Privacy Policy

Effective April 18, 2026

1. Who we are

RegsGuard ("we", "us") is a compliance-tracking SaaS operated from Minnesota, USA. This policy explains what personal data we collect, why, how we use it, who we share it with, and your rights. Contact: brendan@rebooked.org.

2. Data we collect

  • Account data: name, email, password (managed by our auth provider Clerk), profile photo if you upload one.
  • Business profile: business name, address, phone, license numbers, insurance carrier and policy number, surety bond details, EIN/tax ID if you provide it.
  • Compliance content: documents and photos you upload, deadlines you create, regulations you track.
  • Billing data: handled by Stripe — we never see your full card number. We store your Stripe customer ID, plan, and subscription status.
  • Usage data: pages visited, actions taken, IP address, browser type, timestamps. Used for security and to improve the product.
  • Cookies and local storage: session cookies (essential, set by Clerk), theme preference, and the cookie-consent choice itself.

3. Why we use it (legal basis under GDPR)

  • To deliver the Service (contract): account, billing, deadline tracking, document generation, notifications you opt into.
  • To keep the Service secure (legitimate interest): rate-limiting, abuse detection, audit logs.
  • To improve the Service (legitimate interest): aggregate usage analytics. You can opt out.
  • To comply with law (legal obligation): tax records, lawful requests from authorities.
  • Marketing emails (consent): only if you opt in. Transactional emails (deadline alerts, billing) are not marketing.

4. Sub-processors we share data with

  • Clerk — authentication and user management (US, GDPR DPA available).
  • Supabase — Postgres database hosting (US-East AWS region).
  • Stripe — payments and billing (global, GDPR DPA).
  • Resend — transactional email delivery (US, GDPR-compliant).
  • Cloudflare — DNS, CDN, DDoS protection (global edge).
  • Sentry (when enabled) — error monitoring (US, EU region available).

We do not sell your data. We do not share data with advertisers. We disclose data only to the sub-processors above and only as required to deliver the Service.

5. Where data is stored

Data is stored on servers located in the United States. If you are in the European Economic Area, the United Kingdom, or Switzerland, your data is transferred to the US under Standard Contractual Clauses with our sub-processors.

6. How long we keep it

  • Active account data: for as long as your account is active.
  • After account deletion: personal data is deleted within 30 days, except where retention is required by law (e.g. tax records — 7 years).
  • Backups: rolling 30-day backups; deleted records age out within 30 days of deletion.
  • Audit logs: kept 12 months for security and dispute resolution, then aggregated or deleted.

7. Your rights

You have the right to:

  • Access a copy of your data.
  • Correct inaccurate data (most fields are editable in your profile).
  • Delete your account and data.
  • Port your data — we provide a JSON export on request.
  • Object to processing based on legitimate interest.
  • Withdraw consent for optional cookies and marketing email at any time.
  • Lodge a complaint with your local data-protection authority (e.g. ICO in the UK, your DPA in the EU).

Email brendan@rebooked.org to exercise any of these rights. We respond within 30 days.

8. Cookies

We use a small number of cookies. The cookie-consent banner lets you choose between:

  • Essential only — session, authentication, security. Always set; required for the Service to work.
  • Accept all — also enables anonymous product analytics so we can improve the app.

We do not use advertising or third-party tracking cookies. To change your choice, clear site data in your browser and reload — the banner will appear again.

9. Security

All traffic is encrypted in transit with TLS 1.2+. The database is hosted on Supabase with encryption at rest. Authentication is handled by Clerk with optional MFA. Access to production systems is restricted and audited. We follow industry best practices, but no system is 100% secure — please use a strong, unique password.

10. Children

RegsGuard is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided data, contact us and we will delete it.

11. Changes

We may update this policy. Material changes will be communicated by email or in-app notice at least 14 days before they take effect.

12. Contact

For privacy questions, data subject requests, or to exercise your rights, contact brendan@rebooked.org.