RegulaAI

Privacy Policy

Last updated: October 13, 2025

Our Commitment to Your Privacy

At RegulaAI (operated by SME Analytica), we take your privacy very seriously. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our service.

We fully comply with the GDPR (General Data Protection Regulation) and Spain's LOPDGDD (Organic Law on Data Protection and Digital Rights).

Full Encryption

HTTPS/TLS 1.3 in transit

EU Servers

Frankfurt, Germany

No Tracking

We never sell your data

GDPR Compliant

All your rights protected

Full Control

Access, edit or delete your data

Regular Audits

SOC 2 Type II attestation

Data Protection

Your Privacy Is Our Priority

We implement strict security measures to protect your data: full GDPR compliance, EU data residency, and encryption both in transit and at rest.

GDPR
LOPDGDD
SOC 2 Type II

1. Information We Collect

1.1 Information You Provide Directly

  • Account: Email, company name (optional)
  • Questionnaire responses: Information about your AI systems
  • AEPD checklist: Control responses, implementation notes
  • Evidence: Files you upload (PDFs, screenshots, documents)
  • Payment information: Processed by Stripe (we do not store card data)

1.2 Information Collected Automatically

  • Usage data: Pages visited, time on site, interactions
  • Technical information: IP address, browser type, operating system
  • Cookies: Essential cookies for authentication and functionality

🍪 Cookies: We only use strictly necessary cookies for authentication and site functionality. We do not use third‑party cookies for advertising or tracking.

2. How We Use Your Information

We use your information to:

  • Provide the Service: Generate audits, checklists, PDF reports
  • Manage your account: Authentication, subscription management
  • Payment processing: Billing and refunds (via Stripe)
  • Communication: Respond to inquiries, send important updates
  • Service improvement: Analyze aggregate usage to improve functionality
  • Legal compliance: Comply with legal and regulatory obligations

⚠️ IMPORTANT: We never sell, rent, or share your personal information with third parties for marketing purposes. Never.

3. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract performance: To provide the Service you've requested
  • Legitimate interest: To improve our service and prevent fraud
  • Consent: For marketing communications (you can withdraw at any time)
  • Legal obligation: To meet legal and tax requirements

4. Data Storage and Security

4.1 Where We Store Your Data

All data held in our own systems is stored on Supabase servers located in the European Union (Frankfurt, Germany). The third-party services that process data on our behalf are listed in Section 5.

4.2 Security Measures

  • Encryption in transit (HTTPS/TLS 1.3)
  • Encryption at rest for all data
  • Row-Level Security (RLS) in the database
  • Two-factor authentication available
  • Regular security audits
  • Role-based access control

4.3 Data Retention

  • Account data: For as long as your account is active
  • Audits and checklists: For as long as your account is active
  • Evidence files: For as long as your account is active
  • Billing data: 7 years (legal tax obligation)
  • After cancellation: 90 days, then permanent deletion (billing data is kept for the 7-year period above)

5. Third-Party Services

We use the following third-party services that may process your data:

Stripe (Payments)

We process payments through Stripe. Card data is entered directly with Stripe and is never stored on our systems. Stripe is PCI DSS compliant.
View Stripe's privacy policy →

Supabase (Infrastructure)

We store data in Supabase (EU servers). Supabase is GDPR and SOC 2 Type II compliant.
View Supabase privacy policy →

Vercel (Hosting)

Our website is hosted on Vercel. Server logs are retained temporarily for diagnostics.
View Vercel privacy policy →

6. Your Rights (GDPR)

Under the GDPR, you have the following rights:

✓ Right of Access

Request a copy of all data we hold about you

✓ Right to Rectification

Correct inaccurate or incomplete data

✓ Right to Erasure

Request deletion of your personal data

✓ Right to Data Portability

Receive your data in a structured, readable format

✓ Right to Object

Object to the processing of your personal data

✓ Right to Restriction

Request restriction of processing of your data

How to Exercise Your Rights:
You can exercise any of these rights by contacting us at privacy@smeanalytica.dev. We will respond to your request within 30 days.

7. Children's Privacy

Our Service is not directed to individuals under 18. We do not knowingly collect personal information from anyone under 18. If we discover that we have collected data from a minor, we will delete it immediately.

8. International Transfers

Data held in our own systems is stored and processed exclusively within the European Union (see Section 4.1), and we do not transfer it outside the EU/EEA. The third-party services listed in Section 5 process data under their own privacy policies, linked in that section.

9. Changes to This Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the 'Last Updated' date.

We encourage you to review this Privacy Policy periodically for any changes.

10. Data Protection Officer

If you have questions about this Privacy Policy or how we handle your personal data, you can contact our Data Protection Officer at:

Email: privacy@smeanalytica.dev

Postal: SME Analytica, [Address], Spain

11. Complaints

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the data protection authority:

Spanish Data Protection Agency (AEPD)

Website: www.aepd.es

Phone: +34 901 100 099

Address: C/ Jorge Juan, 6, 28001 Madrid, Spain

Contact

If you have questions about this Privacy Policy, contact us: