Draft notice: This document is a starting template. Reglint is not a law firm. Before launching to paying customers, have a licensed attorney review for your jurisdiction and use case.
Privacy Policy
Last updated: 2026-05-15 · Reglint LLC · Entity ID 12015362
1. Who We Are
This Privacy Policy describes how Reglint LLC (“Reglint,” “we,” “our,” or “us”) collects, uses, and shares information about you when you use our services at reglint.ai (“the Service”).
Reglint LLC is a limited liability company registered in the Commonwealth of Virginia, USA (Entity ID: 12015362, registered May 11, 2026). For the purposes of the GDPR, Reglint LLC is the data controller.
Our Service is a two-layer AI compliance scanner:
- Layer 1 — Static code analysis: a GitHub Action that scans code repositories before deployment for regulatory patterns.
- Layer 2 — Runtime AI agent monitor: an API endpoint (POST /api/monitor/scan) that inspects AI agent outputs in real time against 27+ regulatory patterns spanning Finance, Healthcare, HR, Education, and General frameworks.
2. Information We Collect
We collect the minimum information necessary to operate the Service. We do not collect sensitive personal data categories (health, race, religion, etc.) about our customers; however, customer-submitted scan payloads may contain such data about their end users — see section 2.5 below.
2.1 Account Information
When you register, we collect: email address, full name, company name, and a bcrypt-hashed password. We never store your plaintext password.
2.2 Billing Information
Payments are processed by Stripe Inc. We store your Stripe customer ID and subscription status. We never store card numbers, CVVs, or full bank account details — that data goes directly to Stripe and is governed by their privacy policy.
2.3 Usage Data
We log: API call counts, request timestamps, the endpoint called, HTTP status codes, and response latency. This data is used for quota enforcement, abuse detection, and service reliability.
2.4 Scan Inputs — Layer 1 (Code Analysis)
When you use the static code analysis feature, we receive code snippets or repository content you submit. This content is processed to detect compliance violations and is subject to the retention schedule in Section 6.
2.5 Scan Inputs — Layer 2 (Runtime Monitor)
When your application calls POST /api/monitor/scan, we receive the prompt and AI output pair you submit. These payloads may contain personal data belonging to your end users. You are responsible for ensuring you have a lawful basis to share this data with Reglint for processing (e.g., a DPA, contractual necessity, or legitimate interest).
2.6 Audit Metadata
Each scan produces structured audit metadata (~28 fields), including: the compliance decision (BLOCK / REDACT / ALERT / PASS), violation pattern identifiers matched, regulatory framework, industry sector, scan mode, and timestamps. This metadata does not contain the original scan content after the raw payload is purged (see Section 6).
3. How We Use Your Information
- Provide the Service: authenticate you, run compliance scans, enforce quotas, and return results.
- Billing and account management: process payments, send receipts, notify of subscription changes.
- Security and fraud prevention: detect abuse, enforce the Acceptable Use Policy, and protect infrastructure.
- Product improvement: analyze anonymized scan metadata (never raw scan content) to improve detection accuracy and coverage.
- Legal compliance: retain billing records as required by tax law; respond to valid legal process.
- Communications: send transactional emails (API key issuance, payment failures, quota warnings). We do not send marketing email without explicit consent.
We do not use your data to train AI models (including the Anthropic Claude judgment layer). Scan payloads are processed transiently and not used as training data by Reglint or its sub-processors.
4. Sub-Processors
We use the following third-party processors. All are bound by data processing agreements consistent with applicable law.
| Processor | Location | Purpose |
|---|---|---|
| Amazon Web Services Inc. | us-east-1 (Virginia) | Hosting (Fargate/ECS), RDS PostgreSQL, ElastiCache (Valkey), Lambda, Bedrock Knowledge Base, Simple Email Service (SES) |
| Anthropic PBC | USA | Claude Haiku 4.5 API — judgment layer for compliance decisions |
| Stripe Inc. | USA / global | Payment processing, subscription management |
We will notify customers of any material changes to this sub-processor list with at least 30 days' notice via email or in-app notification.
5. No Advertising or Data Sale
Plain language: Reglint does not sell, rent, lease, or share your data with advertisers, data brokers, or any third party for marketing purposes. There are no advertising cookies or tracking pixels on any Reglint property. Your scan payloads are never monetized.
For California residents: we do not “sell” or “share” personal information as defined by the CCPA/CPRA. The opt-out right under CCPA Section 1798.120 is not applicable because no sale occurs.
6. Data Retention
- Account data (email, name, hashed password): retained until you delete your account, then purged within 30 days.
- Scan content containing PII (raw Layer 1 code snippets and Layer 2 prompt/output pairs): retained for 90 days, then automatically and irreversibly purged.
- Anonymized scan metadata (audit fields with no raw content): retained indefinitely for product improvement and model accuracy tracking. This data is not linkable to individual end users after the raw payload is purged.
- Billing records (invoices, payment history, Stripe customer IDs): retained for 7 years to comply with U.S. tax law (IRC § 6001) and Virginia recordkeeping requirements.
If you request deletion of your account, all categories above are purged on the schedule shown, except billing records required by law.
7. Your Rights
7.1 GDPR Rights (EU / EEA / UK Users)
If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights under the GDPR / UK GDPR:
- Access: request a copy of the personal data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”): request deletion of your data, subject to legal retention obligations.
- Data portability: receive your data in a structured, machine-readable format.
- Restriction of processing: ask us to pause processing while a dispute is resolved.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, email privacy@reglint.ai. We will respond within 30 days (extendable by 60 days for complex requests, with notice).
7.2 CCPA / CPRA Rights (California Residents)
- Right to know: request the categories and specific pieces of personal information we have collected about you.
- Right to delete: request deletion of personal information we collected, subject to exceptions.
- Right to opt-out of sale: not applicable — we do not sell personal information.
- Right to non-discrimination: we will not discriminate against you for exercising any CCPA rights.
- Right to correct: request correction of inaccurate personal information.
California residents may submit requests to privacy@reglint.ai. We will respond within 45 days (extendable by 45 days with notice).
8. Cookies
We use only essential and functional cookies (session management, authentication tokens, and user preferences). We do not use advertising cookies or third-party tracking pixels. See our full Cookie Policy for details.
9. Security
We implement technical and organizational measures appropriate to the risk, including:
- Passwords stored as bcrypt hashes (never plaintext).
- All data in transit protected by TLS 1.2+ (HTTPS enforced).
- Database encryption at rest (RDS encrypted volumes).
- API authentication via signed tokens with 24-hour expiry.
- API keys hashed in the database; raw key shown once at issuance.
- Infrastructure hosted in AWS us-east-1 with VPC isolation.
No system is impenetrable. In the event of a data breach affecting your rights, we will notify you and relevant supervisory authorities within the timelines required by law (72 hours under GDPR, as applicable).
10. Children's Privacy
The Service is intended for business use by developers and compliance teams. We do not knowingly collect personal information from individuals under the age of 16. If you believe a minor's data has been submitted, contact privacy@reglint.ai and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes (e.g., new data categories, new sub-processors, changes to retention periods) will be communicated by email or prominent in-app notice at least 30 days before taking effect. Continued use of the Service after the effective date constitutes acceptance. The “Last updated” date at the top of this page reflects the current version.
12. Contact
For privacy questions, rights requests, or data breach reports:
- Privacy email: privacy@reglint.ai
- Legal email: legal@reglint.ai (confirm this address before launch)
- Company: Reglint LLC, Commonwealth of Virginia, USA
