Privacy policy
Last updated : 16 de julio de 2026
Reglyze helps European SMEs and MSPs reach NIS2 and regulatory compliance. We take data protection seriously — it is also our business. This policy covers the processing we carry out as data controller for the public site and account management.
Data controller
Cyril Poder, 35 rue des écoles, 78200 Mantes-la-Jolie, France. Data enquiries: [email protected].
For the data you enter about your organisation (assessments, documents, incidents, suppliers), Reglyze acts as a processor: see the Data Processing Agreement (DPA).
Data we collect
- Account: name, email, password (stored hashed, never in clear text).
- Organisation: name, country, sector, headcount, regulatory identifiers you provide.
- Compliance content: assessment answers, generated or uploaded documents, incidents, suppliers.
- Billing: handled by Stripe; we do not store card numbers.
- Technical: security logs, IP address, aggregate usage via our self-hosted analytics (Umami), with no advertising cookies or third-party tracking.
Purposes and legal bases
- Providing the service and your account: performance of the contract (Art. 6.1.b GDPR).
- Security, fraud prevention, logging: legitimate interest (Art. 6.1.f).
- Billing and accounting obligations: legal obligation (Art. 6.1.c).
- Product and sales communications: legitimate interest or consent, withdrawable at any time.
AI features
Some features use language models to generate or analyse documents. The necessary content is sent to our AI sub-processors for the duration of processing. We redact personal data before transmission where relevant.
Generation currently relies on Anthropic (United States); a migration to a sovereign European provider (Mistral AI, France) is under way. The up-to-date list is in our DPA.
Sub-processors and transfers outside the EU
We use the sub-processors listed in the DPA. Some are established in the United States (Anthropic, Voyage AI, Stripe, Cloudflare, Calendly). The corresponding transfers rely on appropriate safeguards (Standard Contractual Clauses and/or the EU-US Data Privacy Framework).
Retention
We keep account and compliance data while your account is active, then delete or anonymise it within a reasonable period after closure. Encrypted backups follow a rotation cycle. Billing data is kept per legal obligations.
Your rights
You have rights of access, rectification, erasure, restriction, objection and portability. Write to [email protected]. You may lodge a complaint with the French supervisory authority (CNIL, www.cnil.fr) or your local authority.
Security
Encryption in transit, hashed passwords, per-organisation isolation, encrypted EU backups, audit logging. See our trust page for the detail of our controls.