Privacy Policy
Version 2.0 · Effective: 2026-05-19 · Last updated: 2026-05-19 · Document id: regunav-privacy-v2
Regunav Inc. ("Regunav", "we") operates the ReguNav™ Service. This Privacy Policy explains what Personal Data we collect when you visit our marketing surfaces or use the Service, why we collect it, how long we keep it, who we share it with, and the rights you have under GDPR, UK GDPR, the Swiss FADP, CCPA / CPRA, LGPD, DPDP Act, and the Saudi PDPL.
When the Service is used by a business customer to process data about its employees, customers, or other Data Subjects, the business is the Controller and we are the Processor — see the Data Processing Agreement.
1. Who is the Controller
Regunav Inc. (a Delaware corporation) is the Controller for Personal Data we collect about visitors to our marketing properties (regunav.com, codeconstitution.com, compliancetoarchitecture.com), prospects, account holders, and our own staff. For EU/EEA Data Subjects our representative under Art. 27 GDPR can be reached at privacy-eu@regunav.com; for UK Data Subjects the Art. 27 UK GDPR representative is privacy-uk@regunav.com.
2. Categories of Personal Data we collect
- Account data: name, work email, employer, role, OAuth/SSO identifiers (GitHub, Microsoft Entra, Google Workspace).
- Contact data: sales / support / abuse / security inbox correspondence.
- Billing data: billing contact, address, tax id, Stripe customer id. We do not store payment-card numbers — Stripe is the PCI-DSS processor.
- Usage data: service logs, feature usage events, error traces (correlated to account / installation id).
- Cookies and similar technologies: see /legal/cookies.
- Customer Data: data Customer uploads or generates inside the Service. We act as Processor for this under the DPA.
3. Purposes and legal bases (Art. 6 GDPR)
| Purpose | Categories | Legal basis |
|---|---|---|
| Operate the Service, authenticate users, deliver compliance verdicts | Account, Usage | Art. 6(1)(b) contract |
| Billing, tax, statutory bookkeeping | Billing | Art. 6(1)(c) legal obligation |
| Security monitoring, fraud + abuse prevention, integrity of the platform | Account, Usage | Art. 6(1)(f) legitimate interest (balanced) |
| Marketing communications to existing customers about similar products | Account, Contact | Art. 6(1)(f) + soft opt-in PECR / CASL |
| Marketing to prospects who opted in | Contact | Art. 6(1)(a) consent |
| Optional analytics cookies | Cookies | Art. 6(1)(a) consent |
| Responding to legal requests, defending claims | Any | Art. 6(1)(c) and/or (f) |
We do not engage in automated decision-making producing legal effects under Art. 22 GDPR. We do not sell or share Personal Data for cross-context behavioral advertising as defined by CPRA §1798.140(ah).
4. Retention
- Account data: the lifetime of the account plus a 90-day export window; invoices and tax records are then retained for 7 years to meet accounting obligations.
- Service logs: 30 days hot, 365 days cold, then deletion.
- Security incident records: 5 years (regulatory + SOC 2 / ISO 27001 evidence requirement).
- EU AI Act Annex IV technical documentation generated for Customer's AI systems: minimum 10 years from placing-on-market (Art. 18(1) EU AI Act), retained in Customer's BYOC vault.
- Marketing contact data: until you unsubscribe or 24 months of inactivity, whichever is sooner.
5. Recipients and sub-processors
We share Personal Data with vetted sub-processors that operate parts of the Service on our instructions. The current list, with country and purpose, is published at /legal/sub-processors (also embedded in DPA Annex II by reference). We give 30 days' advance notice of new sub-processors via the in-product banner and the email on file. We disclose Personal Data to public authorities only where required by law and after challenging overbroad requests consistent with the Schrems II TIA framework.
6. International transfers
Where we transfer Personal Data outside the EU/EEA, UK, or Switzerland, we rely on adequacy decisions, the EU SCCs (Module 2 or 3, 2021/914), the UK IDTA, the Swiss FDPIC addendum, or — for US-based recipients certified to the EU-US Data Privacy Framework and its UK extension — the DPF. A copy of the relevant safeguards is available on request to privacy@regunav.com.
7. Your rights
Under GDPR / UK GDPR / FADP / CCPA / CPRA / LGPD / DPDP / PDPL you may have the right to:
- access (a copy of your data + the meaningful processing context);
- rectification;
- erasure ("right to be forgotten");
- restriction of processing;
- data portability;
- object to processing based on legitimate interest, including profiling;
- withdraw consent at any time without affecting prior lawful processing;
- not be discriminated against for exercising a CCPA / CPRA right;
- lodge a complaint with your supervisory authority (in the EU, the DPA where you live, work, or where the alleged infringement took place; in the UK, the ICO; in the US, your state AG).
Exercise rights via the in-product DSAR flow (Settings → Privacy → Submit DSAR) or by emailing privacy@regunav.com. We respond within one month (Art. 12(3) GDPR), extendable by two months for complex requests with notice.
8. Security
Personal Data is protected with TLS 1.2 or higher in transit and AES-256-GCM encryption at rest; the audit trail is write-once (WORM) and SHA-256 hash-chained. Detailed measures are in DPA Annex II and our SOC 2 Type II report. Report a vulnerability under the VDP.
9. Children
The Service is not directed to children under 16 (or the local digital-consent age if higher). We do not knowingly collect data from children. If you believe a child has provided us data, contact privacy@regunav.com and we will delete it.
10. Cookies
See the Cookie Policy for the full list, purposes, durations, and how to opt out.
11. Changes
Material changes are notified at least 30 days in advance via the authenticated console and to your account email. Past versions are kept on request.
12. Contact
Privacy enquiries: privacy@regunav.com · DPO (where required): dpo@regunav.com · EU Art. 27 Representative: privacy-eu@regunav.com · UK Art. 27 Representative: privacy-uk@regunav.com.
Regunav Inc. · 2026.