Privacy Policy
Last updated: 17 October 2025
1. Introduction
Regulance (“we,” “us,” or “our”) is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, disclose, and protect personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data-protection laws.
2. Scope
This Policy applies to all personal data processed by Regulance in connection with our website, platform, products, and related business activities — including communications with clients, prospects, partners, suppliers, and users.
3. Data Controller and Processor Roles
Regulance, operated by Continuum Solutions Limited, Nairobi, Kenya, acts as:
- Data Controller – for personal data we collect directly (e.g., customer accounts, marketing, billing).
- Data Processor – when processing data on behalf of our customers through the Regulance platform (e.g., compliance evidence, screenshots, policies, or uploaded documents).
When acting as a processor, we process personal data only under the customer’s documented instructions and in accordance with our Data Processing Agreement (DPA).
Contact:
Privacy Officer - Regulance
Nairobi, Kenya
[email protected]
EU Representative:
To be appointed – EU Representative details will be published here once designated
4. Personal Data We Collect
We collect only the data necessary to deliver and improve our services.
Categories of data include:
- Identity Data: full name, organization, job title, profile photo.
- Contact Data: email address, phone number, company address, and country of operation.
- Professional Data: business name, position, compliance-related roles.
- Technical Data: IP address, browser type, device identifiers, login data, and time zone.
- Usage Data: pages visited, access times, referring websites, feature interactions.
- Financial Data: billing details, transactions, and payment records.
- Marketing Data: preferences, opt-in status, communications history.
- Uploaded Content: documents, screenshots, or files you upload to the platform for compliance automation (which may contain personal data).
5. How We Collect Data
We collect data through:
- Direct interactions (e.g., account registration, inquiries, support requests)
- Automated technologies (e.g., cookies, analytics, and logging systems)
- Third-party sources (e.g., integrations, public data, business partners)
6. Purposes and Legal Bases for Processing
Purpose - Legal Basis
- Account creation, authentication, and service delivery - Performance of a contract
- Customer support and communication - Legitimate interest
- Billing and financial transactions - Legal obligation and contract
- Platform security, fraud detection, and abuse prevention - Legitimate interest
- Usage analytics and service improvement - Legitimate interest
- Marketing communications - Consent
- AI document analysis and automation - Legitimate interest (or consent if optional feature)
- Compliance with legal obligations - Legal obligation
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
7. Use of AI and Automated Processing
We use AI systems (e.g., OpenAI) to assist in analyzing compliance documents, policies, and screenshots to automate compliance checks.
- Data sent to AI subprocessors may include text or images you upload for analysis.
- We apply data minimization and redaction where feasible before sharing.
- AI processing is assistive only - no decisions with legal or similarly significant effects are made without human review.
We do not use profiling or automated decision-making that produces legal or similarly significant effects on individuals.
8. Sharing of Personal Data
We may share data with the following categories of recipients:
- Subprocessors and service providers who support our operations under contractual agreements.
- Professional advisors (e.g., auditors, legal counsel).
- Authorities and regulators where required by law.
- Corporate affiliates or successors in case of merger or acquisition.
All subprocessors are bound by strict data-processing and confidentiality agreements.
9. Subprocessors
We engage the following subprocessors and infrastructure providers to deliver our services:
Subprocessor - Purpose - Location / Transfer Mechanism
- DigitalOcean - Cloud hosting (Amsterdam region) - EEA
- Cloudflare, Inc. - Content delivery, DDoS protection - US – SCCs / DPF
- OpenAI, L.L.C. - AI document analysis and automation - US – SCCs / DPF
- Pipedream, Inc. - Secure workflow integrations - US – SCCs / DPF
- Google Workspace - Email and document management - EU/US – SCCs
- Slack Technologies - Internal communications - US – SCCs / DPF
- Stripe, Inc. - Payment processing - US – SCCs / DPF
- GitHub, Inc. - Code and infrastructure management - US – SCCs / DPF
A full and current list of subprocessors is available at https://regulance.io/subprocessors.
Customers will be notified before any material changes to subprocessors.
10. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data Privacy Framework (DPF) participation, where applicable.
- Transfer Impact Assessments to evaluate risks and ensure protection.
11. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy, or as required by law.
Data Category - Retention Period
- Account data - Active period + 90 days after closure
- Billing and financial records - 7 years (legal requirement)
- Support correspondence - 24 months
- Usage logs - 12 months
- Uploaded compliance evidence - Retained for the duration of the customer’s subscription, or until the customer requests deletion
After expiry of these periods, data is securely deleted or anonymized.
12. Security Measures
We implement organizational and technical measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control and MFA for staff
- Continuous vulnerability scanning and security monitoring
- Regular penetration testing and incident response plans
- Annual security and privacy reviews
13. Cookies and Tracking
We use cookies and similar technologies for authentication, analytics, and performance optimization.
Non-essential cookies (e.g., analytics or marketing) are only set with your consent. You can manage cookie preferences through your browser or via our Cookie Management Tool available on the website.
For more information, see our Cookie Policy.
14. Your Rights
Under GDPR and other applicable laws, you have the right to:
- Access your personal data
- Rectify inaccurate or incomplete data
- Erase data (“right to be forgotten”)
- Restrict or object to processing
- Obtain a copy of your data (data portability)
- Withdraw consent at any time
- Lodge a complaint with your local supervisory authority
15. Exercising Your Rights
To exercise your rights, contact:
[email protected]
We will respond within one month, as required under GDPR.
If you are located in the EU, you may also contact our EU Representative (details to be added once appointed).
16. Children’s Data
Our services are intended for business use and are not directed to children under 16.
Where our customers process personal data of minors (e.g., EdTech use cases), Regulance acts solely as a data processor and processes such data only under their documented instructions.
17. Third-Party Links
Our platform may contain links to third-party websites. We are not responsible for their privacy practices and encourage you to review their respective privacy policies.
18. Changes to This Policy
We may update this Policy periodically. The “Last updated” date reflects the latest revision. Continued use of our services after changes take effect constitutes acceptance of the updated Policy.
19. Contact Us
If you have questions, concerns, or complaints about this Policy or our data-handling practices, please contact:
Regulance
Continuum Solutions Limited
Nairobi, Kenya
[email protected]