Privacy Policy — Core Sentinel
Version: v0.3
Effective date: 23 June 2026
Last updated: 23 June 2026
1. Who we are
This service is operated by Core Sentinel Pty Ltd (ABN 51 611 410 658), Governor Phillip Tower, 1 Farrer Place, Sydney NSW 2000, Australia (“Core Sentinel”, “we”, “us”, “our”).
This Privacy Policy explains how we collect, use, disclose, store and protect personal information when you use our Phishing Site Takedown Service at takedown.coresentinel.com (the “Service”). It applies in addition to any privacy notice on our main website.
We are the data controller for personal information processed through the Service. Where we act as a processor on a customer’s behalf (for example, evidence supplied to us by a customer about their own users), we process that information under our agreement with that customer.
We handle personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), and — where it applies to you — the EU General Data Protection Regulation (GDPR) and the UK GDPR.
2. The kinds of personal information we collect
We collect information in four streams. Each stream and its purpose is set out below.
2.1 Information you give us (customers and reporters)
When you submit a takedown request through our intake form, we collect:
- Your name and email address (used for case correspondence; our reply address is phishing@coresentinel.com).
- Your organisation / business name (required).
- A contact phone number (optional).
- The suspected phishing URL.
- The brand or entity being impersonated (optional) and any context, notes or description you choose to provide.
- Any further correspondence you send us about a case.
2.2 Payment information
Payments are processed by Stripe. We operate a pre-authorisation (auth-hold) model: your card is authorised at checkout and only captured after a verified takedown. We do not store full card numbers, card brand, or cardholder billing details. We receive and store only limited transaction metadata from Stripe — payment and authorisation status, the amount and currency, refund details, authorisation-hold expiry, and Stripe’s payment and payment-intent identifiers — to manage the case and reconcile invoicing.
2.3 Information we collect automatically
When you use the Service we collect:
- IP address, browser/device and usage data, and request logs (for security, abuse prevention and reliability).
- A Google reCAPTCHA assessment token at form submission, to block automated abuse. reCAPTCHA is subject to Google’s privacy terms.
- Essential cookies required for security (CSRF protection, session). See Section 9.
2.4 Investigation data we generate about a reported site
To investigate and take down a reported phishing site, we collect technical and registration data about that site, which may contain personal information of third parties (for example, a domain registrant’s name or email in WHOIS records). This includes:
- WHOIS / RDAP registration records (via RDAP and command-line WHOIS).
- DNS records and hosting / IP geolocation data (via ipinfo).
- Liveness probes, page captures / screenshots and automated scans (via urlscan.io and a headless browser) used as evidence.
- Reputation data from public blocklists and scan providers, used as context only.
3. Personal information about third parties (site operators and registrants)
A phishing takedown necessarily involves processing information about the operator, registrant or host of a malicious site. This information is collected from public registries (WHOIS/RDAP), DNS, and our own analysis of the reported page.
We process this third-party information on the basis of our legitimate interests (and, where applicable, the public interest) in detecting, investigating and disrupting online fraud and crime, and in protecting potential victims. We limit this processing to what is necessary to validate, evidence and action a takedown, and to make accurate abuse reports.
4. How we use personal information
We use personal information to:
- Validate and investigate a reported phishing site.
- Prepare and send abuse reports to registrars, hosting providers and infrastructure abuse desks (from phishreport@coresentinel.com).
- Submit indicators to mitigation and disruption partners (see Section 5).
- Where you elect it, report to government and law enforcement bodies (see Section 5).
- Process payment, capture funds on a verified takedown, release holds where our service-level commitment is not met, and issue invoices.
- Communicate with you about your case (including monitoring updates for “Takedown + Watch”).
- Maintain an append-only case audit log for integrity, dispute resolution and compliance.
- Secure the Service, prevent abuse, and meet our legal obligations.
5. When we disclose personal information
We disclose personal information in the following circumstances.
5.1 Service providers (sub-processors)
We use trusted providers to run the Service. They process personal information only on our instructions and under contract. Our current sub-processors are listed in Section 6.
5.2 Mitigation and disruption partners
To get a phishing site removed and blocked, we disclose the malicious URL and supporting evidence to:
- Registrars, registries, hosting / infrastructure providers, regional internet registries (RIRs) and CDNs (abuse desks), selected dynamically based on the infrastructure serving the reported site.
- Anti-phishing and threat-intelligence networks, including Netcraft, the APWG, Spamhaus, OpenPhish, PhishTank, Phishing Initiative, and VirusTotal.
- Browser / safe-browsing programs, including Google Web Risk / Safe Browsing, Microsoft SmartScreen and the Microsoft Security Response Center (MSRC).
- Cloud-provider abuse channels (for example AWS abuse reporting) where the site is hosted on that provider.
Submissions to broad-reach blocking programs (e.g. Google Web Risk) are made on a per-case authorised basis, not by default.
5.3 Government and law enforcement
Where you request it, or where we are required or permitted by law, we report phishing activity to government and national cyber-security bodies. The body or bodies depend on where the reported site and its likely victims are located, and may include the Australian Cyber Security Centre (ACSC / ReportCyber) and ACCC Scamwatch; the US FBI IC3, FTC and CISA; the UK NCSC; CERT-EU; and national cyber-emergency teams in other jurisdictions (for example Belgium’s Safeonweb / CCB, Canada’s Anti-Fraud Centre and Canadian Centre for Cyber Security, Germany’s BSI, France’s CERT-FR, Spain’s INCIBE-CERT, India’s CERT-In, Brazil’s CERT.br, Japan’s JC3, and others). Government and law-enforcement reporting of this kind is opt-in and off by default — we make these reports only where you elect them, or where we are required or permitted by law. (Reports to the Anti-Phishing Working Group (APWG) are made automatically on every case as part of standard abuse reporting; see Section 5.2.) We may also disclose information to comply with a lawful request, court order, or to protect our rights or the safety of others.
5.4 Business and professional advisers
We may disclose information to our accountants and, where necessary, legal advisers, and to a successor in the event of a business sale, subject to confidentiality.
We do not sell personal information, and we do not disclose it for third-party advertising.
6. Sub-processors, recipients and international data transfers
Core Sentinel is an Australian business, but the Service’s infrastructure and several providers process data overseas. In particular, our application compute runs in Singapore, and our databases — and therefore all personal data we hold at rest — are located in the United States (San Francisco). Other providers operate in the United States and the European Union. Where we transfer personal information outside Australia, we take reasonable steps to ensure it is handled consistently with the APPs; where the GDPR/UK GDPR applies, we rely on appropriate safeguards such as Standard Contractual Clauses or an adequacy mechanism.
6(a) Service providers (sub-processors acting on our instructions)
These providers process personal information on our behalf to operate the Service.
| Provider | Purpose | Primary location |
|---|---|---|
| Stripe | Payment processing | United States (AU entity for AU merchants) |
| Resend | Transactional & abuse-report email | United States |
| Railway | Application hosting, database, queue | Compute: Singapore; database, queue & all personal data at rest: United States (San Francisco) |
| WP Engine | Marketing/site hosting | Sydney, Australia (GCP australia-southeast1) |
| Cloudflare | Network / CDN / geo detection | United States |
| Google reCAPTCHA v3 | Intake bot-protection (abuse prevention on the request form) | United States |
| urlscan.io (urlscan GmbH) | URL scanning / evidence capture | Germany (EU) |
| ipinfo | IP geolocation | United States |
| Xero | Accounting / invoicing (via Stripe integration) | Australia / New Zealand |
6(b) Independent recipients (mitigation & disruption)
To get a reported site removed or blocked, we disclose the reported URL and supporting evidence to these parties (see Section 5.2). They act as independent controllers, not on our instructions.
| Recipient | Purpose | Primary location |
|---|---|---|
| Netcraft | Anti-phishing takedown / blocklist submission | United Kingdom |
| APWG (Anti-Phishing Working Group) | Threat-intelligence submission (every case) | United States |
| Google (Web Risk / Safe Browsing) | URL blocklist / browser-safety submission | United States |
| Microsoft (SmartScreen, MSRC) | Browser-safety / abuse submission | United States |
| VirusTotal | Reputation / blocklist submission | United States |
| OpenPhish | Phishing blocklist submission | jurisdiction pending verification |
| PhishTank | Phishing blocklist submission | United States |
| Phishing Initiative | Phishing blocklist submission | France (EU) |
| Spamhaus | Reputation / blocklist submission | jurisdiction pending verification |
| AWS (abuse reporting) | Cloud-host abuse channel | United States |
| Registrars, registries, hosts, RIRs, CDNs (abuse desks) | Takedown / abuse reporting | selected dynamically by infrastructure; international |
6(c) Takedown-operations tooling
| Tool | Purpose | Primary location |
|---|---|---|
| 2Captcha | Automated submission to third-party abuse portals; receives those portals’ CAPTCHA challenges, not your personal information | International |
Internal systems. Operator/administrator access to our systems is protected by third-party authentication and bot-protection services (admin login) that authenticate our staff only and do not process customer personal information.
Verification status: the sub-processor, recipient and tooling lists above have been reconciled against the Service’s code-verified integration set — both directions (nothing missing, nothing over-declared) — as of 23 June 2026. Railway compute (Singapore) and database/queue regions (United States, San Francisco) are confirmed from the live prod containers; the WP Engine prod origin region is confirmed Sydney, Australia (GCP australia-southeast1) by live-probe. A few recipients’ jurisdictions remain pending confirmation (marked inline).
7. How long we keep information
We keep personal information only as long as necessary for the purposes above, then delete or de-identify it.
- Terminal case records and their evidence are automatically deleted approximately 150 days after creation, once any re-takedown monitoring window has closed.
- Active cases are retained until resolved.
- The case audit log is retained for the life of the record.
- Financial records are retained for at least 5 years as required under Australian tax law.
8. How we protect information
We apply security controls appropriate to the sensitivity of the data, including encryption in transit, access controls and least-privilege handling, server-side request forgery (SSRF) protections on outbound fetches, fail-closed abuse checks, CSRF protection, and an append-only, tamper-evident audit log. No system is perfectly secure; if a data breach occurs that is likely to cause serious harm, we will act in line with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) and notify affected individuals and the OAIC as required.
9. Cookies and tracking
The Service uses strictly necessary cookies for security and session management, and loads Google reCAPTCHA, which sets its own cookies to distinguish humans from bots. We do not use advertising or cross-site tracking cookies. Where required, EU/UK visitors are shown a consent banner (geo-detected) before any non-essential cookies are set.
Please note that, as part of evidence capture, a reported URL may be submitted to urlscan.io as an “unlisted” scan. Unlisted scans are not indexed or listed publicly, but anyone who has the resulting scan link can view the result (including the screenshot), and that link is permanent. Do not include confidential information in a reported URL.
10. Your privacy rights
Subject to the law that applies to you, you may:
- Access the personal information we hold about you and ask for a copy.
- Correct information that is inaccurate or out of date.
- Request erasure of your information. We honour erasure requests where we are able, subject to our retention schedule (Section 7) and our legal and fraud-prevention obligations (see the carve-out below).
- Object to or restrict processing, or request portability (GDPR/UK GDPR).
- Withdraw consent where processing is based on consent (without affecting prior processing).
To exercise any right, contact us using Section 12. We will respond within the timeframe required by law. We may need to verify your identity first. Note that some information (for example, fraud-investigation and abuse-report records, or financial records) may be retained where we have an overriding legal obligation or legitimate interest.
If you are in the EU or UK and ask us to delete information about a site you operate that is the subject of an abuse report, we may decline where retention is necessary for the establishment, exercise or defence of legal claims or for fraud prevention.
11. Children
The Service is a business-to-business offering and is not directed at children. We do not knowingly collect personal information from anyone under 16.
12. Contact and complaints
Privacy enquiries: phishing@coresentinel.com Core Sentinel Pty Ltd, Governor Phillip Tower, 1 Farrer Place, Sydney NSW 2000, Australia.
If you are not satisfied with our response, you may complain to:
- Australia — Office of the Australian Information Commissioner (OAIC), oaic.gov.au.
- United Kingdom — Information Commissioner’s Office (ICO), ico.org.uk.
- EU — your local data protection authority.
13. Changes to this policy
We may update this policy from time to time. The current version is always posted at takedown.coresentinel.com, with the “Last updated” date above. Material changes will be notified where required by law.