Privacy Policy
Last updated: March 11, 2026
1. Information We Collect
We collect the following categories of information when you use RegSeal:
Account Information
When you create an account, we collect your name, email address, organization name, and encrypted password. If you subscribe to a paid plan, payment information is processed and stored by Stripe; we do not store credit card numbers on our servers.
AI System Data
When you register AI systems for compliance assessment, we collect the system metadata you provide, including system name, description, model type, intended use, deployment geography, training data source descriptions, and risk classification inputs. We do not collect or store your AI models, training data, or model weights.
Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, assessment activities, API calls, and timestamps. This data is used to improve the Service and ensure security.
Device and Technical Data
We collect your IP address, browser type, operating system, and device identifiers for security, rate limiting, and analytics purposes.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service, including risk classification, compliance assessments, document generation, and attestation certificate issuance
- Authenticate your identity and manage your account and organization
- Process billing transactions and manage subscriptions via Stripe
- Send transactional emails such as assessment completion notifications, attestation certificate issuance, expiration alerts, and regulatory updates
- Monitor and prevent fraud, abuse, and unauthorized access through audit logging and rate limiting
- Comply with legal obligations and respond to lawful requests from authorities
3. Information Sharing
We do not sell, rent, or trade your personal information. We share information only in the following circumstances:
- Service Providers: We use third-party providers to operate the Service, including Stripe (payments), Resend (transactional email), Upstash (rate limiting), and Supabase (database hosting). These providers process data on our behalf under contractual data protection obligations.
- Public Verification: When you issue an attestation certificate, the certificate hash, system name, risk level, frameworks assessed, and issuance/expiration dates are made publicly accessible through the verification portal. No other data is exposed publicly.
- Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction with equivalent privacy protections.
4. Data Retention
We retain your account data for as long as your account is active. Assessment data, attestation records, and audit logs are retained for a minimum of 5 years to support regulatory compliance requirements. Upon account deletion, we remove personally identifiable information within 30 days, while anonymized and aggregated data may be retained indefinitely for service improvement.
5. Data Security
We implement industry-standard security measures to protect your data:
- Authentication is managed by Supabase Auth, which uses industry-standard password hashing, OAuth social login, and multi-factor authentication options
- API keys are stored as SHA-256 hashes; raw keys are never stored
- All data is transmitted over HTTPS/TLS and encrypted at rest
- Attestation certificates use SHA-256 hashing for tamper detection
- Rate limiting and audit logging protect against abuse and unauthorized access
- Role-based access control (RBAC) restricts data access within organizations
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data, subject to legal retention obligations
- Portability: Request a machine-readable export of your data
- Objection: Object to certain processing of your data
- Restriction: Request restriction of processing in certain circumstances
To exercise any of these rights, contact us at privacy@regseal.ai. We will respond within 30 days.
7. Cookies and Tracking
RegSeal uses session cookies managed by our authentication provider (Supabase Auth) to maintain your authenticated session. In production these cookies carry the HttpOnly and Secure attributes. We do not use third-party tracking cookies, advertising cookies, or cross-site tracking technologies.
We may use minimal analytics to understand aggregate usage patterns. No personal data is shared with advertising networks.
8. International Data Transfers
Your data may be processed and stored in the United States and other countries where our service providers operate. We ensure that any international data transfers comply with applicable data protection laws, including through standard contractual clauses where required.
9. Children's Privacy
RegSeal is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
10. Updates to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.
11. Contact
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at privacy@regseal.ai.