Reglyze

Privacy policy

Last updated : 16 de julio de 2026

Reglyze helps European SMEs and MSPs reach NIS2 and regulatory compliance. We take data protection seriously — it is also our business. This policy covers the processing we carry out as data controller for the public site and account management.

Data controller

Cyril Poder, 35 rue des écoles, 78200 Mantes-la-Jolie, France. Data enquiries: [email protected].

For the data you enter about your organisation (assessments, documents, incidents, suppliers), Reglyze acts as a processor: see the Data Processing Agreement (DPA).

Data we collect

  • Account: name, email, password (stored hashed, never in clear text).
  • Organisation: name, country, sector, headcount, regulatory identifiers you provide.
  • Compliance content: assessment answers, generated or uploaded documents, incidents, suppliers.
  • Billing: handled by Stripe; we do not store card numbers.
  • Technical: security logs, IP address, aggregate usage via our self-hosted analytics (Umami), with no advertising cookies or third-party tracking.

Purposes and legal bases

  • Providing the service and your account: performance of the contract (Art. 6.1.b GDPR).
  • Security, fraud prevention, logging: legitimate interest (Art. 6.1.f).
  • Billing and accounting obligations: legal obligation (Art. 6.1.c).
  • Product and sales communications: legitimate interest or consent, withdrawable at any time.

AI features

Some features use language models to generate or analyse documents. The necessary content is sent to our AI sub-processors for the duration of processing. We redact personal data before transmission where relevant.

Generation currently relies on Anthropic (United States); a migration to a sovereign European provider (Mistral AI, France) is under way. The up-to-date list is in our DPA.

Sub-processors and transfers outside the EU

We use the sub-processors listed in the DPA. Some are established in the United States (Anthropic, Voyage AI, Stripe, Cloudflare, Calendly). The corresponding transfers rely on appropriate safeguards (Standard Contractual Clauses and/or the EU-US Data Privacy Framework).

Retention

We keep account and compliance data while your account is active, then delete or anonymise it within a reasonable period after closure. Encrypted backups follow a rotation cycle. Billing data is kept per legal obligations.

Your rights

You have rights of access, rectification, erasure, restriction, objection and portability. Write to [email protected]. You may lodge a complaint with the French supervisory authority (CNIL, www.cnil.fr) or your local authority.

Security

Encryption in transit, hashed passwords, per-organisation isolation, encrypted EU backups, audit logging. See our trust page for the detail of our controls.