Skip to content
RegSpace
Book a demo

Last updated: 21 April 2026

Privacy policy

Template under legal review. This document is a working draft and has not yet been reviewed by qualified counsel. It must not be published externally without review and should not be relied upon as legal advice.

This policy explains how RegSpace Ltd ("RegSpace", "we") collects and uses personal data when you visit regspace.ai, request a demo, or use our regulatory intelligence services (the "Service").

1. Who we are

RegSpace Ltd is a company registered in England and Wales. For matters relating to your personal data, you can contact us at privacy@regspace.ai. For UK and EU matters, our representative is identified at the same address.

2. Personal data we collect

  • Account data— name, business email, employer, role, and authentication identifiers when you or a colleague signs up to the Service.
  • Submitted content— internal policies, contracts, and related documents you upload to the Service for analysis. Treated as client-confidential and covered by ADR 0002 of our architecture.
  • Usage data— pages visited, features used, and interactions with weekly digests, in aggregate and pseudonymous form.
  • Technical data— IP address, user agent, and device type, for security and abuse prevention.
  • Contact data— the information you provide when you request a demo or contact us, and any correspondence we exchange.

3. How and why we use personal data

We process personal data under the following UK GDPR / EU GDPR legal bases:

  • Performance of a contract— to provide the Service to your employer.
  • Legitimate interests— to secure, operate, and improve the Service; to contact prospective clients about regulatory intelligence services relevant to their business.
  • Consent— for optional marketing communications, where you have opted in.
  • Legal obligation— to comply with applicable laws and respond to valid legal process.

4. Model providers and sub-processors

We use large language models via enterprise endpoints (see our sub-processor list) under zero-retention terms where available. Client-submitted content is not used to train any model. For the full list of sub-processors and the scope of their access, please see our sub-processor page.

5. International transfers

Data residency is pinned per tenant. UK and EU tenant data remains in the UK/EU (europe-west2); US tenant data remains in the US (us-central1). Where any transfer outside the UK or EEA is necessary, we rely on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, supplemented as required by the relevant transfer-impact assessment.

6. Retention

We retain personal data only for as long as necessary to provide the Service and meet our legal obligations. Client-submitted content is retained under the terms of the applicable Master Services Agreement and deleted within 30 days of termination unless extended by written request.

7. Your rights

Depending on your jurisdiction you may have rights to access, correct, delete, port, restrict, or object to our processing of your personal data. You can exercise these rights by writing to privacy@regspace.ai. You can also complain to your data protection authority (in the UK, the ICO).

8. Security

Security controls are described in our security page. In summary: schema-per-tenant isolation, per-tenant CMEK encryption, hash-chained audit trail, and zero-retention LLM endpoints.

9. Changes

We may update this policy from time to time. Material changes will be notified to account holders. The "Last updated" date above always reflects the current version.