Privacy

Privacy Policy

Effective: June 11, 2026 · Last updated: June 11, 2026

This policy describes what RegLens collects about you, how we use it, who else processes it on our behalf, and what choices you have. It's written in plain English. We follow Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), and Quebec's Law 25 — the same laws RegLens helps customers assess against. Holding ourselves to them is a baseline, not a marketing claim.

01

Scope

This policy covers personal information collected through the RegLens web application (reglens.io and lovable.app preview/published URLs) and related transactional emails. It applies to people who sign up for an account, complete an assessment, or browse our public marketing pages.

02

What we collect

  • Account identifiers. Email address, display name, and an OAuth-provided user ID when you sign in with Google. Hashed password only if you choose email/password sign-in.
  • Organization profile. Entity type, sector, incorporation and operating jurisdictions, business attributes you enter (e.g. "serves EU residents", "handles cardholder data"). Used to determine which regulations apply to your organisation.
  • Assessment responses. The answers you give to questions in each regulatory assessment, the resulting scores, and any documents you upload as evidence.
  • Security and audit metadata. IP address (from cf-connecting-ip / x-forwarded-for), user-agent string, session start and last-activity timestamps, MFA enrolment status, and audit-log entries for every privileged or consent-bearing action.
  • Consent record. The commercial-email choices you made on the welcome screen plus the IP, user agent, timestamp, and policy version at the moment you chose — retained as the CASL audit trail.
03

How we use it

  • Service provision. Run the assessment, generate reports, deliver the board one-pager, and show you which regulations apply to your organisation.
  • Security. Rate-limit and detect abusive activity, gate admin actions behind MFA, and produce the audit log needed to investigate incidents.
  • Aggregated analytics. Understand usage patterns at an aggregated, anonymised level (e.g. which jurisdictions are most assessed). We don't profile or rank individual customers.
  • Transactional emails. Send the emails that make the product work — security alerts, password resets, MFA codes, billing receipts, assessment-related notifications.
  • Commercial emails. Send the regulatory-change digest and product-update emails — only if you expressly opted in.

We don't sell your data to third parties, and we don't share it with anyone except the sub-processors listed below.

04

Sub-processors

We use the following processors to operate RegLens. The canonical list with security postures lives on the Trust page.

  • Supabase — database, authentication, storage. Hosts all customer data.
  • Cloudflare — application hosting (Workers), edge network, DNS.
  • Resend — transactional and commercial email delivery.
  • Google Analytics 4 — traffic analytics on the public marketing pages only. Never loaded on authenticated customer routes.
  • Stripe (planned) — payment processing for paid plans.
05

Cookies & analytics

The signed-in app uses a session cookie (set by Supabase) and localStorage entries for active organisation selection and similar UI state. These are strictly necessary and don't require consent.

On the public marketing pages we run Google Analytics 4 with Google Consent Mode v2 defaults set to "denied". The cookie banner (also reachable any time from the "Cookie preferences" link in the footer) is the only path to turn analytics on. Analytics is never loaded on the signed-in app — a defence-in-depth design so customer activity is never shipped to Google even if a future banner regression occurred.

06

Retention

  • Active accounts. Your data is retained while your account is active.
  • Deletion requests. When you request deletion, your account is marked for deletion and the data is irreversibly deleted or anonymised within 30 days, in line with our admin user-lifecycle process.
  • Assessment data. Retained while the originating account is active; deleted with the account.
  • Audit log. Retained for security and compliance purposes, including after account deletion in aggregated, non-identifying form.
07

Your rights

Under PIPEDA, Quebec Law 25, and equivalent laws elsewhere, you have the right to:

  • Access the personal information we hold about you.
  • Correct information that is inaccurate or incomplete.
  • Request deletion of your account and associated data.
  • Receive a portable copy of your data in a machine-readable format.
  • Withdraw consent for any commercial email at any time.

To exercise any of these rights, email support@reglens.io. We respond within 30 days.

08

CASL — commercial email

Under Canada's Anti-Spam Legislation, we send commercial emails only with your express opt-in consent. After signup we show a one-time preferences screen where both commercial categories — the regulatory change digest and product updates — default to off. You can change either at any time from Settings → Notifications.

For each opt-in we record the choice, the timestamp, your IP address, your user agent, and the policy version. Every commercial email includes a one-click unsubscribe link and our physical address.

Transactional emails — security alerts, password resets, MFA codes, billing receipts, and assessment-related notifications — are exempt under CASL §6(6) and can't be turned off.

09

Children

RegLens is a B2B compliance tool and is not directed at children. We don't knowingly collect personal information from anyone under 18. If you believe a child has signed up, email support@reglens.io and we'll delete the account.

10

Changes to this policy

We may update this policy as the product evolves. Material changes are communicated by email to account holders and posted here with a new effective date. Continued use of the service after a material change indicates acceptance.

11

Contact

Privacy questions, access requests, deletion requests, and complaints: support@reglens.io.

Mailing address: RegLens — Toronto, Canada · Canadian federal corporation.