Legal and privacy

Privacy Policy

Effective 11 July 2026 · Last updated 11 July 2026

This policy explains what RegisAI collects, why it is needed, which service providers support the MVP, and the choices available to you.

1. Information we collect

Account and company information. This can include your email address, organisation name, sector, jurisdiction, role, and the company profiles you create or select.

Compliance-workflow content. This includes PDFs and policy text you submit, scenario descriptions, governance-assessment answers, reviewer notes, generated findings, remediation drafts, saved reports, and related audit history.

Billing and support information. If you start a paid plan or buy an available top-up, Stripe handles payment details and sends us subscription, transaction, and customer identifiers. We also retain messages you send to support.

Technical and usage information. Hosting and security providers may process IP addresses, device and browser details, request timestamps, and diagnostic logs. If product analytics is enabled, RegisAI records limited, cookieless product events configured not to include uploaded documents or findings.

2. How we use information

  • Provide authentication, company intelligence, document review, scenario analysis, governance assessment, reporting, monitoring, and account history.
  • Generate requested AI-assisted findings and draft remediation content.
  • Operate subscriptions, usage allowances, top-ups, service messages, and customer support.
  • Protect accounts, diagnose faults, prevent misuse, and improve the reliability of the MVP.
  • Meet legal obligations and establish, exercise, or defend legal claims where necessary.

We do not sell personal data and do not use customer documents for advertising.

3. Service providers

Supabase

Authentication, the primary database, and document storage. The RegisAI project stores primary account and workflow data in AWS Europe (Ireland).

Anthropic

Processes minimised text and finding context when you request AI analysis or drafting. API processing may occur outside the UK or EU under Anthropic's applicable commercial terms.

Vercel and Cloudflare

Vercel hosts and delivers the application. Cloudflare provides authoritative DNS for the domain and is currently configured without proxying RegisAI application traffic.

Stripe

Processes payments and provides subscription and transaction status. RegisAI does not receive full payment-card details.

Resend

Delivers account and service emails and receives the information required to send those messages.

PostHog

Provides limited product analytics only when configured. The current integration is cookieless and disables autocapture, session recording, and persistent user identification.

4. AI and document handling

i
RegisAI sends a bounded text extract, not the original PDF file, to the configured AI provider for document analysis. The current document-analysis limit is 12,000 characters.
  • Uploaded PDFs are parsed on the server and kept in access-controlled storage.
  • AI requests are made from the server; provider credentials are not sent to the browser.
  • Remediation drafting sends the relevant finding context rather than the complete source document.
  • Anthropic's commercial API terms govern its processing and state that API inputs and outputs are not used to train its models by default.
  • You should redact personal or confidential information that is not needed for the requested compliance review.

5. Storage, security, and international processing

Primary account data, uploaded documents, and saved workflow records are stored in the European Union. External providers may process limited data in other countries under their own contractual and legal safeguards.

RegisAI uses encrypted HTTPS connections, provider-managed encryption at rest, server-side authentication, per-user storage paths, and database row-level security. No internet service can promise absolute security, and the MVP is not currently represented as independently security certified.

6. Cookies and analytics

RegisAI uses the session storage and cookies needed to keep you signed in and protect authenticated routes. It does not use advertising cookies. Optional product analytics is configured without persistent browser storage, cross-site tracking, autocapture, or session replay.

7. Retention and deletion

  • Account and profile data is kept while your account remains active and for a limited period where needed for legal, billing, fraud-prevention, or dispute purposes.
  • Documents and their saved outputs remain available until you delete them or request account closure.
  • Deleting a document removes its stored file and associated database record; dependent audits and findings are removed through database relationships.
  • Infrastructure and security logs follow the retention settings of the relevant provider and are kept only as reasonably needed for operations and security.
  • Account-deletion requests are actioned within 30 days, subject to records that must be retained by law or for legitimate legal purposes.

Save anything you need for your own records before deletion. Deletion may be irreversible.

8. Your rights

Depending on where you are, you may have rights to access, correct, delete, restrict, object to, or receive a copy of your personal data, and to complain to a data-protection authority.

To make a privacy request, email privacy@regisai.dev. We may need to verify your identity before completing it.

9. Changes and contact

We may update this policy as the MVP, providers, or legal obligations change. Material updates will be shown here and, where appropriate, communicated to registered users.

Privacy enquiries

Email: privacy@regisai.dev