Privacy Policy
Last updated: March 7, 2026
1. Data Controller
Regulia ("we", "us", "our") operates the website regulia.app. For questions about this policy, contact us at hello@regulia.app.
2. Data We Collect
Account data
When you sign up via Google OAuth, we receive your email address and display name from Google. We store this alongside the company profile information you provide during onboarding.
Waitlist data
If you join our waitlist, we collect your email and optionally your company name and module of interest.
Scan data
When you use our free accessibility scanner, we process the URL you submit. Scan results are not stored for anonymous users. For logged-in users, scan results are stored in your account.
Payment data
Payments are processed by Lemon Squeezy (Lemon Squeezy LLC). We do not store credit card numbers. We receive your email, subscription plan, and transaction identifiers from Lemon Squeezy.
Usage data
We use Umami (self-hosted, cookieless) and Vercel Analytics to understand how our product is used. Umami does not use cookies, does not collect personal data, and does not track users across websites. No data is shared with third parties for advertising.
3. Legal Basis (GDPR Art. 6)
- Contract performance — processing account and payment data to provide our service
- Legitimate interest — analytics to improve the product, security monitoring
- Consent — waitlist signup, optional cookies
4. Data Processors
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | EU (Frankfurt) |
| Vercel | Hosting & edge functions | EU & US |
| Lemon Squeezy | Payment processing | US |
| Resend | Transactional email | US |
| Umami | Product analytics (cookieless, self-hosted) | Self-hosted |
| Google (Gemini) | AI-generated compliance content | US |
5. Cookies
We use only essential cookies:
- Authentication cookies — Supabase session cookies, strictly necessary to keep you logged in. No consent required under GDPR Art. 5(3).
We do not use any analytics cookies. Umami is fully cookieless and does not store any data on your device.
6. Data Retention
- Account data — retained while your account is active, deleted within 30 days of account deletion
- Waitlist data — retained until you unsubscribe or 12 months after last activity
- Scan results — retained while your account is active
- Analytics — aggregated data retained indefinitely; individual events deleted after 12 months
7. Your Rights
Under GDPR, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — at any time, without affecting prior processing
To exercise any of these rights, email hello@regulia.app. We respond within 30 days.
8. International Transfers
Some of our processors are based in the US. These transfers are covered by the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs) as applicable.
9. Security
We implement industry-standard security measures including encryption in transit (TLS), encrypted databases, rate limiting, SSRF protection, and security headers. Access to production systems is restricted to authorized personnel.
10. Children
Regulia is not intended for individuals under 16. We do not knowingly collect data from children.
11. Changes
We may update this policy. Material changes will be communicated via email or an in-app notice. The "last updated" date at the top reflects the latest revision.
12. Contact & Supervisory Authority
Data controller: Regulia · Barcelona, Spain
Email: hello@regulia.app
You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.