GDPR Compliance

1. Our Commitment

Regent Technologies, Inc. is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page outlines how we comply with GDPR requirements and how you can exercise your rights as a data subject. We apply these protections to all users, regardless of their location.

2. Legal Basis for Processing

We process your personal data under the following legal bases as defined by Article 6 of the GDPR:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the Regent AI assistant service you have subscribed to, including email syncing, AI categorization, summarization, draft generation, and behavior analytics.
• Legitimate interest (Art. 6(1)(f)): Processing necessary for service improvement, security monitoring, fraud prevention, and maintaining service reliability. We conduct balancing tests to ensure our interests do not override your rights.
• Consent (Art. 6(1)(a)): Processing based on your explicit consent, such as connecting additional email accounts or enabling optional notification channels. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): Processing necessary to comply with tax, accounting, and regulatory requirements.

3. Data We Process

4. Where Data is Stored

Your data is stored in Supabase PostgreSQL, hosted on Amazon Web Services (AWS) in the us-east-1 region (N. Virginia, United States). This location applies to:

• All email data, AI-generated content, and user profiles
• Encrypted credentials (AES-256-GCM)
• AI audit logs and usage records
• Vector embeddings for RAG retrieval

Redis (Upstash) is used for caching and job queuing only. No personally identifiable information is stored in Redis.

5. International Transfers

As our infrastructure is hosted in the United States, personal data of EU/EEA residents is transferred to the US. We rely on the following mechanisms to ensure adequate protection:

• EU-US Data Privacy Framework: Our infrastructure providers (AWS, Stripe) are certified under the EU-US Data Privacy Framework.
• Standard Contractual Clauses (SCCs): We maintain SCCs with all sub-processors that handle personal data of EU/EEA residents.
• Technical safeguards: AES-256-GCM encryption, TLS 1.3, and Row-Level Security ensure data protection regardless of storage location.

6. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR. We honor these rights for all users, not just EU/EEA residents:

7. Data Protection Officer

Our Data Protection Officer can be contacted at dpo@regent.ai for any questions or concerns regarding the processing of your personal data. You also have the right to lodge a complaint with your local supervisory authority.

8. Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all sub-processors that handle personal data on our behalf. Our current sub-processors include:

• Supabase -- Database hosting and authentication (AWS us-east-1)
• Stripe -- Payment processing
• Ollama Cloud -- AI inference (private infrastructure)
• Upstash -- Redis caching (no PII)
• Cloudflare -- CDN and security
• Twilio -- SMS notifications (if configured)

We will notify you before adding new sub-processors that handle personal data, giving you the opportunity to object.

9. Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Art. 33)
• Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Art. 34)
• Document the breach, its effects, and remedial actions taken
• Take immediate steps to contain and remediate the breach

10. Automated Decision-Making

Regent uses AI-powered automated processing for the following purposes:

• Email categorization: Automated classification of emails into categories (work, personal, finance, urgent, etc.) using AI models
• Priority scoring: Automated assignment of priority levels to incoming emails
• Summarization: Automated generation of executive briefs from email content
• Draft reply generation: AI-suggested responses that require explicit user approval before sending
• Behavior analysis: Automated analysis of communication patterns and productivity metrics

None of these automated processes produce decisions that have legal or similarly significant effects on you. All AI-generated draft replies must be explicitly approved by you before any action is taken. Every AI decision is logged in our audit trail with full transparency, including the model used, confidence scores, and timestamps. You can review and contest any AI-generated output.

11. Data Retention Periods

12. Cookie Policy

Regent uses only essential cookies required for the Service to function:

• Session cookies: HttpOnly, Secure, SameSite=Strict. Required for authentication.
• Theme preference: Local storage of your dark/light mode selection.

We do not use tracking cookies, advertising cookies, or third-party analytics. No cookie consent banner is required as we only use strictly necessary cookies (Recital 30, Art. 5(3) ePrivacy Directive).

13. How to Exercise Your Rights

You can exercise your GDPR rights through the following channels:

• Self-service: Use the data management tools in your account settings to export data, delete your account, or modify your preferences.
• Email: Contact our Data Protection Officer at dpo@regent.ai
• Written request: Mail your request to our registered address.

We will respond to all requests within 30 days. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period along with the reason for the delay.

14. Contact

For GDPR-related inquiries or to exercise your rights: