Privacy Policy

Privacy Policy for RegAhead – Global Risk and Compliance Management Platform

Effective Date: 1-April-2025
Last Updated: 12-Jul-2025

RegAhead (“we,” “us,” or “our”) is committed to protecting the privacy and security of personal data processed through our Risk and Compliance management platform and website (www.regahead.com). This Privacy Policy describes how we collect, use, disclose, and protect personal information in accordance with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy frameworks.

1. About This Policy

1.1 Scope and Application

This Privacy Policy applies to:

  • Our website at www.regahead.com
  • RegAhead Risk and Compliance management platform delivered via SaaS model
  • RegAhead Risk and Compliance management platform deployed in dedicated private cloud environments
  • All related services, applications, and communications

1.2 Controller Information

Data Controller: RegAhead
Data Protection Officer: [email protected]

1.3 Legal Basis for Processing

We process personal data based on the following legal grounds as required by applicable data protection laws:

  • Performance of Contract: To provide our Risk and Compliance management services
  • Legitimate Interests: For security monitoring, fraud prevention, and service improvement
  • Legal Compliance: To meet regulatory requirements and legal obligations
  • Consent: Where explicitly provided for specific processing activities

2. Information We Collect

2.1 Personal Data Categories

In accordance with comprehensive privacy legislation requirements, we collect the following categories of personal information:

2.1.1 Account and Identity Information

  • Full name and professional title
  • Business email address and phone number
  • Company name and business address
  • Username and authentication credentials
  • Professional certifications and qualifications

2.1.2 Technical and Usage Data

  • IP addresses and device identifiers
  • Browser type and operating system information
  • Log files and access timestamps
  • Platform usage patterns and feature utilization
  • System performance and error data

2.1.3 Compliance and Risk Data

  • Risk assessment responses and evaluations
  • Audit trail information and compliance records
  • Control effectiveness measurements
  • Incident and exception reporting data
  • Regulatory framework mappings

2.1.4 Communication Data

  • Support ticket communications
  • Training session recordings (with consent)
  • Feedback and survey responses
  • Meeting notes and consultation records

2.2 Data Collection Methods

We collect personal data through:

  • Direct provision during account registration and platform usage
  • Automated collection via cookies and tracking technologies
  • Integration with third-party systems and data sources
  • Communication channels including support and sales interactions

2.3 Special Categories of Data

Our platform may process special categories of personal data in specific GRC contexts, including data related to legal proceedings, regulatory investigations, or compliance violations. Such processing is conducted under strict safeguards and appropriate legal bases.

3. How We Use Your Information

3.1 Primary Processing Purposes

We use personal data for the following business purposes:

3.1.1 Service Delivery

  • Providing Risk and Compliance management platform functionality
  • Maintaining user accounts and access controls
  • Delivering requested reports and analytics
  • Facilitating audit and assessment processes

3.1.2 Security and Integrity

  • Monitoring platform security and preventing unauthorized access
  • Detecting and preventing fraudulent activities
  • Maintaining data integrity and availability
  • Implementing role-based access controls (RBAC)

3.1.3 Compliance and Legal Obligations

  • Meeting regulatory reporting requirements
  • Responding to legal requests and investigations
  • Maintaining audit trails for compliance purposes
  • Ensuring data protection law compliance

3.1.4 Service Improvement

  • Analyzing platform usage patterns and performance
  • Developing new features and functionality
  • Conducting user experience research
  • Providing customer support and training

3.2 Automated Decision-Making

Our platform may employ automated decision-making processes for risk scoring, control effectiveness assessment, and compliance monitoring. Users have the right to request human review of automated decisions that significantly affect them.

3.3 Artificial Intelligence and Machine Learning

Where our platform incorporates AI or machine learning technologies, we ensure appropriate safeguards including data minimization, purpose limitation, and algorithmic transparency. AI processing is conducted in accordance with emerging AI governance frameworks.

4. Data Sharing and Disclosure

4.1 Third-Party Service Providers

We may share personal data with carefully vetted service providers who assist in platform operation, including:

  • Cloud infrastructure providers (AWS, Azure, Google Cloud)
  • Security monitoring and incident response services
  • Customer support and communication platforms
  • Analytics and performance monitoring tools

All third-party processors are bound by comprehensive Data Processing Agreements (DPAs) that include appropriate technical and organizational measures.

4.2 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction, subject to appropriate safeguards and user notification requirements.

4.3 Legal Disclosures

We may disclose personal data when required by law, including:

  • Responses to court orders, subpoenas, or legal process
  • Compliance with regulatory investigations
  • Protection of our rights, property, or safety
  • Prevention of fraud or illegal activities

4.4 Data Sharing Transparency

For California residents, we provide detailed information about data sharing practices in compliance with CCPA requirements. We do not sell personal information as defined by applicable privacy laws.

5. International Data Transfers

5.1 Cross-Border Data Processing

Our platform operates globally and may transfer personal data across international borders. We ensure appropriate safeguards for all international transfers through:

  • Adequacy Decisions: Transfers to countries with adequate data protection levels
  • Standard Contractual Clauses (SCCs): EU-approved contractual protections
  • Binding Corporate Rules (BCRs): Internal data protection frameworks
  • Certification Mechanisms: Industry-standard privacy certifications

5.2 Data Residency Options

For enterprise clients, we offer data residency controls allowing specification of geographic locations for data storage and processing, supporting compliance with local data protection requirements.

5.3 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) for international data transfers to ensure adequate protection levels are maintained throughout the data lifecycle.

6. Data Security

6.1 Technical Safeguards

We implement comprehensive security measures including:

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Controls: Multi-factor authentication (MFA) and role-based permissions
  • Network Security: Firewalls, intrusion detection systems, and security monitoring
  • Infrastructure Security: Secure cloud hosting with industry-standard certifications

6.2 Organizational Measures

Our security framework includes:

  • Regular security assessments and penetration testing
  • Employee security training and awareness programs
  • Incident response and breach notification procedures
  • Vendor security assessments and ongoing monitoring

6.3 Compliance Certifications

Our platform maintains relevant security certifications including:

  • SOC 2 Type II for security and availability
  • ISO 27001 for information security management
  • Cloud security certifications from major providers
  • Industry-specific compliance frameworks (as applicable)

7. Data Retention

7.1 Retention Principles

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, considering:

  • Legal and regulatory requirements
  • Business needs and operational requirements
  • User account status and activity
  • Statutory limitation periods

7.2 Retention Periods

Data Category             Retention Period                       Legal Basis
Account Information       Duration of service + 7 years          Contractual and legal compliance
Usage and Technical Data  24 months                              Legitimate interests
Compliance Records        As required by applicable regulations  Legal obligation
Communication Data        3 years                                Business needs and support
Audit Trails              7 years or as required by law          Legal and regulatory compliance

7.3 Data Deletion

Upon expiration of retention periods, we securely delete or anonymize personal data using industry-standard methods. Users may request accelerated deletion subject to legal and regulatory constraints.

8. Your Rights and Choices

8.1 Data Subject Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1.1 Access and Portability

  • Right to access personal data we hold about you
  • Right to receive data in a structured, machine-readable format
  • Right to transmit data to another controller

8.1.2 Correction and Deletion

  • Right to correct inaccurate or incomplete data
  • Right to erasure (“right to be forgotten”) subject to legal constraints
  • Right to restrict processing in certain circumstances

8.1.3 Control and Objection

  • Right to object to processing based on legitimate interests
  • Right to withdraw consent (where applicable)
  • Right to opt-out of data sales or sharing (where applicable)

8.2 Exercising Your Rights

To exercise your rights, contact us at:

We will respond to requests within applicable timeframes (typically 30 days for GDPR, 45 days for CCPA).

8.3 Verification and Authentication

We may require verification of your identity before processing rights requests to prevent unauthorized access to personal data.

9. Cookies and Tracking Technologies

9.1 Cookie Usage

Our website and platform use cookies and similar technologies for:

  • Essential Cookies: Platform functionality and security
  • Analytics Cookies: Usage analysis and performance monitoring
  • Functional Cookies: User preferences and customization
  • Marketing Cookies: Relevant content and communications (with consent)

9.2 Cookie Management

Users can manage cookie preferences through:

  • Browser settings and controls
  • Our cookie preference center
  • Opt-out mechanisms for non-essential cookies

9.3 Do Not Track Signals

We respect Do Not Track (DNT) browser signals where technically feasible and legally required.

10. Third-Party Services and Integrations

10.1 Platform Integrations

Our platform may integrate with third-party services including:

  • Identity providers (SSO/SAML)
  • Document management systems
  • Communication platforms
  • Regulatory databases and frameworks

10.2 Third-Party Responsibilities

We carefully evaluate third-party services for data protection compliance and maintain appropriate agreements governing data processing activities.

10.3 Data Processing Agreements

All third-party processors are required to enter into comprehensive DPAs that include:

  • Processing instructions and limitations
  • Security and confidentiality obligations
  • Incident notification requirements
  • Audit and inspection rights

11. Children's Privacy

Our platform is designed for business use and is not intended for children under 16 years of age. We do not knowingly collect personal information from children without appropriate parental consent.

12. Changes to This Policy

12.1 Policy Updates

We may update this Privacy Policy to reflect:

  • Changes in applicable laws and regulations
  • New platform features and functionality
  • Evolving privacy practices and technologies
  • Feedback from users and regulators

12.2 Notification of Changes

We will notify users of material changes through:

  • Email notifications to registered users
  • Prominent website notices
  • In-platform notifications
  • Updated effective date on this policy

12.3 Continued Use

Continued use of our platform after policy changes constitutes acceptance of the updated terms, subject to applicable legal requirements for explicit consent.

13. Regional Privacy Information

13.1 European Union/EEA

For users in the EU/EEA, additional protections apply under the GDPR, including enhanced rights and stricter consent requirements.

13.2 United States

For users in specific US states, additional rights may apply under state privacy laws including CCPA (California), VCDPA (Virginia), and other emerging state regulations.

13.3 Other Jurisdictions

We comply with applicable privacy laws in all jurisdictions where we operate, including Canada (PIPEDA), Australia (Privacy Act), and other relevant frameworks.

14. Contact Information

14.1 Privacy Inquiries

For privacy-related questions or concerns:

14.2 Data Protection Officer

Our Data Protection Officer can be contacted at:

14.3 Regulatory Authorities

You have the right to lodge complaints with relevant supervisory authorities in your jurisdiction regarding our data processing activities.

This Privacy Policy represents our commitment to data protection and regulatory compliance. We regularly review and update our practices to ensure alignment with evolving privacy standards and user expectations.