Privacy
Privacy Policy
Effective: June 11, 2026 · Last updated: June 11, 2026
This policy describes what RegLens collects about you, how we use it, who else processes it on our behalf, and what choices you have. It's written in plain English. We follow Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), and Quebec's Law 25 — the same laws RegLens helps customers assess against. Holding ourselves to them is a baseline, not a marketing claim.
Scope
This policy covers personal information collected through the RegLens web application (reglens.io and lovable.app preview/published URLs) and related transactional emails. It applies to people who sign up for an account, complete an assessment, or browse our public marketing pages.
What we collect
- Account identifiers. Email address, display name, and an OAuth-provided user ID when you sign in with Google. Hashed password only if you choose email/password sign-in.
- Organization profile. Entity type, sector, incorporation and operating jurisdictions, business attributes you enter (e.g. "serves EU residents", "handles cardholder data"). Used to determine which regulations apply to your organisation.
- Assessment responses. The answers you give to questions in each regulatory assessment, the resulting scores, and any documents you upload as evidence.
- Security and audit metadata. IP address (from
cf-connecting-ip/x-forwarded-for), user-agent string, session start and last-activity timestamps, MFA enrolment status, and audit-log entries for every privileged or consent-bearing action. - Consent record. The commercial-email choices you made on the welcome screen plus the IP, user agent, timestamp, and policy version at the moment you chose — retained as the CASL audit trail.
How we use it
- Service provision. Run the assessment, generate reports, deliver the board one-pager, and show you which regulations apply to your organisation.
- Security. Rate-limit and detect abusive activity, gate admin actions behind MFA, and produce the audit log needed to investigate incidents.
- Aggregated analytics. Understand usage patterns at an aggregated, anonymised level (e.g. which jurisdictions are most assessed). We don't profile or rank individual customers.
- Transactional emails. Send the emails that make the product work — security alerts, password resets, MFA codes, billing receipts, assessment-related notifications.
- Commercial emails. Send the regulatory-change digest and product-update emails — only if you expressly opted in.
We don't sell your data to third parties, and we don't share it with anyone except the sub-processors listed below.
Sub-processors
We use the following processors to operate RegLens. The canonical list with security postures lives on the Trust page.
- Supabase — database, authentication, storage. Hosts all customer data.
- Cloudflare — application hosting (Workers), edge network, DNS.
- Resend — transactional and commercial email delivery.
- Google Analytics 4 — traffic analytics on the public marketing pages only. Never loaded on authenticated customer routes.
- Stripe (planned) — payment processing for paid plans.
Retention
- Active accounts. Your data is retained while your account is active.
- Deletion requests. When you request deletion, your account is marked for deletion and the data is irreversibly deleted or anonymised within 30 days, in line with our admin user-lifecycle process.
- Assessment data. Retained while the originating account is active; deleted with the account.
- Audit log. Retained for security and compliance purposes, including after account deletion in aggregated, non-identifying form.
Your rights
Under PIPEDA, Quebec Law 25, and equivalent laws elsewhere, you have the right to:
- Access the personal information we hold about you.
- Correct information that is inaccurate or incomplete.
- Request deletion of your account and associated data.
- Receive a portable copy of your data in a machine-readable format.
- Withdraw consent for any commercial email at any time.
To exercise any of these rights, email support@reglens.io. We respond within 30 days.
CASL — commercial email
Under Canada's Anti-Spam Legislation, we send commercial emails only with your express opt-in consent. After signup we show a one-time preferences screen where both commercial categories — the regulatory change digest and product updates — default to off. You can change either at any time from Settings → Notifications.
For each opt-in we record the choice, the timestamp, your IP address, your user agent, and the policy version. Every commercial email includes a one-click unsubscribe link and our physical address.
Transactional emails — security alerts, password resets, MFA codes, billing receipts, and assessment-related notifications — are exempt under CASL §6(6) and can't be turned off.
Children
RegLens is a B2B compliance tool and is not directed at children. We don't knowingly collect personal information from anyone under 18. If you believe a child has signed up, email support@reglens.io and we'll delete the account.
Changes to this policy
We may update this policy as the product evolves. Material changes are communicated by email to account holders and posted here with a new effective date. Continued use of the service after a material change indicates acceptance.
Contact
Privacy questions, access requests, deletion requests, and complaints: support@reglens.io.
Mailing address: RegLens — Toronto, Canada · Canadian federal corporation.