Privacy Policy

⚠️ IMPORTANT DISCLAIMER

This Privacy Policy is provided for informational purposes only and does not constitute legal advice. Regulatory Signals is a compliance monitoring platform, and this policy should be reviewed by qualified legal counsel before relying upon it for any legal purpose. We make no guarantees of legal compliance or protection.

Effective Date: April 28, 2026

1. Introduction

Regulatory Signals ("we," "us," or "our") operates as a compliance monitoring platform that helps users monitor website compliance, detect changes, and collect evidence. This Privacy Policy describes how we collect, use, and protect information when you use our service.

Regulatory Signals provides compliance monitoring and analysis tools. We do not provide legal advice. Please consult qualified legal counsel for compliance decisions.

2. What Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (for authentication and communication)
  • Account preferences and settings
  • Subscription tier information

2.2 Website Scanning Data

When you use our scanning tool, we collect and store:

  • Website URLs you submit for analysis
  • Technical data detected from scanned websites (cookies, trackers, technologies)
  • Generated documentation drafts
  • Scan timestamps and results

2.3 Usage Analytics

We collect generic usage information including:

  • Pages viewed and features used
  • Session duration and interaction patterns
  • Browser type, device type, and operating system (generic)
  • Referring URLs and navigation patterns

2.4 What We Do NOT Collect

  • Payment card details are processed directly by Stripe; we do not store credit card information
  • Personal identification documents
  • Precise geolocation data
  • Biometric information

3. How We Use Your Information

We use collected information to:

  • Provide our service: Process website scans, generate documentation drafts, and manage your account
  • Communicate with you: Send service updates, respond to inquiries, and provide support
  • Improve our service: Analyze usage patterns to enhance features and performance
  • Ensure security: Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations: Meet regulatory requirements and respond to lawful requests

3.1 Legal Basis for Processing (GDPR Art. 6)

For users in the EU/EEA, we process personal data under the following legal bases:

| Processing activity | Legal basis |
| --- | --- |
| Account creation and authentication | Contract performance — Art. 6(1)(b) |
| Processing website scan data and generating compliance drafts | Contract performance — Art. 6(1)(b) |
| Sending transactional emails (receipts, scan complete) | Contract performance — Art. 6(1)(b) |
| Usage analytics and service improvement | Legitimate interests — Art. 6(1)(f) |
| Fraud detection and security monitoring | Legitimate interests — Art. 6(1)(f) |
| Compliance with legal obligations (tax, audit) | Legal obligation — Art. 6(1)(c) |

4. Cookies and Tracking Technologies

Regulatory Signals uses cookies and similar technologies for:

  • Essential cookies: Required for authentication and core functionality
  • Analytics cookies: Help us understand how users interact with our service
  • Preference cookies: Remember your settings and preferences

You can control cookies through your browser settings. Note that disabling essential cookies may limit functionality.

5. Third-Party Services and Tracking Technologies

We use the following third-party services that may collect or access information:

  • Stripe: Payment processing. Stripe may set cookies and collect payment-related data. See Stripe's Privacy Policy.
  • Anthropic (Claude API): AI-powered scan analysis and document generation. Technical scan data (detected technologies, cookies, trackers) is transmitted to Anthropic to produce tailored compliance drafts. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — providing the core service you signed up for. No personal data about your end-users is included in prompts.
  • Google Tag Manager / Google Analytics: We use Google Tag Manager (googletagmanager.com) to load analytics scripts, and Google Analytics (google-analytics.com) to understand how visitors use our site. These services may set cookies and collect usage data. Google Analytics is loaded only after cookie consent is given.
  • Cloudflare Web Analytics: We use Cloudflare's privacy-first analytics (static.cloudflareinsights.com) for anonymised page-view data. Cloudflare does not set persistent tracking cookies and does not fingerprint individual users.
  • Railway: Application hosting and managed PostgreSQL database. Data is stored within Railway's infrastructure.
  • Resend / Forward Email: Transactional email delivery (magic links, notifications).

These services operate under their own privacy policies. We encourage you to review their respective policies.

5a. International Data Transfers

Some of our third-party service providers — including Anthropic, Stripe, Google, and Cloudflare — are based in or operate infrastructure in the United States and other countries outside the European Economic Area (EEA). Where we transfer personal data outside the EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR), incorporated by reference in our Data Processing Agreements with each sub-processor;
  • Adequacy decisions where applicable (e.g., the EU–US Data Privacy Framework for processors that have self-certified).

You may request a copy of the relevant transfer safeguards by emailing [email protected].

6. Data Retention

We retain your information:

  • Account data: Until you delete your account or as required by law
  • Scan results: Until you delete them or close your account
  • Generated documents: Until you delete them or close your account
  • Usage logs: Typically retained for 90 days for security and debugging purposes

7. Your Rights (GDPR / UK GDPR)

If you are in the EU/EEA or UK, you have the following rights under GDPR Art. 13–21:

  • Access (Art. 15): Request a copy of the personal data we hold about you.
  • Correction (Art. 16): Request correction of inaccurate or incomplete information.
  • Deletion (Art. 17): Request erasure of your data, subject to legal retention obligations.
  • Portability (Art. 20): Receive your data in a structured, machine-readable format. You can download a JSON export of all data we hold about you at any time from your account settings or via this direct link (requires login).
  • Object to processing (Art. 21): Object at any time to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
  • Withdraw consent (Art. 7(3)): Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent for analytics cookies, clear your browser's local storage for this site — the cookie notice will reappear on your next visit.
  • Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Lodge a complaint (Art. 77): You may lodge a complaint with the data protection authority in your country of residence. EU/EEA authorities: edpb.europa.eu. UK residents: ico.org.uk.

To exercise any of these rights, email [email protected]. We will respond within 30 days (one-month extension permitted under Art. 12(3) for complex requests).

7a. Automated Decision-Making and Profiling

We do not make decisions that produce legal or similarly significant effects on you solely through automated means (GDPR Art. 22). Our AI analysis (powered by Anthropic Claude) processes technical scan data — detected cookies, trackers, and technologies — to generate compliance drafts. This analysis does not evaluate personal characteristics, creditworthiness, or any profile of you as an individual, and no automated decision with legal effect is made about you.

7b. CCPA / CPRA Rights (California Residents)

If you are a California resident, you have the following rights under the CCPA/CPRA:

  • Right to Know (§1798.110): Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete (§1798.105): Request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Opt Out of Sale or Sharing of Personal Information (§1798.120): You have the right to direct us to not sell or share your personal information. We do not sell or share personal information for cross-context behavioural advertising, so this right is already satisfied. If you nonetheless wish to submit an opt-out request, email [email protected] with the subject line "CCPA Opt-Out Request" and we will confirm our non-sale status in writing.
  • Right to Correct (§1798.106): Request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information (§1798.121): We do not collect or use sensitive personal information beyond what is necessary to provide the service.
  • Right to Non-Discrimination (§1798.125): We will not discriminate against you for exercising any of your CCPA/CPRA privacy rights. This means we will not deny you goods or services, charge you different prices, provide a different level or quality of service, or suggest that you will receive a different price or rate for goods or services as a result of exercising your rights under §1798.125.

To exercise your CCPA rights, email [email protected] with the subject line "CCPA Rights Request."

8. Data Security

We implement appropriate technical and organizational measures to protect your information, including encryption of data in transit and at rest. However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Data Protection Contact & DPO (GDPR Art. 13(1)(b))

Data Protection Officer (DPO): Regulatory Signals does not meet the thresholds requiring appointment of a formal Data Protection Officer under GDPR Art. 37 (we are not a public authority and do not carry out large-scale, systematic monitoring of individuals or large-scale processing of special-category data). As required by GDPR Art. 13(1)(b), we disclose this expressly: no DPO has been appointed.

For all data protection enquiries, rights requests, and complaints, the responsible contact is:

Data protection contact (GDPR Art. 13(1)(b)): [email protected]

General support: [email protected]

We aim to respond to all data protection requests within 30 days. If you are unsatisfied with our response, you have the right to escalate to your national supervisory authority (see Section 7 above).

Legal Reminder: This Privacy Policy is provided as an informational resource. Regulatory Signals provides informational compliance tools and does not guarantee legal accuracy or compliance. Users should consult qualified legal counsel for advice specific to their situation.