-
Notifications
You must be signed in to change notification settings - Fork 7
Privacy
github-actions[bot] edited this page May 28, 2026
·
2 revisions
This page documents every outbound data flow from a SentryUSB device, the legal basis it relies on under GDPR, how long the data is retained, and how to disable it. If anything you observe on the wire doesn't match what's listed here, it's a bug — please open an issue.
By default, SentryUSB sends no device identifier to our servers.
The "opt-in for analytics" toggle in the setup wizard and in
Settings → Privacy is the only switch that controls whether a
device-derived identifier ever leaves your Pi.
-
Endpoint:
POST https://api.sentry-six.com/sentryusb/telemetry -
Sent:
current_version,arch,model,update_availableflag,new_version(when relevant) -
Identifier: None by default. If you have opted in to the
analytics toggle, a one-way salted SHA-256 of your board's serial
number is included as
fingerprint. - Purpose: Detect vulnerable builds, ship compatible binaries, and (for opted-in devices) count unique installs without double- counting reinstalls.
- Legal basis: Legitimate interest under Art. 6(1)(f) for the default (no fingerprint) version — Recital 49 explicitly recognizes security as a legitimate-interest purpose. For the opted-in fingerprinted variant, consent under Art. 6(1)(a).
- Retention: Opted-in rows kept until you toggle off or the row is purged manually. Non-fingerprinted calls are not stored — only rate-limit counters survive briefly in RAM.
-
How to disable:
Settings → Privacy → Analytics opt-in → Opted out. The toggle takes effect immediately.
-
Endpoint:
POST https://api.sentry-six.com/sentryusb/install-beacon - Sent: Nothing. Empty body, no headers beyond standard HTTP.
- Identifier: None. The server only increments a daily counter.
- Purpose: Tell us gross install volume independent of the opt-in cohort — i.e. so we can see if a release attracted new installs at all without knowing anything about anyone.
- Legal basis: Not personal data, so GDPR doesn't apply. (Your IP is briefly seen by the rate-limiter but isn't stored or logged beyond the in-memory rolling window.)
- Retention: Daily counts are kept indefinitely as aggregate numbers. No per-user data exists to retain.
-
How to disable: Fires exactly once per install (gated by a
/mutable/.beaconedmarker). To suppress entirely, create that file before first boot:sudo touch /mutable/.beaconed. Network-blockapi.sentry-six.comif you want to be sure.
-
Endpoint:
POST https://api.sentry-six.com/wraps/upload,POST https://api.sentry-six.com/lockchime/upload - Sent: The file you uploaded, name, model (for wraps), and your IP address (briefly, for rate-limiting and abuse moderation).
-
Identifier: No device fingerprint. Older versions sent an
X-Fingerprintheader — that was removed. Abuse handling now goes through the Discord moderation queue plus per-IP rate limits. - Purpose: Sharing your contribution with the community.
- Legal basis: Contractual necessity under Art. 6(1)(b) — you triggered the upload, so processing the upload is intrinsic to the service you requested.
- Retention: The uploaded file is retained as long as it's listed in the community library. Your IP is retained in the row for abuse-investigation purposes only; not exposed to the public library view.
- How to disable: Don't submit. Browsing/downloading the library is anonymous (no headers needed) and rate-limited by IP only.
-
Endpoint:
GET https://api.sentry-six.com/wraps/download/<code>,GET https://api.sentry-six.com/lockchime/download/<code> - Sent: Standard HTTP request. No custom identifying headers.
- Identifier: None.
- Purpose: Fetch the requested asset.
- Legal basis: Contractual necessity — you asked for the file.
-
Retention: A unique-download counter at the IP level was
previously kept; with
X-Fingerprintremoved it's no longer meaningful and is effectively dormant. - How to disable: Don't download.
-
Endpoint: Various
https://api.sentry-six.com/cloud/...routes. - Sent: Your Sentry Cloud account credentials (signing in), then the files and metadata you sync.
- Identifier: Your Sentry Cloud account.
- Purpose: Cloud sync requires it — the feature can't function otherwise.
- Legal basis: Contractual necessity (Art. 6(1)(b)) — you signed up for the service.
- Retention: See the Sentry Cloud terms of service.
- How to disable: Don't sign in to Cloud. The feature is fully opt-in.
-
Endpoint:
POST https://api.sentry-six.com/register-code -
Sent: A
device_id(random UUID generated on this Pi),device_secret, your chosen pairing code, and your Pi's hostname. -
Identifier: The
device_id— but it's a random value created locally on first run, not derived from your hardware. Resetting it generates a new one. - Purpose: Routing push notifications from your Pi to your phone.
- Legal basis: Consent — you actively enabled this feature.
- Retention: Kept until you unpair the device.
- How to disable: Don't pair, or unpair in the iOS app + delete the credentials on the Pi.
- Send a hardware fingerprint without explicit opt-in.
- Phone home on every boot. (The old
spawn_startup_telemetrywas removed entirely in the privacy overhaul.) - Send "diagnostics" or "crash reports" in the background. If a crash reporter is ever added, it will be its own opt-in.
- Bundle multiple consents under one button. Each opt-in is a separate affirmative action.
- Use pre-ticked checkboxes — explicit click required.
If you want to verify any of the above against the source:
- Update-check telemetry:
crates/api/src/update.rs→send_telemetry(). Look for theanalytics_opt_inread and confirm thefingerprintkey is only inserted when that pref istrue. - Install beacon: same file →
spawn_install_beacon(). The POST is bodyless. - Wraps/chimes header forwarding:
crates/api/src/community.rs→forward_headers(). Should only forwardx-passcode, neverx-fingerprint. - Notification pairing:
crates/api/src/notifications.rs→register_code_with_backend(). Confirm the request body has nofingerprintfield.
Open an issue at
github.com/Sentry-Six/Sentry-USB-Rusty/issues
or email privacy@sentry-six.com. If the bug is "the client sent X
even though the docs said it wouldn't" please include a tcpdump or
the relevant journalctl line so we can fix it.
Discord · Report an issue · MIT License