RegLegBrief › Privacy Policy

Privacy Policy

Effective date: 13 April 2026  ·  Last updated: 2026-06-16  ·  Verdus Technologies Pte. Ltd.  ·  Singapore

RegLegBrief is a freely-accessible research publication. The platform sets no first-party tracking cookies; analytics are cookieless. Personal data is collected through the right-of-reply form and the optional email-subscribe form. Google AdSense advertising and a Reader Revenue Manager rewarded-ads experience are wired into the platform; ad personalisation cookies fire only for non-EU/UK users by default and only with explicit consent for EU/UK users. This policy covers what we do today and what we will do if and when user accounts or paid subscription tiers are introduced. If anything here is unclear, email [email protected] and we will explain it directly.

1. Who we are

Verdus Technologies Pte. Ltd. is the data controller for personal data collected through RegLegBrief. We are incorporated in Singapore (UEN: 201616982R).

Contact: [email protected]

Note for EU and UK residents: This platform does not specifically target EU or UK residents. If you are an EU or UK resident accessing RegLegBrief, you do so voluntarily and your data is processed in accordance with GDPR and UK GDPR principles. We are not required to appoint an EU Representative at this time. If our EU or UK user base grows to warrant it, we will appoint one and update this policy accordingly.

2. Data we collect

Personal data we collect today:

Data itemWhen collectedWhy
Email address, name, organisation (optional), citation ID (optional)When you submit the right-of-reply formTo respond to your submission and route it to the relevant part of the Specialist Panel
Email address (and double-opt-in confirmation token)When you subscribe to email updatesTo deliver the briefings or alerts you opted in to; processed by Brevo (Sendinblue) as our email service provider
Email address (forwarded inbound)When you email admin@/partnership@/audit@/[email protected]To receive your message; Cloudflare Email Routing forwards inbound mail to a designated mailbox
IP address, browser and device data, request URL, timestampEvery request (server logs)Security, fraud prevention, debugging
Advertising identifiers and ad-interaction signals (where consented)When Google AdSense or Reader Revenue Manager serves an ad or rewarded experienceAd serving, frequency capping, fraud prevention, and (with consent) personalisation

Additional data we will collect only if and when user accounts, paid subscriptions, or advertising are introduced:

Data itemWhen collectedWhy
Account email and authentication tokenAt registration (future feature)Account creation and access
Subscription tier and preferencesAt signup (future feature)Service delivery
Payment dataAt subscription purchase (future feature)Billing — would be processed by Stripe; we would not store card details
Consent records (cookie + email)At each consent action (future feature)Legal compliance — proof of consent
Behaviour / cookie dataOnly with consent, only if AdSense or analytics are enabledAdvertising personalisation and analytics — subject to your explicit consent

We do not collect sensitive personal data (health data, biometric data, political opinions, religious beliefs, etc.).

3. Legal basis for processing

Processing activityLegal basis
Responding to right-of-reply submissionsPerformance of pre-contractual or editorial obligation; legitimate interests (GDPR Art. 6(1)(b) and 6(1)(f))
Server logs for security and fraud preventionLegitimate interests (GDPR Art. 6(1)(f))
Marketing or partnership outreach to a submitterConsent (GDPR Art. 6(1)(a)) — only if you opt in; you can withdraw at any time
Billing and payment records (future feature)Legal obligation — tax and accounting (GDPR Art. 6(1)(c))
Serving advertising (future feature, EU/UK users)Consent (GDPR Art. 6(1)(a)) — via certified consent management platform

Singapore residents: processing is conducted in accordance with the Personal Data Protection Act 2012 (PDPA).

4. AI processing disclosure

RegLegBrief uses AI systems (Anthropic Claude) as part of the research pipeline that produces published findings. AI systems are also the subject of testing: every published finding is the documented delta between a named AI subject's account of a regulation and the regulator's verbatim primary-source text. This is the entire point of the platform and is disclosed openly.

What we send to AI systems: Regulatory source text from official regulatory body documents. We do not send your personal data, email address, or any other identifying information to AI systems.

AI training: Your personal data is never used to train AI models. No personal data is sent to AI systems in any pipeline RegLegBrief operates.

5. Third-party processors

We use the following third-party processors today, or will use them if and when the corresponding feature is introduced. Each operates under standard contractual clauses or an equivalent data processing agreement:

ProcessorRoleData touchedLocationStatus
Hetzner Online GmbHServer and database hostingAll data hosted on our server (server logs, right-of-reply submissions, email-subscribe records)Nuremberg, GermanyActive
Cloudflare, Inc.CDN, DNS, edge caching, and Email Routing (inbound mail forwarding from @reglegbrief.com addresses to a designated mailbox)Request metadata (IP, URL, headers) for routing and caching; envelope addresses for email routingUnited States (SCCs in place; EU data residency available)Active
Umami Software, Inc. (self-hosted instance)Privacy-friendly web analytics (cookieless, no cross-site tracking). Hosted by us on our Hetzner server at analytics.reglegbrief.comHashed IP, page URL, user-agent string, referrer — no personal identifiers, no cookies, no fingerprintingSelf-hosted on Hetzner (Germany)Active
Sendinblue SAS (Brevo)Transactional and broadcast email delivery (right-of-reply acknowledgements, email-subscribe confirmations, opt-in broadcasts)Email address, email content, send/open/click metadataParis, France (EU)Active
Anthropic PBCAI content generation (research pipeline)Regulatory source text only — no personal dataUnited States (SCCs in place)Active
Google LLCAdSense advertising, Reader Revenue Manager (rewarded ads), and consent managementAdvertising identifiers, ad-interaction signals, cookie data (with consent), behaviour data (with consent)United States (SCCs in place)Active
Stripe, Inc.Payment processingPayment data, billing detailsUnited States (SCCs in place)Planned (future paid tiers)

We do not sell your data to third parties. We do not share your data with any party not listed above, except where required by law.

6. Data retention

Data itemRetention periodReason
Right-of-reply submission (email, name, org, text)Indefinite, or until you request deletionTo maintain an editorial record of submissions and the response trail
IP address logs90 days, then auto-purgedSecurity and fraud prevention
Request logs (URL, timestamp, user agent)30 days, then auto-purgedDebugging and abuse prevention
Consent records (future feature)7 yearsLegal obligation — proof of consent
Payment records (future feature)7 yearsLegal obligation — tax and accounting

7. Your rights

You have the following rights regarding your personal data. All rights are exercisable by emailing [email protected]. We will respond within 30 days.

Right of access

Request a copy of all personal data we hold about you. We will respond with a structured export within 30 days.

Right to rectification

Correct inaccurate data we hold about you. Email us with the correction.

Right to erasure

Request deletion of your personal data within 30 days. Consent records and any payment records are retained as required by law.

Right to restrict processing

Object to a specific processing activity. We will pause that processing while we assess your request.

Right to data portability

Receive your data in a structured, machine-readable format (JSON). Email us to request.

Right to object

Object to processing based on legitimate interests. Email us and we will assess your objection promptly.

Right to withdraw consent

Withdraw any consent you have given at any time, with the same ease as giving it.

Right to lodge a complaint

You may lodge a complaint with your local data protection authority. Singapore residents: PDPC (pdpc.gov.sg). EU residents: your national supervisory authority. UK residents: ICO (ico.org.uk).

8. Cookies and third-party advertising

First-party cookies. RegLegBrief itself sets no first-party tracking cookies. The right-of-reply form uses a short-lived session cookie only after a submission, to deliver the confirmation message; that cookie is strictly necessary and GDPR-exempt. The email-subscribe form uses a one-time confirmation token in the verification email; no persistent cookie is set.

Analytics. Our analytics provider is Umami, self-hosted by us at analytics.reglegbrief.com. Umami is explicitly cookieless: it does not set any identifier in your browser, does not fingerprint your device, and does not track you across sites. It records hashed IP, page URL, user agent, and referrer for aggregate traffic analysis.

Google AdSense and Reader Revenue Manager (third-party advertising)

RegLegBrief serves third-party advertising via Google AdSense (publisher ID ca-pub-5166833194375992) and the Reader Revenue Manager rewarded-ads experience. Standard publisher disclosures apply:

For EU and UK visitors, AdSense personalisation cookies are only set with your explicit consent, captured via a Google-certified consent management platform (Funding Choices). Until consent is captured, no AdSense personalisation cookies fire and non-personalised ads are served. You can withdraw or change consent at any time via the cookie preference centre in the platform footer.

Rewarded ads (Reader Revenue Manager). The rewarded-ads experience allows you to optionally view an advertisement in exchange for a defined benefit (for example, continued access to a piece of content, or removal of inline ads for a session). Participation is entirely voluntary; you may close any rewarded prompt at no cost and continue to access RegLegBrief's free content. When you engage with a rewarded ad, Google records the interaction (view-completion, reward redemption) to deliver the promised benefit and prevent fraud; this interaction data is governed by Google's advertising privacy notice.

The categories of cookie AdSense and Reader Revenue Manager may set include: identifiers used to attribute clicks and impressions, fraud-prevention cookies, frequency-capping cookies, reward-attribution cookies, and (with consent) personalisation cookies based on inferred interests.

9. Email communications

We send email only in response to a submission you initiate:

We do not currently send marketing emails, newsletters, or alert digests. If we introduce these in the future, they will be opt-in only with a one-click unsubscribe in every email.

10. Data breaches

In the event of a data breach that is likely to result in risk to your rights and freedoms, we will:

11. Children

RegLegBrief is a professional platform intended for adults. We do not knowingly collect data from persons under the age of 18. If you believe we have inadvertently collected data from a minor, please contact [email protected] and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. The current version is always available at reglegbrief.com/privacy. Material changes will be flagged in the alert box at the top of this page for at least 30 days from the effective date.

The effective date at the top of this page indicates when this version was last updated.

13. Contact and complaints

For any privacy-related questions, requests, or complaints:

Verdus Technologies Pte. Ltd.
Singapore
Email: [email protected]

We will acknowledge your request within 3 business days and respond substantively within 30 days. If you are not satisfied with our response, you have the right to complain to your local data protection authority.