Privacy

This page describes the personal data Regulator Watch collects, the basis on which we process it, and the choices available to you.

Data we collect

• Account data. When you create an account we collect your email address and a salted hash of your password. We never store the plaintext password.
• Subscription preferences. The tags, regulators, entities, and jurisdictions you have subscribed to receive alerts about, plus your delivery cadence preference (instant, daily, weekly).
• API usage. If you hold an API key, we record per-day request counts attached to the key for billing and rate-limit enforcement.
• Server logs. Standard access logs (IP, user agent, URL, timestamp) retained for up to 30 days for security purposes.

Lawful basis

Processing of account data and subscription preferences is necessary for the performance of the contract between you and us when you sign up for an account (Article 6(1)(b) GDPR). Processing of marketing communications (newsletters and digest emails) is based on your consent (Article 6(1)(a) GDPR), which you can withdraw at any time.

Newsletters and digests

During an early phase of the service we may not send any marketing emails. When we begin to do so, you will receive a single confirmation email asking you to opt in. Anyone who does not actively opt in will not receive marketing emails.

Cookies

We use a small number of strictly-necessary cookies to keep you signed in and to remember your theme preference. We do not use third-party advertising cookies.

Processors

We use the following processors. Each processes data only on documented instructions. Standard data-processing agreements are in place with each.

• Hosting: Vercel (or self-hosted equivalent)
• Database: Neon (Postgres)
• Email: Resend
• Object storage: Cloudflare R2
• Translation: DeepL (no personal data is sent to translation)

Your rights

You have the right to access, correct, port, and delete your personal data, and to object to processing. To exercise these rights, write to privacy@regulator.watch.

Retention

Account data is retained for as long as your account is active. Server logs are retained for 30 days. API usage records are retained for billing reconciliation periods.

Last updated: 9 May 2026