Privacy Policy

Effective May 29, 2026 · Last updated June 1, 2026

The platform ("we", "us") takes data privacy seriously — especially given that our customers trust us with sensitive compliance documents. This policy explains exactly what we collect, why, and how we protect it.

1. Information We Collect

Account information. When you create an account, we collect your email address and, during onboarding, your organisation name, sector, and jurisdiction. This information is used to personalise every analysis to your regulatory context.

Documents you upload. Compliance documents (PDFs) you upload for gap analysis are stored in encrypted cloud storage. The extracted text is sent to our AI provider for analysis and then stored alongside your audit results.

Analysis and drafted content. The findings produced by an analysis, and any AI-drafted policy language you generate to remediate a finding, are stored with your account’s audit history so you can return to them. Drafted content is associated only with your account and is never shared across accounts.

Usage data. We collect information about how you use the platform — pages visited, features used, audit frequency — to improve the product and diagnose issues.

Log data. Standard server logs including IP address, browser type, and request timestamps. These are retained for 30 days for security monitoring purposes.

2. How We Use Your Information

  • To provide the compliance audit service: running gap analyses, surfacing regulatory monitoring updates, and storing your audit history.
  • To personalise your experience: every audit and monitoring feed is scoped to your sector, jurisdiction, and applicable regulatory frameworks.
  • To send email alerts: regulatory monitoring notifications and, if opted in, the weekly digest.
  • To improve the product: aggregate, anonymised usage patterns inform feature development.
  • For security and fraud prevention: log data is reviewed when anomalous access patterns are detected.

We do not sell your data to third parties. We do not use your data for advertising.

3. Sub-Processors

The platform is built on the following infrastructure sub-processors, each under its own data processing agreement. Where a provider stores data, that data is hosted in the European Union (see Data Residency below).

Supabase (AWS eu-west-1, Ireland)

Database, encrypted file storage, and authentication. Your account data and uploaded documents are stored in the EU (AWS Europe, Ireland). SOC 2 Type II certified.

Anthropic

AI analysis. A truncated extract of document text is sent to Anthropic's Claude API to perform the gap analysis; processing may occur outside the EU. Anthropic does not use API-submitted content to train models. See Anthropic's privacy policy for details.

Resend

Transactional email delivery — account verification, password reset, and (if opted in) the regulatory monitoring digest. Receives only your email address and message content, never your documents.

Vercel

Application hosting and global edge/CDN. Serves the application; company data at rest is not stored here. SOC 2 Type II certified.

4. Data Residency

Your account data, uploaded documents, and audit history are stored and encrypted at rest within the European Union (AWS Europe, Ireland — eu-west-1). Because the UK and EU maintain mutual data-adequacy decisions, EU-hosted data stays within the UK/EU adequacy zone recognised under UK GDPR.

Your data is stored in the EU. The one exception is AI analysis: to produce a gap analysis, a minimised text extract (never the raw file, capped at 12,000 characters) is processed by Anthropic as a sub-processor, and this processing may occur outside the EU under Anthropic’s API terms. Your documents are never used to train AI models.

5. Data Isolation

Every customer account is fully isolated. No cross-user data access is possible by design — it is enforced at the database layer via row-level security policies, not just application logic.

The platform uses a multi-tenant architecture where each user account is assigned a unique, immutable ID at registration. All database queries are automatically scoped to this ID via database Row-Level Security (RLS). Even if a bug existed in our application code, the database layer would prevent any account from accessing another account's documents, audit results, or profile data.

6. Data Retention

  • Account and profile data: retained until you request deletion.
  • Uploaded documents: stored until you delete them from the platform or close your account.
  • Audit results and findings: retained with your account history until deletion.
  • Server logs: retained for 30 days for security purposes, then purged.
  • On account closure: all personal data and documents are deleted within 30 days of your request.

7. AI and Your Documents

This section matters particularly for compliance professionals handling sensitive company documents.

  • Your documents are not used to train AI models — by us or, per Anthropic's API data usage terms, by Anthropic. See Anthropic's commercial terms for current detail on API data handling.
  • Document text is extracted server-side and transmitted to Anthropic's API over an encrypted connection (TLS 1.3).
  • The extracted text is capped at 12,000 characters per analysis to minimise data exposure.
  • When you generate draft policy language for a finding, only that finding's details (the rule, the gap, and the suggested remediation) are sent to Anthropic's API — not your full document.
  • If you are concerned about uploading particularly sensitive documents, we recommend reviewing the specific document before upload and redacting client-identifying information where it is not relevant to the compliance analysis.

8. Cookies

The platform uses only authentication session cookies — the minimum required to keep you logged in. We do not use advertising cookies, third-party tracking pixels, or analytics that send data to external services.

Session cookies are set with the HttpOnly and Secure attributes, which means they cannot be accessed by JavaScript and are only transmitted over HTTPS.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data in your profile.
  • Export your audit history and data in a machine-readable format.
  • Delete your account and all associated data.
  • Object to certain processing (e.g., usage analytics).

To exercise any of these rights, email privacy@regisai.dev. We will respond within 30 days.

10. Changes to This Policy

We will notify registered users by email at least 14 days before any material change to this policy takes effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or to exercise your data rights:

Privacy Operations Team

Email: privacy@regisai.dev