in the European Union (currently Oracle Cloud Infrastructure, eu-frankfurt-1 region, Germany). Backups are stored in the same region.
We have not transferred personal data outside the EU. If we ever need to do so, we will rely on appropriate safeguards as required by GDPR (such as Standard Contractual Clauses) and update this Privacy Policy in advance.
7. How Long We Keep Data
We retain personal data only for as long as necessary for the purposes described above and as required by law.
| Data type | Retention period |
|---|---|
| Account data (active customers) | For the duration of the subscription |
| Account data (after cancellation) | 30 days, then permanently deleted |
| Audit logs | For the duration of the subscription, then 30 days |
| Billing records and invoices | 7 years (as required by Moldovan tax law) |
| Backups | 14 days (rolling) |
| Support communications | 2 years |
| Failed login attempts and security events | 90 days |
If you request earlier deletion of personal data, we will comply unless we are legally required to retain it.
8. Cookies and Similar Technologies
EntryGuard uses only strictly necessary cookies. We do not use advertising, marketing, or third-party tracking cookies, and we do not load tracking scripts from social networks or analytics services.
The cookies we set are:
| Cookie | Purpose | Duration |
|---|---|---|
| Authentication token | Keeps you logged in after authentication | Session / 30 days if "remember me" |
| CSRF token | Prevents cross-site request forgery attacks | Session |
| Language preference | Remembers your selected language | 1 year |
Because all our cookies are strictly necessary for the Service to function, we do not show a cookie consent banner. This is consistent with GDPR ePrivacy guidelines for strictly necessary cookies.
9. Your Rights
If you are located in the EU, EEA, UK, or Moldova, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdrawal of consent — where processing is based on consent, you can withdraw it at any time
- Lodge a complaint — file a complaint with your local data protection authority
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner where required by law).
If you are an end-user of EntryGuard whose data is processed on behalf of your employer or another organization, please contact that organization first — they are the data controller and we will direct your request to them.
10. Security
We protect personal data using technical and organizational measures appropriate to the sensitivity of the data, including:
- Encryption in transit using TLS 1.2 or higher for all connections
- Encryption at rest using AES-256-GCM for sensitive data (cloud credentials, MFA secrets)
- Hashed passwords using bcrypt with appropriate work factors
- Access controls for our internal systems with multi-factor authentication
- Regular security updates to our infrastructure and dependencies
- Encrypted database backups with restricted access
- Audit logging of all administrative actions
- Network isolation between customer environments
- Principle of least privilege for staff access to customer data
No system is perfectly secure. If we become aware of a security incident affecting your personal data, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR.
11. Children
EntryGuard is a B2B service for businesses. It is not intended for use by children under 16, and we do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify customers via email or in-app notification at least 30 days before the changes take effect. Continued use of the Service after the effective date means you accept the updated policy.
The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact Us
For any questions about this Privacy Policy or how we handle personal data:
Email: [email protected]
Postal address: Entropy Lab SRL, Alba Iulia 21, ap. 33, Chișinău, MD-2051, Republic of Moldova
If you are an EU resident, you also have the right to lodge a complaint with your local data protection authority. A list is available at edpb.europa.eu.
If you are in Moldova, the supervisory authority is the Centrul Național pentru Protecția Datelor cu Caracter Personal (datepersonale.md).