Effective March 30, 2026

Privacy Policy

Regfo provides AI-powered regulatory compliance analysis for biotech teams. This policy explains what data we collect, how we use it, and your rights.

1. Information We Collect

  • Account information: email address and password when you create an account.
  • Documents: preclinical study reports (PDF, DOCX) that you upload for analysis. These are scientific documents — we do not collect personal health information (PHI) or patient data.
  • Usage data: pages visited, features used, and basic analytics to improve the service.
  • We do not collect payment information directly. All payments are processed by third-party providers.

2. How We Use Your Data

  • To provide the compliance analysis service — your documents are processed by AI (Google Gemini) to extract structured data and check against ICH/FDA guidelines.
  • To maintain and improve the service.
  • To communicate with you about your account or service updates.
  • We do not sell your data. We do not use your documents to train AI models.

3. Document Processing

  • Uploaded documents are processed in real time and stored encrypted at rest on Google Cloud infrastructure.
  • Documents are encrypted in transit (TLS) and at rest (AES-256).
  • AI processing is performed via the Google Gemini API. Google does not use API inputs/outputs for model training per their API Terms of Service.
  • You can delete any document or workspace at any time. Deletion is permanent.

4. Data Sharing

  • We do not share your data with third parties except as needed to provide the service (cloud hosting, AI processing).
  • If you use the share link feature, anyone with the link can view that specific compliance report. You control who receives the link.
  • We may disclose data if required by law or to protect our rights.

5. Data Retention

  • Your account data is retained while your account is active.
  • Documents and analysis results are retained until you delete them.
  • If you delete your account, all associated data is permanently removed within 30 days.

6. Security

  • We use industry-standard security measures including encryption in transit and at rest, access controls, and regular security reviews.
  • Infrastructure is hosted on Google Cloud Platform.
  • No system is 100% secure. We cannot guarantee absolute security of your data.

7. HIPAA and Health Data

  • Regfo is not a HIPAA covered entity and does not process Protected Health Information (PHI).
  • The documents processed by Regfo are preclinical study reports — scientific data from animal and laboratory studies, not patient medical records.
  • If your organization requires HIPAA compliance for document handling, Regfo is not the appropriate tool for that data.

8. International Users (GDPR)

  • If you are located in the European Economic Area (EEA), UK, or Switzerland, additional rights apply under GDPR.
  • Legal basis for processing: performance of a contract (providing the service) and legitimate interest (improving the service).
  • Cross-border transfers: your data is processed on Google Cloud infrastructure, which may involve transfers outside the EEA. Google maintains appropriate safeguards (Standard Contractual Clauses) for such transfers.
  • Right to lodge a complaint with your local data protection authority.
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to object to processing based on legitimate interest.
  • For GDPR-related requests: [email protected]

9. Your Rights

  • Access: request a copy of your data at any time.
  • Deletion: delete your documents, workspaces, or entire account.
  • Correction: update your account information.
  • Contact us at [email protected] for any privacy-related requests.

10. Cookies

  • We use essential cookies for authentication and session management.
  • We may use analytics cookies to understand how the service is used.
  • No advertising cookies or third-party tracking.

11. Changes

  • We may update this policy from time to time. Material changes will be communicated via email or a notice on the service.

12. Contact