Trust

Our security commitments.

How we handle your data, your camera footage, and your privacy — concretely, not as marketing language.

Core principles

  • We don't catalog individuals. Face recognition is opt-in enrollment only. Anyone not enrolled is "a person" to us — never identified, never profiled, never remembered across sessions.
  • We don't share proactively with law enforcement. We respond to lawful subpoenas and preserve records when required — and we notify you unless legally prohibited.
  • We don't sell data. Not to advertisers, data brokers, insurance carriers, or model-training pipelines outside our own system.
  • Your cameras, your rules. Zones stop at your property line. We don't ingest footage from outside your explicit zone definitions.

Data handling

Three categories of data pass through our systems:

  • Account data — email, name, subscription status. Encrypted at rest. Never shared.
  • Event metadata — timestamps, detection classes, zone references.
  • Video clips — short clips (≤30s) used for model inference. Stored for the retention window on your plan, then deleted.

Full-resolution camera archives stay on Ring/Nest's servers. We receive only the short event clips needed to run detection.

Retention & deletion

  • Basic plan: 7 days of event history, then automatic deletion.
  • Pro plan: 30 days of event history, then automatic deletion.
  • Account deletion removes everything within 30 days. Minimal billing records retained up to 7 years for legal compliance.

Access control

  • All data transit is TLS 1.2+ encrypted
  • Data at rest uses AES-256 encryption
  • Employee access to production is role-based with MFA and audit logging
  • No employee can view your event clips without a support ticket you initiated

Law enforcement

Our policy:

  • We require a valid, specific legal demand — no voluntary sharing
  • We notify the affected account holder unless legally prohibited
  • We publish an annual transparency report with aggregate numbers
  • We do not participate in bulk data requests or "fishing expedition" demands

Compliance

  • US: CCPA / CPRA (California), Texas biometric law, BIPA (Illinois)
  • Payment data: PCI DSS via Stripe — card numbers never touch our servers
  • Working toward SOC 2 Type II — we expect attestation in the next 12 months

Incident response

If we become aware of unauthorized access, we will notify affected users within 72 hours, publish a public incident report, and provide clear guidance on what data was affected.

Contact

Reach our security team at security@gardensentry.app. We respond within 3 business days and run a responsible-disclosure program for verified vulnerabilities.