Privacy Policy
Last updated: 14 March 2026
This Privacy Policy explains how financialregulations.eu ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use our regulatory intelligence platform and related services (the "Service"). We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Dutch data protection legislation.
1. Data Controller
The data controller responsible for the processing of your personal data is financialregulations.eu, a company registered in the Netherlands. As data controller, we determine the purposes and means of the processing of personal data collected through the Service. We are responsible for ensuring that all processing activities comply with the GDPR and other applicable data protection laws.
For all enquiries regarding data protection, please contact our Data Protection Contact at privacy@financialregulations.eu.
2. Data Collected
We collect and process the following categories of personal data in connection with the provision of the Service:
2.1 Account Data
When you create an account, we collect your email address, full name, and company or organisation name. This information is necessary for the creation and administration of your account and for communicating with you about the Service.
2.2 Uploaded Documents
When you upload documents to the Service for regulatory analysis, we process and store those documents for the duration necessary to provide you with the requested analysis and in accordance with our data retention policy described in Section 6 below.
Please note that documents you upload may contain personal data relating to third parties (e.g., names, signatures, or other identifying information of individuals referenced in contracts, prospectuses, or other regulatory documents). By uploading such documents, you confirm that you have a lawful basis to share this data with us for the purpose of regulatory analysis, and that you have fulfilled any applicable transparency obligations towards those third parties.
2.3 Regulatory Queries
We record the regulatory queries and questions you submit to the Service, together with the AI-generated outputs provided in response. This data is used to deliver the Service to you and to improve the quality of our analysis over time.
2.4 Usage Data
We automatically collect certain usage data, including the number of queries submitted, the timestamps of your interactions with the Service, and general usage patterns. This data is used for billing, capacity planning, and service improvement purposes.
2.5 Payment Data
Payment information, including credit card numbers, billing addresses, and transaction details, is collected and processed exclusively by our payment processor, Stripe. We do not store full credit card numbers or sensitive payment credentials on our systems. We receive from Stripe only a truncated card number, card type, and transaction confirmation for record-keeping purposes.
3. Processing Purposes
We process your personal data for the following purposes: providing and operating the Service, including account management, authentication, and user support; generating regulatory analyses, reports, and other outputs in response to your queries and uploaded documents; tracking usage for billing purposes and enforcing the usage limits associated with your subscription plan; processing payments and managing subscriptions through our payment processor Stripe; improving the Service, including enhancing the quality and accuracy of AI-generated outputs, optimising system performance, and developing new features; complying with legal obligations, including accounting, tax, and regulatory requirements applicable to our business; and protecting the security and integrity of the Service, including detecting and preventing fraud, abuse, or unauthorised access.
4. Legal Basis for Processing
We process your personal data on the following legal bases under the GDPR:
4.1 Performance of a Contract (Article 6(1)(b) GDPR)
The processing of your account data, uploaded documents, regulatory queries, and usage data is necessary for the performance of the contract between you and financialregulations.eu, namely the provision of the Service in accordance with our Terms of Service. Without this processing, we would be unable to provide you with access to the Service or generate the regulatory analyses you have requested.
4.2 Legitimate Interest (Article 6(1)(f) GDPR)
We process certain data on the basis of our legitimate interests, provided that such interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include improving the quality and accuracy of the Service, ensuring the security and integrity of our systems, conducting internal analytics and reporting, and preventing fraud and abuse. We have conducted a balancing assessment for each processing activity based on legitimate interest and have determined that our interests do not override the rights of our users.
4.3 Consent (Article 6(1)(a) GDPR)
Where processing is not covered by the legal bases set out above, we will seek your explicit consent before processing your personal data. You have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. Consent may be sought, for example, for the use of your data in anonymised and aggregated form for research or benchmarking purposes.
5. Sub-processors
We engage the following third-party sub-processors to assist in the delivery of the Service. Each sub-processor processes personal data only to the extent necessary to perform the services described below, and each is bound by data processing agreements that require compliance with the GDPR.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, user authentication, and data storage | European Union |
| Anthropic | Large language model processing for generating regulatory analyses and reports | United States (Standard Contractual Clauses) |
| Stripe | Payment processing, subscription management, and billing | European Union / United States |
| Vercel | Application hosting, content delivery network, and edge functions | Global |
| Hetzner | Backend infrastructure hosting and data storage | Germany |
We will notify you of any changes to the sub-processors listed above by updating this Privacy Policy. If we engage a new sub-processor that processes personal data in a manner materially different from what is described here, we will provide advance notice and an opportunity to object.
6. Data Retention
We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention periods apply:
Regulatory reports and AI-generated outputs are stored for a period of twelve (12) months from the date of generation to allow you to access and review your previous analyses. After this period, reports are automatically deleted from our systems.
Upon account closure, whether initiated by you or by us, all personal data associated with your account, including uploaded documents, regulatory queries, generated reports, and account information, will be deleted from our active systems within thirty (30) days. Residual copies in encrypted backups may persist for up to an additional ninety (90) days before being overwritten in the normal course of backup rotation.
Usage logs, including query counts and timestamps, are retained for a period of twenty-four (24) months for the purposes of billing reconciliation, capacity planning, and service improvement. After this period, usage logs are either deleted or irreversibly anonymised.
7. Your Rights Under the GDPR
Under the General Data Protection Regulation, you have the following rights with respect to your personal data:
7.1 Right of Access
You have the right to request confirmation of whether we are processing your personal data and, if so, to obtain a copy of that data together with information about the purposes of processing, the categories of data concerned, the recipients of the data, and the applicable retention periods.
7.2 Right to Rectification
You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data held about you.
7.3 Right to Erasure
You have the right to request the deletion of your personal data where the data is no longer necessary for the purposes for which it was collected, where you withdraw your consent, where you object to processing and there are no overriding legitimate grounds, or where the data has been unlawfully processed.
7.4 Right to Data Portability
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance from us, where processing is based on consent or contract performance and is carried out by automated means.
7.5 Right to Restriction of Processing
You have the right to request the restriction of processing of your personal data where you contest the accuracy of the data, where processing is unlawful but you oppose erasure, where we no longer need the data but you require it for the establishment, exercise, or defence of legal claims, or where you have objected to processing pending verification of our legitimate grounds.
7.6 Right to Object
You have the right to object to the processing of your personal data where processing is based on our legitimate interests. Upon receiving such an objection, we will cease processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims.
7.7 How to Exercise Your Rights
To exercise any of the rights described above, please submit a request to our Data Protection Contact at privacy@financialregulations.eu. We will respond to your request within thirty (30) days of receipt. In exceptional circumstances, where the complexity or volume of requests necessitates additional time, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for it within the initial thirty-day period.
8. International Data Transfers
Certain sub-processors engaged by financialregulations.eu are established in or process data in countries outside the European Economic Area ("EEA"), in particular the United States. Data may be transferred to the United States in connection with the processing performed by Anthropic (for large language model processing) and Stripe (for payment processing).
Where personal data is transferred outside the EEA to a country that has not been the subject of an adequacy decision by the European Commission, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards include the execution of Standard Contractual Clauses ("SCCs") as adopted by the European Commission, supplemented by additional technical and organisational measures where necessary to ensure an essentially equivalent level of protection.
Where an adequacy decision of the European Commission applies to the relevant third country, including under the EU-U.S. Data Privacy Framework where applicable, we rely on such adequacy decision as the legal basis for the transfer. You may request a copy of the relevant SCCs or further information about international transfers by contacting our Data Protection Contact.
9. Cookies
financialregulations.eu uses only essential cookies that are strictly necessary for the operation of the Service. These essential cookies include authentication tokens that identify your logged-in session and ensure secure access to your account. Without these cookies, we would be unable to provide the Service or maintain the security of your session.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not use cookies to build user profiles, serve targeted advertising, or track your browsing activity across other websites. As the cookies we use are strictly necessary for the provision of the Service, consent is not required under Article 5(3) of the ePrivacy Directive (2002/58/EC) as implemented in Dutch law.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to: encryption of data in transit using Transport Layer Security (TLS) for all communications between your browser and our servers; encryption of data at rest for all stored personal data, including uploaded documents and generated reports; strict access controls that limit access to personal data to authorised personnel on a need-to-know basis; regular security reviews and assessments of our systems, infrastructure, and sub-processors; and secure development practices, including code reviews and vulnerability testing.
While we take all reasonable precautions to protect your data, no system of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents in accordance with our obligations under the GDPR, including notification to the relevant supervisory authority and affected data subjects where required.
11. Data Protection Contact
Our Data Protection Contact can be reached at privacy@financialregulations.eu. The Data Protection Contact is responsible for overseeing our data protection strategy and implementation, ensuring compliance with the GDPR, and serving as the point of contact for data subjects and supervisory authorities regarding all matters related to the processing of personal data.
You may contact the Data Protection Contact at any time to raise questions, concerns, or complaints about our processing of your personal data, or to exercise any of the rights described in Section 7 of this Privacy Policy.
12. Supervisory Authority
The lead supervisory authority for financialregulations.eu under the GDPR is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Autoriteit Persoonsgegevens. The Autoriteit Persoonsgegevens can be contacted at:
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
2594 AV Den Haag
The Netherlands
Website: autoriteitpersoonsgegevens.nl
You also have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, if different from the Netherlands.