Verdus Technologies Pte. Ltd. is the data controller for personal data collected through RegLegBrief. We are incorporated in Singapore (UEN: 201616982R).
Contact: [email protected]
Note for EU and UK residents: This platform does not specifically target EU or UK residents. If you are an EU or UK resident accessing RegLegBrief, you do so voluntarily and your data is processed in accordance with GDPR and UK GDPR principles. We are not required to appoint an EU Representative at this time. If our EU or UK user base grows to warrant it, we will appoint one and update this policy accordingly.
Personal data we collect today:
| Data item | When collected | Why |
|---|---|---|
| Email address, name, organisation (optional), citation ID (optional) | When you submit the right-of-reply form | To respond to your submission and route it to the relevant part of the Specialist Panel |
| Email address (and double-opt-in confirmation token) | When you subscribe to email updates | To deliver the briefings or alerts you opted in to; processed by Brevo (Sendinblue) as our email service provider |
| Email address (forwarded inbound) | When you email admin@/partnership@/audit@/[email protected] | To receive your message; Cloudflare Email Routing forwards inbound mail to a designated mailbox |
| IP address, browser and device data, request URL, timestamp | Every request (server logs) | Security, fraud prevention, debugging |
| Advertising identifiers and ad-interaction signals (where consented) | When Google AdSense or Reader Revenue Manager serves an ad or rewarded experience | Ad serving, frequency capping, fraud prevention, and (with consent) personalisation |
Additional data we will collect only if and when user accounts, paid subscriptions, or advertising are introduced:
| Data item | When collected | Why |
|---|---|---|
| Account email and authentication token | At registration (future feature) | Account creation and access |
| Subscription tier and preferences | At signup (future feature) | Service delivery |
| Payment data | At subscription purchase (future feature) | Billing — would be processed by Stripe; we would not store card details |
| Consent records (cookie + email) | At each consent action (future feature) | Legal compliance — proof of consent |
| Behaviour / cookie data | Only with consent, only if AdSense or analytics are enabled | Advertising personalisation and analytics — subject to your explicit consent |
We do not collect sensitive personal data (health data, biometric data, political opinions, religious beliefs, etc.).
| Processing activity | Legal basis |
|---|---|
| Responding to right-of-reply submissions | Performance of pre-contractual or editorial obligation; legitimate interests (GDPR Art. 6(1)(b) and 6(1)(f)) |
| Server logs for security and fraud prevention | Legitimate interests (GDPR Art. 6(1)(f)) |
| Marketing or partnership outreach to a submitter | Consent (GDPR Art. 6(1)(a)) — only if you opt in; you can withdraw at any time |
| Billing and payment records (future feature) | Legal obligation — tax and accounting (GDPR Art. 6(1)(c)) |
| Serving advertising (future feature, EU/UK users) | Consent (GDPR Art. 6(1)(a)) — via certified consent management platform |
Singapore residents: processing is conducted in accordance with the Personal Data Protection Act 2012 (PDPA).
RegLegBrief uses AI systems (Anthropic Claude) as part of the research pipeline that produces published findings. AI systems are also the subject of testing: every published finding is the documented delta between a named AI subject's account of a regulation and the regulator's verbatim primary-source text. This is the entire point of the platform and is disclosed openly.
What we send to AI systems: Regulatory source text from official regulatory body documents. We do not send your personal data, email address, or any other identifying information to AI systems.
AI training: Your personal data is never used to train AI models. No personal data is sent to AI systems in any pipeline RegLegBrief operates.
We use the following third-party processors today, or will use them if and when the corresponding feature is introduced. Each operates under standard contractual clauses or an equivalent data processing agreement:
| Processor | Role | Data touched | Location | Status |
|---|---|---|---|---|
| Hetzner Online GmbH | Server and database hosting | All data hosted on our server (server logs, right-of-reply submissions, email-subscribe records) | Nuremberg, Germany | Active |
| Cloudflare, Inc. | CDN, DNS, edge caching, and Email Routing (inbound mail forwarding from @reglegbrief.com addresses to a designated mailbox) | Request metadata (IP, URL, headers) for routing and caching; envelope addresses for email routing | United States (SCCs in place; EU data residency available) | Active |
| Umami Software, Inc. (self-hosted instance) | Privacy-friendly web analytics (cookieless, no cross-site tracking). Hosted by us on our Hetzner server at analytics.reglegbrief.com | Hashed IP, page URL, user-agent string, referrer — no personal identifiers, no cookies, no fingerprinting | Self-hosted on Hetzner (Germany) | Active |
| Sendinblue SAS (Brevo) | Transactional and broadcast email delivery (right-of-reply acknowledgements, email-subscribe confirmations, opt-in broadcasts) | Email address, email content, send/open/click metadata | Paris, France (EU) | Active |
| Anthropic PBC | AI content generation (research pipeline) | Regulatory source text only — no personal data | United States (SCCs in place) | Active |
| Google LLC | AdSense advertising, Reader Revenue Manager (rewarded ads), and consent management | Advertising identifiers, ad-interaction signals, cookie data (with consent), behaviour data (with consent) | United States (SCCs in place) | Active |
| Stripe, Inc. | Payment processing | Payment data, billing details | United States (SCCs in place) | Planned (future paid tiers) |
We do not sell your data to third parties. We do not share your data with any party not listed above, except where required by law.
| Data item | Retention period | Reason |
|---|---|---|
| Right-of-reply submission (email, name, org, text) | Indefinite, or until you request deletion | To maintain an editorial record of submissions and the response trail |
| IP address logs | 90 days, then auto-purged | Security and fraud prevention |
| Request logs (URL, timestamp, user agent) | 30 days, then auto-purged | Debugging and abuse prevention |
| Consent records (future feature) | 7 years | Legal obligation — proof of consent |
| Payment records (future feature) | 7 years | Legal obligation — tax and accounting |
You have the following rights regarding your personal data. All rights are exercisable by emailing [email protected]. We will respond within 30 days.
Request a copy of all personal data we hold about you. We will respond with a structured export within 30 days.
Correct inaccurate data we hold about you. Email us with the correction.
Request deletion of your personal data within 30 days. Consent records and any payment records are retained as required by law.
Object to a specific processing activity. We will pause that processing while we assess your request.
Receive your data in a structured, machine-readable format (JSON). Email us to request.
Object to processing based on legitimate interests. Email us and we will assess your objection promptly.
Withdraw any consent you have given at any time, with the same ease as giving it.
You may lodge a complaint with your local data protection authority. Singapore residents: PDPC (pdpc.gov.sg). EU residents: your national supervisory authority. UK residents: ICO (ico.org.uk).
First-party cookies. RegLegBrief itself sets no first-party tracking cookies. The right-of-reply form uses a short-lived session cookie only after a submission, to deliver the confirmation message; that cookie is strictly necessary and GDPR-exempt. The email-subscribe form uses a one-time confirmation token in the verification email; no persistent cookie is set.
Analytics. Our analytics provider is Umami, self-hosted by us at analytics.reglegbrief.com. Umami is explicitly cookieless: it does not set any identifier in your browser, does not fingerprint your device, and does not track you across sites. It records hashed IP, page URL, user agent, and referrer for aggregate traffic analysis.
RegLegBrief serves third-party advertising via Google AdSense (publisher ID ca-pub-5166833194375992) and the Reader Revenue Manager rewarded-ads experience. Standard publisher disclosures apply:
For EU and UK visitors, AdSense personalisation cookies are only set with your explicit consent, captured via a Google-certified consent management platform (Funding Choices). Until consent is captured, no AdSense personalisation cookies fire and non-personalised ads are served. You can withdraw or change consent at any time via the cookie preference centre in the platform footer.
Rewarded ads (Reader Revenue Manager). The rewarded-ads experience allows you to optionally view an advertisement in exchange for a defined benefit (for example, continued access to a piece of content, or removal of inline ads for a session). Participation is entirely voluntary; you may close any rewarded prompt at no cost and continue to access RegLegBrief's free content. When you engage with a rewarded ad, Google records the interaction (view-completion, reward redemption) to deliver the promised benefit and prevent fraud; this interaction data is governed by Google's advertising privacy notice.
The categories of cookie AdSense and Reader Revenue Manager may set include: identifiers used to attribute clicks and impressions, fraud-prevention cookies, frequency-capping cookies, reward-attribution cookies, and (with consent) personalisation cookies based on inferred interests.
We send email only in response to a submission you initiate:
We do not currently send marketing emails, newsletters, or alert digests. If we introduce these in the future, they will be opt-in only with a one-click unsubscribe in every email.
In the event of a data breach that is likely to result in risk to your rights and freedoms, we will:
RegLegBrief is a professional platform intended for adults. We do not knowingly collect data from persons under the age of 18. If you believe we have inadvertently collected data from a minor, please contact [email protected] and we will delete it promptly.
We may update this Privacy Policy from time to time. The current version is always available at reglegbrief.com/privacy. Material changes will be flagged in the alert box at the top of this page for at least 30 days from the effective date.
The effective date at the top of this page indicates when this version was last updated.
For any privacy-related questions, requests, or complaints:
Verdus Technologies Pte. Ltd.
Singapore
Email: [email protected]
We will acknowledge your request within 3 business days and respond substantively within 30 days. If you are not satisfied with our response, you have the right to complain to your local data protection authority.