Privacy Policy.

1. Scope and Relationship to the Platform.

This Privacy Policy applies to information RegLeg collects through regleg.com, our marketing and sales activities, partner program interactions, events we host or attend, and correspondence you send to us. It also describes the limited information RegLeg processes as a controller in connection with administering the RegLeg platform.

When an end customer accesses the RegLeg platform through a RegLeg partner, the customer’s content and personal information are processed by RegLeg under the partner agreement and the RegLeg Data Processing Addendum. In that context the partner or end customer is the controller, and RegLeg acts as a processor on the controller’s behalf. The customer’s own privacy notice governs the relationship between that customer and its end users. This Privacy Policy does not replace or modify those agreements.

2. Information We Collect.

We collect information in three ways: you provide it to us, it is generated automatically when you interact with our website or platform, and we receive it from partners, data providers, and publicly available sources. The categories we collect include:

1. Identifiers. Name, work email, phone number, job title, employer, mailing address, and online identifiers such as IP address, device identifiers, and account usernames.
2. Professional and commercial information. Role, industry, vertical, jurisdiction of operation, purchase history, partner affiliation, and records of your interactions with us.
3. Internet and network activity. Pages visited, referring and exit pages, features used, timestamps, browser type, operating system, and similar technical signals.
4. Audio, electronic, visual, or similar information. Recordings of webinars or events you attend with notice, photographs you submit for an event, and information you share in videos or calls.
5. Inferences. Profiles drawn from the categories above to understand your likely role, interests, and buying stage.
6. Content you submit. Information you provide in forms, support inquiries, partner applications, career applications, and correspondence with us.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined under applicable state privacy laws.

3. How We Use Information.

We use the information we collect for the following business purposes:

1. To operate and secure regleg.com and the RegLeg platform.
2. To respond to your inquiries, support requests, partner applications, and career applications.
3. To route commercial inquiries to the appropriate RegLeg partner for your vertical and jurisdiction.
4. To communicate with you about products, services, events, research, and company updates you have asked to receive.
5. To administer, monitor, and improve the RegLeg platform, including measuring retrieval quality, reliability, and feature adoption.
6. To prevent and investigate fraud, abuse, security incidents, and violations of our terms or applicable law.
7. To comply with legal obligations, contractual commitments, subpoenas, court orders, and regulatory requirements.
8. To evaluate, structure, negotiate, and execute corporate transactions, including financings and acquisitions, subject to appropriate confidentiality protections.

4. How Long We Keep Information.

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, to comply with our legal, accounting, tax, and contractual obligations, to resolve disputes, and to enforce our agreements. Retention periods vary by category and by the type of relationship, and are set by reference to applicable law, industry standards, the sensitivity of the information, and the legitimate business need.

When information is no longer needed, we delete it, anonymize it, or render it inaccessible, consistent with our records schedule.

5. Sensitive Information.

RegLeg does not seek sensitive personal information. We do not knowingly collect Social Security numbers, financial account credentials, precise geolocation, genetic or biometric identifiers, or information about racial or ethnic origin, religious beliefs, philosophical beliefs, union membership, sexual orientation, or health status except where it is (a) volunteered by you in direct correspondence and necessary to respond to your inquiry, (b) required by applicable law, or (c) processed under a signed data processing agreement with a partner or end customer for platform purposes.

If we receive sensitive personal information in any of those contexts, we use it only for the purpose for which it was provided or as required by law.

6. How We Collect Information.

We collect information through the following methods:

1. Directly from you. Through forms on regleg.com, correspondence, partner applications, career applications, conference registrations, event sign in sheets, and interactions with our sales and support teams.
2. Automatically. Through cookies and similar technologies on regleg.com, server logs, and analytics platforms. See Section 12 for details.
3. From partners and customers. Through authorized introductions, referrals, partner submitted opportunity registrations, and account administration.
4. From third parties. Including business information providers, publicly available sources such as regulator websites and public professional directories, and service providers that enrich contact records with professional profile data.

7. How We Combine Information.

We may combine information we collect from the sources listed above to maintain accurate records, improve the quality of our communications, route opportunities to the right partner, and analyze the effectiveness of our marketing and product activities. We do not combine information in ways that create sensitive inferences about you, and we do not sell combined information.

8. Security Measures.

RegLeg maintains administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, or destruction. These safeguards include role based access controls, encryption of data in transit and at rest where appropriate, logging and monitoring, secure development practices, vendor risk review, and periodic testing of our controls. No security program is impenetrable. Where required by law or contract, RegLeg will notify you of a security incident affecting your personal information.

9. Where Information Is Stored.

RegLeg operates in the United States, and information we collect may be processed in the United States or in other jurisdictions where our service providers operate. Where applicable law requires a lawful basis for international transfers, we rely on approved transfer mechanisms, including Standard Contractual Clauses with our service providers and partners. Our Data Processing Addendum describes the transfer mechanisms that apply to customer platform data.

10. When We Disclose Information.

We disclose personal information in the following circumstances:

1. Partners. When you are an end customer, end user, or prospect of a RegLeg partner, we share information with that partner to enable their sales, service, and support of the RegLeg platform.
2. Service providers. Vendors that help us operate our business, including cloud hosting, communications, customer relationship management, analytics, payment processing, fraud prevention, and professional advisors, each bound by appropriate confidentiality and data protection obligations. A current list of platform subprocessors appears on our Trust page.
3. Affiliates. RegLeg affiliates and subsidiaries that support our operations.
4. Corporate transactions. In connection with the evaluation, negotiation, or completion of a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or similar transaction, subject to appropriate confidentiality protections.
5. Legal obligations and protection. To comply with applicable law, regulatory demands, subpoenas, court orders, or other valid legal process; to enforce our agreements; to investigate suspected fraud, abuse, or security incidents; and to protect the rights, property, or safety of RegLeg, our partners, customers, users, employees, or the public.
6. With your consent or at your direction. For purposes other than those described above, when you ask us to share or give us permission.

11. Marketing Choices.

You may opt-out of RegLeg marketing communications at any time by following the unsubscribe instructions in the communication or by emailing privacy@regleg.com. Opting out of marketing communications will not stop transactional or account related messages that are necessary to support an ongoing relationship or to respond to your request. Where required by law, we will obtain your consent before sending marketing communications.

12. Cookies and Tracking Tools.

regleg.com uses cookies and similar technologies to operate the site, remember preferences, measure usage, and support our marketing efforts. Our Cookie Notice describes the categories of cookies, the purposes they serve, how long they persist, and the third parties that set them. You may manage your preferences through the cookie consent mechanism on the site or through your browser settings.

RegLeg does not use tracking technologies on authenticated portions of the platform in a manner that would compromise tenant isolation or route tenant content to external analytics providers.

13. AI Features and Model Training.

The RegLeg platform incorporates artificial intelligence and machine learning features. We describe how those features use information in three parts.

Tenant scoped models trained for you.

For each customer tenant, RegLeg can build models that learn that tenant’s content, taxonomy, voice, regulatory posture, and reviewer feedback, so the platform can produce tailored outputs such as regulatory change briefs, policy updates, training video scripts, and board summaries. Tenant learning stays inside the tenant. Outputs generated for one customer are not used to produce outputs for another customer.

Foundation model guardrails.

Tenant content is not sent to train third party foundation models. Tenant content does not cross tenant boundaries through inference or training. Tenant data is not routed to consumer model endpoints or to unapproved providers. Approved model providers are contractually bound to confidentiality and use restrictions, and are listed as subprocessors on our Trust page.

How we improve the platform.

RegLeg improves the platform using system telemetry, retrieval quality signals, anonymized and aggregated usage metrics, derived information that cannot be traced to a tenant, public domain regulatory and authority content, and tenant contributions where the customer has contractually elected to share. Improvements flow back to customers as platform capability, not as shared data.

The RegLeg platform is designed to support, not replace, professional judgment. AI generated outputs should be reviewed by appropriately qualified personnel before being relied on for regulatory, legal, or business decisions.

14. Jurisdiction Specific Rights (United States).

Depending on the state you reside in, you may have the following rights with respect to your personal information. Where the rights vary by state, we honor the applicable state’s rules.

California (CCPA and CPRA).

California residents have the right to know what personal information we collect, use, disclose, and sell or share; to access the specific pieces of personal information we hold; to request correction; to request deletion; to limit the use and disclosure of sensitive personal information; to opt-out of the sale or sharing of personal information; and to be free from unlawful discrimination for exercising these rights. RegLeg does not sell personal information and does not share personal information for cross-context behavioral advertising. A “Do Not Sell or Share My Personal Information” link is available on our website for the avoidance of doubt.

Colorado, Connecticut, Montana, Oregon, Texas, Utah, Virginia, and other applicable states.

Residents of these and other states with comprehensive privacy laws may have rights to confirm whether we process their personal data, to access and obtain a copy of their personal data, to correct inaccuracies, to delete personal data, to opt-out of the sale of personal data, to opt-out of targeted advertising, to opt-out of certain profiling, and to appeal the denial of a rights request. The specific rights and procedures are defined by each state’s law.

Other states.

We honor applicable rights in other states as they come into force. If you reside in a state not listed above and you believe you have a rights request under applicable law, please contact us.

15. EEA, UK, and Swiss Rights.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation and equivalent laws grant you the rights to access, rectify, erase, restrict, and object to the processing of your personal data, to portability, to withdraw consent where processing is based on consent, and to lodge a complaint with a supervisory authority. Our lawful bases for processing include performance of a contract, legitimate interests, compliance with legal obligations, and consent where required. For transfers outside the EEA, UK, or Switzerland, we rely on approved transfer mechanisms, including Standard Contractual Clauses where applicable.

16. How to Exercise Your Rights.

To exercise any of the rights described in this Privacy Policy, email privacy@regleg.com with your request. We will verify your identity using information reasonably necessary to confirm that the request is authentic, and we will respond within the timeframes required by applicable law. If you are an end customer of a RegLeg partner, we may direct your request to that partner when the partner is the controller of your information.

You will not be discriminated against for exercising a privacy right.

17. Third Party Representatives and Agents.

You may designate an authorized agent to submit a rights request on your behalf, subject to applicable law. We will require the agent to provide documentation of their authority and will contact you directly where required to verify the request.

18. Children’s Privacy.

regleg.com and the RegLeg platform are not directed to children under the age of 16, and we do not knowingly collect personal information from children. If you believe we have inadvertently collected personal information from a child, please contact us at privacy@regleg.com and we will take appropriate steps to delete it.

19. Third Party Sites and Links.

regleg.com may contain links to third party websites, services, and content. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy notices of any third party before providing personal information.

20. Updates to This Privacy Policy.

We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date at the top of the policy and, where required by law, provide additional notice. Your continued use of regleg.com or the RegLeg platform after the effective date of an updated Privacy Policy constitutes acceptance of the updated policy.

21. Contact Us.

For questions about this Privacy Policy or to exercise a privacy right, contact us at:

RegLeg Solutions, Inc.
Attn: Privacy Team
30 N Gould Street, Suite #64894, Sheridan, WY 82801
Email: privacy@regleg.com

Formal legal notices regarding this Privacy Policy must be addressed to the Chief Legal Officer, RegLeg Solutions, Inc., at the notice address published on our Contact page.