1. Scope and Applicability
This Privacy Policy applies when you:- Visit our websites, including
regentra.ioanddocs.regentra.io(the “Websites”) - Register for, access, or use our platform at
app.regentra.io(the “Platform”) - Interact with us through email, support channels, events, or sales engagements
- Receive communications from us
2. Personal Information We Collect
2.1 Information You Provide
| Category | Examples |
|---|---|
| Account & Identity | Name, email address, phone number, job title, company name |
| Billing & Financial | Payment method details (processed by our payment provider — we do not store payment card numbers), billing address, transaction history |
| Communications | Support requests, feedback, survey responses, correspondence with our team |
| Professional | Industry, organization type, role within your organization |
2.2 Information Collected Automatically
| Category | Examples |
|---|---|
| Device & Technical | IP address, browser type and version, operating system, device identifiers |
| Usage Data | Pages visited, features used, timestamps of actions, referral URLs |
| Log Data | Authentication events, session metadata, access logs |
2.3 Information from Third Parties
We may receive personal information from partners and resellers who refer you to our services, identity providers when you authenticate via Single Sign-On (SSO), and publicly available business contact sources for business-to-business engagement purposes.2.4 Cookies and Similar Technologies
We use only cookies that are strictly necessary to operate the Platform. We do not use advertising cookies, third-party tracking pixels, behavioral analytics cookies, social-plugin cookies, or any technology that participates in cross-context behavioral advertising.| Cookie | Purpose | Type | Duration |
|---|---|---|---|
__Secure-next-auth.session-token (production) / next-auth.session-token (development) | Authenticate the signed-in user. | Strictly necessary | Up to 4 hours |
next-auth.csrf-token | Cross-Site Request Forgery protection on authentication endpoints. | Strictly necessary | Session |
authjs.state.*, authjs.pkce.*, authjs.nonce.* | Integrity parameters for the OAuth handshake during sign-in. | Strictly necessary | Up to 10 minutes |
__Secure-ciq-refresh (production) / ciq-refresh (development) | Refresh-token cookie used to renew sessions without re-login. | Strictly necessary | Up to 14 days |
next-auth.callback-url | Stores the post-login redirect target. | Strictly necessary | Session |
3. How We Use Personal Information
We use the personal information we collect to:- Provide, maintain, operate, and improve the Platform;
- Create and manage your account and process transactions;
- Communicate with you about your account, including transactional notifications, security alerts, and service updates;
- Provide customer support and respond to your inquiries;
- Enforce security measures, detect fraud, and protect against abuse;
- Send product updates, feature announcements, and educational content (with the ability to opt out — see Section 11);
- Facilitate optional AI-powered features within the Platform (see Section 4);
- Conduct internal analytics to understand usage patterns and improve the Platform;
- Comply with applicable legal and regulatory obligations.
4. Artificial Intelligence Features
Regentra offers optional AI-powered features, including assistance with support ticket responses, compliance analysis, and content classification. These features are powered by third-party AI service providers under contract.- AI features process only data within the requesting organization’s tenant.
- Customer Data is not used to train, retrain, fine-tune, or evaluate any AI or machine-learning model — whether operated by Regentra or by any third party.
- AI-generated outputs are intended as suggestions and are subject to human review.
- AI features may be disabled at the organization level by an administrator.
5. How We Share Personal Information
We do not sell, rent, or trade your personal information. We do not share personal information for cross-context behavioral advertising, and we do not engage in targeted advertising. We may disclose personal information to the following categories of recipients: Service Providers (Subprocessors). We engage third-party service providers — including cloud hosting, database management, payment processing, email delivery, identity authentication, AI processing, and real-time communications — to perform functions on our behalf. These providers are contractually obligated to protect personal information and may only process it in accordance with our instructions. Our current list of subprocessors is published at docs.regentra.io/subprocessors. You may subscribe to subprocessor change notifications at that page. We provide at least 30 days’ notice before engaging a new subprocessor that processes personal information. Customers who object to a new subprocessor for legitimate data-protection reasons may terminate the affected subscription per the DPA. Professional Advisors. We may share information with our legal, accounting, insurance, and other professional advisors as necessary. Business Transfers. In connection with a merger, acquisition, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice of any such transfer via email and/or a prominent notice on the Platform. Legal Requirements. We may disclose personal information if required by law, regulation, legal process, or governmental request, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to detect and prevent fraud. Where permitted by law, we will attempt to notify the affected party before making such disclosures. With Your Consent. We may share personal information with third parties when you have given us explicit consent to do so. California “Shine the Light” (Cal. Civ. Code § 1798.83). Regentra does not share personal information with third parties for those parties’ own direct marketing purposes.6. Data Security
We maintain a comprehensive security program that includes technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit and at rest (AES-256-GCM with AAD binding for tenant credential storage), multi-factor authentication, logical tenant isolation, role-based access controls, account lockout mechanisms, append-only audit logging, vulnerability management, and industry-standard security headers and input validation. Regentra is currently pursuing SOC 2 Type II certification. While we are committed to protecting your personal information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your information.7. Data Retention
We retain personal information for the periods set out below, after which we delete or anonymize it. Where deletion is not immediately feasible (for example, because information is stored in backup archives), we securely isolate the information from further processing until deletion is possible.| Category | Retention period |
|---|---|
| Account profile data | Duration of subscription + 90 days |
| Audit logs (security and compliance) | 7 years from creation |
| Marketing email send logs | 30 days |
| Support tickets and replies | Duration of subscription + 1 year |
| Billing records | 7 years (consistent with U.S. tax record-keeping obligations) |
| Database backups | Up to 30 days |
| Customer Data after termination | Available for export 30 days post-termination (60 days for customers with a Business Associate Agreement covering Protected Health Information) |
8. International Data Transfers
Personal information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction. Where we transfer personal information outside the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on appropriate transfer mechanisms, including:- The European Commission’s 2021 Standard Contractual Clauses (Modules 2 and 3 as applicable);
- The UK International Data Transfer Agreement and the UK Addendum to the SCCs;
- The Swiss Federal Data Protection and Information Commissioner-approved version of the SCCs.
9. Your Privacy Rights
Depending on your jurisdiction, you may have certain rights regarding your personal information.EEA / UK / Switzerland
If you are located in the EEA, UK, or Switzerland, you have the right to access, rectify, erase, restrict the processing of, or port your personal information; the right to object to processing based on legitimate interests; and the right to withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal. You also have the right to lodge a complaint with your local data protection authority.United States — Comprehensive State Privacy Laws
The following rights are available to residents of states with comprehensive privacy laws, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Florida (FDBR), Iowa (ICDPA), Tennessee (TIPA), Indiana (INCDPA), Delaware (DPDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Minnesota (MCDPA), Maryland (MODPA), Kentucky, and Rhode Island (collectively, “applicable state privacy laws”):- Right to know / access the categories and specific pieces of personal information we have collected, sources, business purposes, and recipients.
- Right to correct inaccurate personal information.
- Right to delete personal information we have collected.
- Right to portability — receive your information in a structured, commonly used format.
- Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. We do not sell or share personal information as those terms are defined under any applicable state privacy law.
- Right to limit the use and disclosure of sensitive personal information under California CPRA. We use sensitive personal information only for purposes permitted under Cal. Code Regs. tit. 11, §§ 7027(m)(1)–(8) and do not exceed those purposes.
- Right to non-discrimination for exercising your privacy rights.
Sec-GPC HTTP header). Receipt of a GPC signal is treated as a valid request to opt out of any sale or sharing where applicable. Colorado, California, Connecticut, Texas, Oregon, Montana, Delaware, and New Jersey require honoring such signals; we apply the same treatment in all jurisdictions for consistency.
Authorized Agents. California, Colorado, and Virginia residents may use an authorized agent to submit a request. We may require proof of authorization (for example, a power of attorney or signed authorization).
Verification and Response Window. We will verify your identity using information already associated with your account. We respond to verifiable consumer requests within 45 days, with one 45-day extension where reasonably necessary.
Appeal. If we decline a privacy rights request in whole or in part, you may appeal by replying to our written response within 60 days. We will respond to your appeal within 60 days. If we deny the appeal, we will provide instructions to lodge a complaint with the relevant state Attorney General or, in California, the California Privacy Protection Agency.
Other Jurisdictions
We respect the privacy rights of individuals under applicable laws globally, including the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the Brazilian Lei Geral de Proteção de Dados (LGPD), and the Australian Privacy Principles (APPs). To exercise any right described in this Section, please contact us at privacy@regentra.io.10. Sensitive Personal Information
We do not collect sensitive personal information (as defined under applicable privacy laws, including the CCPA/CPRA) beyond what is necessary to provide the Service — for example, account credentials for authentication purposes. We do not use or disclose sensitive personal information for purposes other than those permitted under Cal. Code Regs. tit. 11, §§ 7027(m)(1)–(8), and we do not use sensitive personal information to infer characteristics about individuals. Where a Regentra customer has executed a Business Associate Agreement (see Section 13) and uses the Service to process Protected Health Information (“PHI”) as defined under HIPAA, that PHI may meet the definition of “sensitive personal information” under state law. Such processing is governed by the BAA, which controls over this Privacy Policy with respect to PHI.11. Email Communications
Transactional Messages
As part of operating the Service we send transactional and relationship messages — for example, account-creation confirmations, password resets, multi-factor authentication codes, invoice and payment notifications, ticket replies, security alerts, and material service updates. These messages are exempt from CAN-SPAM’s commercial-email requirements under 15 U.S.C. § 7702(17) and are necessary to operate the Service. You cannot opt out of transactional messages while you maintain an active account.Marketing Messages
Lifecycle, product, educational, and changelog emails are commercial messages under 15 U.S.C. § 7702(2). Each marketing email:- Identifies Emry Networks, LLC (operating as Regentra) as sender;
- Contains our valid physical postal address;
- Contains a clear and conspicuous unsubscribe link that does not require login or payment to use.
Your Preferences
You can review and adjust your marketing-email preferences in Settings → Notification Preferences. Opting out of marketing communications does not affect transactional messages.Multi-Tenant Context (MSPs and their End Users)
Where a Regentra customer (such as a managed-service-provider organization) configures the Service to send messages to its own end users, the customer is the “sender” under 15 U.S.C. § 7702(16) for those messages and is responsible for content accuracy, recipient consent (where required), and honoring opt-outs. Regentra acts as the technological provider; the customer’s CAN-SPAM, TCPA, GDPR, ePrivacy, and other applicable obligations are addressed in the applicable service agreement and DPA.SMS / Text Messaging (when offered)
If we offer SMS-based features and you elect to enroll, your consent and our use will comply with the U.S. Telephone Consumer Protection Act (47 U.S.C. § 227) and FCC implementing rules. SMS communications require prior express written consent, will identify the sender, and will support STOP and HELP keywords. Standard message and data rates apply. We do not send SMS between 9:00 PM and 8:00 AM the recipient’s local time, and we honor STOP requests immediately.12. Multi-Tenant and Enterprise Data
Regentra provides a multi-tenant platform designed for organizations managing services across multiple client entities. The relationships and respective responsibilities between Regentra, our customers, and their end users are defined in the applicable service agreement and our Data Processing Addendum, which is auto-incorporated into the Terms of Service and available at docs.regentra.io/data-processing-addendum. The DPA includes the 2021 EU Standard Contractual Clauses (Modules 2 and 3 as applicable), the UK Addendum to the SCCs, and the Swiss-FDPIC-approved version, where applicable.13. HIPAA / Protected Health Information
Regentra provides tools that may be used by HIPAA-regulated organizations. If your use of the Platform involves the storage or processing of Protected Health Information (“PHI”) as defined in 45 C.F.R. § 160.103:- A Business Associate Agreement must be executed with Regentra before any PHI is uploaded or processed.
- Use of the Platform for PHI must be limited to features identified as HIPAA-Eligible at docs.regentra.io/hipaa-eligibility.
- The Customer remains responsible for the customer-side implementation responsibilities listed at that page (encryption practices, access controls, audit-log review).
14. Children’s Privacy
The Platform is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.15. Third-Party Links and Services
The Platform may contain links to third-party websites, services, or applications that are not operated or controlled by us. This Privacy Policy does not apply to information collected by third parties through such links. We encourage you to review the privacy policies of any third-party services you access.16. Accessibility
Regentra is committed to making the Platform accessible to all users. We target conformance with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. Our current accessibility statement and any published Voluntary Product Accessibility Templates (VPATs) are available at docs.regentra.io/accessibility.17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the Last Updated date at the top of this page and provide appropriate notice, which may include posting a notice on the Platform or sending a notification to account administrators. Where required by applicable law, we will obtain your consent to material changes.18. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices:- Privacy Inquiries: privacy@regentra.io
- Legal, DPA, and BAA Requests: legal@regentra.io
- Postal Address: Emry Networks, LLC — physical mailing address published at docs.regentra.io/contact
- EEA / UK Article 27 Representative: see docs.regentra.io/eu-representative