1. Data controller
The controller of your personal data is Regonance. For any data-protection matter, contact us at support@regonance.com.
2. Data we collect
- Account data — email, name, organisation, password hash, role.
- Product and compliance data — catalogs, product URLs, technical files, photos and documents you upload for compliance scanning, plus the assessments and passports we generate.
- Billing data — plan, invoices, billing email. Card numbers are processed by Stripe; we never store them.
- Communications — email address and consent state for transactional messages and (separately) for the optional newsletter.
- Usage and security data — pages viewed, scans run, error logs, IP address, user agent. Used for service operation and abuse prevention.
- Referral data — referral codes you submit or receive.
3. Purposes and legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the platform and running compliance assessments | Contract — Art. 6(1)(b) |
| Billing, accounting and tax obligations | Contract + legal obligation — Art. 6(1)(b) and (c) |
| Transactional emails (account, security, billing) | Contract — Art. 6(1)(b) |
| Optional marketing newsletter | Consent — Art. 6(1)(a); LSSI Art. 21 |
| Service security, fraud and abuse prevention | Legitimate interest — Art. 6(1)(f) |
| Product analytics (aggregate) | Consent (cookies) / legitimate interest for first-party aggregate metrics |
| Defending or exercising legal claims | Legitimate interest — Art. 6(1)(f) |
4. Sub-processors
We rely on a small set of vetted providers acting as processors under Data Processing Agreements:
- Supabase / Lovable Cloud — database, authentication and file storage (EU region where available).
- Cloudflare — application hosting, CDN and DDoS protection.
- Stripe Payments Europe, Ltd. — subscription billing and payment processing.
- Resend — transactional and newsletter email delivery.
- AI inference providers — Google (Gemini) and OpenAI, accessed via the Lovable AI Gateway, to perform compliance analysis on the product / marketing data you upload. Inputs are sent only to fulfil your request and are not used to train third-party foundation models on identifiable customer content.
- Sentry — error monitoring (stripped of payloads where feasible).
An up-to-date list is available on request.
5. International transfers
Some sub-processors are established outside the European Economic Area (notably the United States). Where this occurs, transfers are covered by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework. A copy of the safeguards in place is available on request to support@regonance.com.
6. Retention
- Account and product data: while your account is active.
- After account closure: deleted or anonymised within 90 days, except where retention is required by law.
- Invoices and accounting records: 6 years (Spanish Commercial Code Art. 30 and tax law).
- Newsletter consent and proof: while consent is active and up to 3 years after withdrawal to evidence the prior opt-in.
- Security and access logs: up to 12 months.
- Uploaded files: can be deleted on demand from your dashboard.
7. Your rights (GDPR / LOPDGDD)
You have the rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, objection, portability, and the right not to be subject to solely automated decisions producing legal effects. You may also withdraw any consent at any time without affecting the lawfulness of previous processing.
To exercise any right, email support@regonance.com from the address linked to your account. We respond within one month (extendable by two months for complex requests, per GDPR Art. 12.3).
You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es.
8. Minimum age
In Spain, the minimum age to consent to processing of personal data by information society services is 14 (LOPDGDD Art. 7). The service is intended for businesses; we do not knowingly collect data from minors below that age.
9. Security
Data is encrypted in transit (TLS 1.2+) and at rest. Production access is restricted, audit-logged and reviewed periodically. We follow industry-standard organisational and technical measures (GDPR Art. 32). If a breach occurs that is likely to result in risk to your rights, we will notify the AEPD within 72 hours and the affected users without undue delay.
10. Cookies
See our Cookie Policy for details on cookies and similar technologies.
11. Changes to this policy
We may update this policy to reflect changes in the service or the law. Material changes will be communicated in-app or by email. The current version is always available at regonance.com/privacy with the "last updated" date.
12. Contact
Get in touch or email support@regonance.com for any privacy question.