Privacy Policy

Last updated: April 5, 2026

1. Who we are

RegAid is a regulatory intelligence platform operated from Basel, Switzerland. We act as the data controller for personal data processed through our service.

For privacy-related inquiries, contact us at support@regaid.ch.

2. Data we collect

We collect and process the following categories of personal data:

Account data

Name, email address, company name, role, and profile picture — provided when you create an account or update your profile.

Workspace data

Project names, search queries, session history, saved results, and shared session links — generated through your use of the service.

Technical data

IP address, browser type, device information, and access timestamps — collected automatically when you access the service.

Payment data

Payment card details, billing address, and transaction history — collected and processed by our payment provider, Stripe. RegAid does not store full card numbers; Stripe handles all payment data as a PCI DSS Level 1 certified processor.

3. How we use your data

  • Providing the service — processing regulatory queries, generating cited answers, and managing your sessions and workspace.
  • Account management — authentication, profile settings, and workspace membership.
  • Billing — processing subscriptions and payments via Stripe.
  • Security — monitoring for unauthorized access, fraud prevention, and protecting service integrity.
  • Analytics — aggregate, anonymized usage metrics to improve the service. We do not use personal data for analytics.
  • Legal compliance — meeting obligations under Swiss and applicable EU data protection law.

4. Legal basis for processing

For users in the European Economic Area, we process personal data under the following legal bases (GDPR Art. 6):

  • Contract performance: Processing necessary to provide the service you subscribed to (queries, sessions, workspace features).
  • Legitimate interest: Security monitoring, fraud prevention, and aggregate analytics to improve the service.
  • Legal obligation: Retaining billing records as required by Swiss accounting law.

5. AI and your data

  • Your regulatory queries are processed by Google (Vertex AI) hosted in Zurich, Switzerland.
  • Google does not use paid API data to train or improve AI models. Your queries are not used for model training.
  • Query data is not retained by the AI provider beyond the time required to process your request.
  • No automated decisions with legal or significant effect are made. All AI outputs are informational only.
  • AI-generated answers may contain errors or omissions. They are not a substitute for professional regulatory advice.

6. Hosting and sub-processors

All application infrastructure is hosted in Switzerland (Google Cloud, Zurich region europe-west6). We use the following sub-processors:

Sub-processorPurposeLocation
Google Cloud (Vertex AI)AI query processingZurich, Switzerland
Google Cloud PlatformApplication hosting, storage, and databaseZurich, Switzerland
StripePayment processingIreland (EU)

7. International data transfers

Your data is stored and processed in Switzerland. AI processing runs in Switzerland (Zurich). Payment processing is handled by Stripe in the EU (Ireland), covered by the EU adequacy decision for Switzerland. Switzerland is recognized by the European Commission as providing an adequate level of data protection.

8. Data retention

  • Account data — retained while your account is active, plus 30 days after deletion to allow recovery.
  • Session and query data — retained while your account is active. Deleted when you delete your account.
  • Billing records — retained for 10 years as required by Swiss accounting law (OR Art. 958f).
  • Technical logs — retained for 90 days for security and debugging purposes.

9. Your rights

Under the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR), you have the following rights:

  • Right to access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete personal data.
  • Right to deletion — request that we delete your personal data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to restriction — request that we limit processing of your data in certain circumstances (GDPR).

To exercise any of these rights, contact us at support@regaid.ch. We will respond within 30 days.

You have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, for EU residents, your local supervisory authority.

10. Cookies

We use essential cookies only — for authentication sessions and locale preferences. We do not use third-party advertising or tracking cookies.

11. Security

We protect your data with encryption in transit (TLS 1.3) and at rest (AES-256), workspace-level data isolation, and role-based access controls. No employee has access to workspace content. We maintain internal security procedures but do not disclose architectural details publicly.

12. Data breach notification

In the event of a data breach that poses a high risk to your rights, we will notify the FDPIC as soon as possible and, where required under GDPR, the relevant EU supervisory authority within 72 hours. Affected users will be notified without undue delay.

13. Children

RegAid is not intended for users under 18 years of age. We do not knowingly collect personal data from minors.

14. Changes to this policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email. Non-material updates will be reflected on this page with an updated effective date.

15. Contact

For any questions about this Privacy Policy or your personal data, contact us at support@regaid.ch.