Legal

Privacy Policy

Effective date: 28 February 2026 · Last updated: 28 February 2026

We take your privacy seriously. This policy explains what personal data we collect when you use Regumatrix, why we collect it, how long we keep it, and what rights you have. This policy complies with the General Data Protection Regulation (GDPR) and the Irish Data Protection Acts 1988–2018.

1. Who we are (Data Controller)

The data controller for Regumatrix is the operator of this service, reachable at support@caustic.app. Where GDPR applies, you have the rights set out in Section 9 below.

2. Data we collect

We collect only what is necessary to provide the service. The table below summarises each category.

Category	Data	Purpose	Legal basis	Retention
Account	Name, email address	Authentication; account management; transactional email	Contract	Until account deleted + 30 days
AI queries	Free-text system descriptions you submit	Generating compliance analyses; saving to History	Contract	Until you delete the record or close your account
Analysis results	Structured JSON output of each analysis	Displaying analysis history; PDF export	Contract	Same as AI queries above
Payments	Transaction ID, pack name, amount, timestamp	Credit allocation; purchase history display	Contract / Legal obligation	7 years (accounting law)
Credit events	Credit type, amount, timestamp	Credit balance management; dispute resolution	Contract	3 years
Analytics	Anonymised page views, session count, referrer	Understanding usage to improve the product	Legitimate interest / Consent (cookie)	26 months
Technical logs	IP address (truncated), user-agent, timestamp	Security; error diagnosis	Legitimate interest	30 days

We do not collect sensitive personal data (Article 9 GDPR categories) and we do not use your AI system descriptions for any purpose other than generating your compliance analysis and storing it in your History.

3. How we use your data

To create and manage your account.
To run compliance analyses against the EU AI Act corpus and return structured results.
To store your analysis history so you can revisit and export past results.
To process credit purchases and maintain your credit balance.
To send transactional emails (e.g. purchase confirmation, account-related notices). We do not send unsolicited marketing email.
To measure aggregate usage (page views, feature adoption) using anonymised analytics so we can improve the product.
To detect and prevent abuse, fraud, or unauthorised access.

4. Legal bases (GDPR Art. 6)

For each processing activity we rely on one of the following legal bases under Article 6 GDPR:

Performance of a contract (Art. 6(1)(b)): Providing the analysis service, storing history, processing payments, and maintaining credit balances.
Legal obligation (Art. 6(1)(c)): Retaining financial records for the period required by Irish accounting and tax law.
Legitimate interests (Art. 6(1)(f)): Security logging (truncated IPs, error logs) and aggregate analytics where consent is not obtained via cookie preferences. Our legitimate interest is to protect the service and understand product usage. We have assessed that these interests are not overridden by your rights.
Consent (Art. 6(1)(a)): Analytics cookies placed by our analytics provider. You can withdraw consent at any time via the cookie preferences button on our website.

5. Third-party service providers

We share personal data with the following sub-processors strictly for the purpose of providing the service. All sub-processors are bound by data processing agreements.

Provider	Purpose	Location
Clerk	Authentication, user identity management	USA (SCCs + DPF)
Supabase / PostgreSQL	Database hosting (account data, analyses, transactions)	EU (eu-west-1)
Google (Gemini API)	AI analysis generation — queries are not used to train Google models under our enterprise terms	USA (SCCs)
PayPal	Payment processing — we receive only a transaction confirmation, not card details	USA (SCCs + DPF)
Vercel	Application hosting and edge infrastructure	EU + USA (SCCs)

We do not sell your personal data to third parties. We do not share your AI system descriptions or analysis results with any third party except the AI generation provider named above, which processes them solely to generate your analysis.

6. Analytics

We use privacy-friendly, cookieless page-view analytics to understand how the product is used — which pages are visited, how users navigate the analysis flow, and where sessions end. This data is aggregated and anonymised prior to storage; we cannot identify individual users from it.

If our analytics implementation uses cookies (first-party or third-party), it will only activate after you accept analytics cookies via the cookie consent banner. You can withdraw consent at any time via the cookie preferences button (bottom-left of the site).

Analytics data is retained for up to 26 months and is never shared with advertising networks.

7. Cookies

We use a minimal set of cookies. The table below describes each type.

Cookie / Storage	Type	Purpose	Expires
__clerk_*	Strictly necessary	Authentication session token (Clerk)	Session / 1 year
__session	Strictly necessary	Authenticated session (Clerk)	Session
eu_cookie_consent	Strictly necessary	Records your cookie preferences so we don't re-ask on every visit	1 year
eu_ai_last_description	Functional (localStorage)	Persists your last analysis description so you don't lose it on refresh	Until cleared
_analytics_*	Analytics (consent required)	Anonymised page-view and session analytics	26 months
theme	Functional (localStorage)	Remembers your light/dark mode preference	Indefinite

You can manage your cookie preferences at any time using the cookie settings button on the bottom-left of every marketing page, or by clearing cookies in your browser settings.

8. Data retention

We retain personal data only for as long as necessary for the purpose it was collected and to comply with applicable legal obligations. When you delete your account, all associated personal data (account details, analysis history, credit records) is deleted within 30 days, except financial transaction records which we retain for 7 years as required by law.

You can delete individual analyses at any time from your History page without closing your account.

9. Your rights (GDPR)

Under GDPR you have the following rights regarding your personal data. To exercise any right, email us at support@caustic.app. We will respond within 30 days.

Access (Art. 15): Request a copy of the personal data we hold about you.
Rectification (Art. 16): Ask us to correct inaccurate data.
Erasure (Art. 17): Ask us to delete your data ("right to be forgotten"), subject to legal retention obligations.
Restriction (Art. 18): Ask us to restrict processing while a dispute is pending.
Portability (Art. 20): Receive your data in a structured, machine-readable format.
Object (Art. 21): Object to processing based on legitimate interests, including profiling.
Withdraw consent (Art. 7(3)): Where processing is based on consent (e.g. analytics cookies), withdraw at any time via cookie preferences. Withdrawal does not affect prior lawful processing.
Lodge a complaint: You have the right to lodge a complaint with the Irish Data Protection Commission (DPC) at www.dataprotection.ie, or with the supervisory authority in your EU member state.

10. International transfers

Some of our sub-processors are based outside the European Economic Area (EEA), specifically in the United States. Where transfers occur, we rely on one or more of the following safeguards:

EU Standard Contractual Clauses (SCCs) — Commission Decision 2021/914.
EU–US Data Privacy Framework (DPF) — for providers certified under the DPF.

You can request a copy of the relevant safeguards by contacting us at the address in Section 14.

11. Security

We implement technical and organisational measures appropriate to the risk including:

TLS encryption in transit for all data.
Encrypted storage provided by Supabase (AES-256 at rest).
Row-level security: each user can only access their own analyses.
Authentication delegated to Clerk, a dedicated identity provider with MFA support.
Access to production infrastructure is limited to authorised personnel only.

No method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at support@caustic.app.

12. Children

The service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to this policy

We may update this Privacy Policy. Material changes will be notified by updating the effective date above and, where appropriate, by email to registered users. Continued use of the service after the effective date constitutes acceptance of the updated policy.

14. Contact

For any questions about this policy or to exercise a data right, contact us at:

support@caustic.app

Supervisory authority: Data Protection Commission Ireland, 21 Fitzwilliam Square South, Dublin 2, D02 RD28.
www.dataprotection.ie

← Back to home Terms of Use