Privacy Policy
Effective 11 July 2026 · Last updated 11 July 2026
This policy explains what RegisAI collects, why it is needed, which service providers support the MVP, and the choices available to you.
1. Information we collect
Account and company information. This can include your email address, organisation name, sector, jurisdiction, role, and the company profiles you create or select.
Compliance-workflow content. This includes PDFs and policy text you submit, scenario descriptions, governance-assessment answers, reviewer notes, generated findings, remediation drafts, saved reports, and related audit history.
Billing and support information. If you start a paid plan or buy an available top-up, Stripe handles payment details and sends us subscription, transaction, and customer identifiers. We also retain messages you send to support.
Technical and usage information. Hosting and security providers may process IP addresses, device and browser details, request timestamps, and diagnostic logs. If product analytics is enabled, RegisAI records limited, cookieless product events configured not to include uploaded documents or findings.
2. How we use information
- ✓Provide authentication, company intelligence, document review, scenario analysis, governance assessment, reporting, monitoring, and account history.
- ✓Generate requested AI-assisted findings and draft remediation content.
- ✓Operate subscriptions, usage allowances, top-ups, service messages, and customer support.
- ✓Protect accounts, diagnose faults, prevent misuse, and improve the reliability of the MVP.
- ✓Meet legal obligations and establish, exercise, or defend legal claims where necessary.
We do not sell personal data and do not use customer documents for advertising.
3. Service providers
Supabase
Anthropic
Vercel and Cloudflare
Stripe
Resend
PostHog
4. AI and document handling
- ✓Uploaded PDFs are parsed on the server and kept in access-controlled storage.
- ✓AI requests are made from the server; provider credentials are not sent to the browser.
- ✓Remediation drafting sends the relevant finding context rather than the complete source document.
- ✓Anthropic's commercial API terms govern its processing and state that API inputs and outputs are not used to train its models by default.
- ✓You should redact personal or confidential information that is not needed for the requested compliance review.
5. Storage, security, and international processing
Primary account data, uploaded documents, and saved workflow records are stored in the European Union. External providers may process limited data in other countries under their own contractual and legal safeguards.
RegisAI uses encrypted HTTPS connections, provider-managed encryption at rest, server-side authentication, per-user storage paths, and database row-level security. No internet service can promise absolute security, and the MVP is not currently represented as independently security certified.
6. Cookies and analytics
RegisAI uses the session storage and cookies needed to keep you signed in and protect authenticated routes. It does not use advertising cookies. Optional product analytics is configured without persistent browser storage, cross-site tracking, autocapture, or session replay.
7. Retention and deletion
- ✓Account and profile data is kept while your account remains active and for a limited period where needed for legal, billing, fraud-prevention, or dispute purposes.
- ✓Documents and their saved outputs remain available until you delete them or request account closure.
- ✓Deleting a document removes its stored file and associated database record; dependent audits and findings are removed through database relationships.
- ✓Infrastructure and security logs follow the retention settings of the relevant provider and are kept only as reasonably needed for operations and security.
- ✓Account-deletion requests are actioned within 30 days, subject to records that must be retained by law or for legitimate legal purposes.
Save anything you need for your own records before deletion. Deletion may be irreversible.
8. Your rights
Depending on where you are, you may have rights to access, correct, delete, restrict, object to, or receive a copy of your personal data, and to complain to a data-protection authority.
To make a privacy request, email privacy@regisai.dev. We may need to verify your identity before completing it.
9. Changes and contact
We may update this policy as the MVP, providers, or legal obligations change. Material updates will be shown here and, where appropriate, communicated to registered users.
Privacy enquiries
Email: privacy@regisai.dev