Last updated: 2026-05-19 · See also Terms of Service · Operator info

This policy explains what we collect, why, who else sees it, and your rights. We comply with the EU General Data Protection Regulation (GDPR). The data controller is Fedor Stomakhin (Estonian FIE, registry code 17509015), contactable at support@euregs.dev. No designated DPO — service does not meet GDPR Art. 37(1) thresholds.

What we collect

Account data

Email address (required) and a PBKDF2 hash of your password (we never see the plaintext). Used to authenticate you. Legal basis: contract (GDPR Art. 6(1)(b)) — needed to provide the Service you signed up for.

API keys

We store an HMAC-SHA256 hash of each key (with a server-side pepper), plus the key prefix, your label, and the last-used timestamp. The raw key is never persisted — once you close the "shown once" dialog after issuance, only you have it. Legal basis: contract.

Usage events

Each call records: timestamp, tool name, response status code, latency, and a hashed version of your source IP (for abuse detection — we cannot reverse it to your IP). Legal basis: legitimate interest (Art. 6(1)(f)) for service operation, quota enforcement, and abuse defense.

check_compliance audit log

For paid-tier calls to check_compliance we store: your action description text, the retrieved clause IDs, the LLM model used, the raw and validated outputs, and the verdict. Retained 30 days for free tier, 12 months for paid (you can request earlier deletion). Legal basis: legitimate interest for service quality + dispute forensic; contract for the part you actually use as a deliverable.

Billing data

For paid subscribers: Stripe customer ID, subscription status, and the Stripe event log for your account. We do not store card numbers — Stripe handles that directly. Legal basis: contract + legal obligation (tax records).

Cookies

One HttpOnly session cookie (signed JWT) when you log in. One Cloudflare Turnstile cookie during signup (anti-bot). No third-party analytics, ad tracking, or fingerprinting.

Who else sees it (sub-processors)

• Cloudflare, Inc. (USA, EU-US Data Privacy Framework certified) — infrastructure: Workers compute, D1 database, Vectorize, R2 storage, KV cache, DDoS protection. EU DPA + SCCs in place.
• Stripe Payments Europe Ltd. (Ireland) — payment processing for paid tiers. Card data flows directly from your browser to Stripe, never through us.
• Resend (Trag Inc.) (USA) — transactional email (verification codes, account notices). EU SCCs in place.
• Anthropic, PBC (USA) — only for Pro tier check_compliance calls (Claude Sonnet synthesis). Indie tier uses Cloudflare's Workers AI exclusively. Your action description is sent to Anthropic for the duration of the call.

Where data is transferred outside the EU/EEA (Cloudflare, Stripe, Resend, Anthropic), we rely on Standard Contractual Clauses + the EU-US Data Privacy Framework where the recipient is certified.

Retention

• Account email + API keys: until account closure + 30 days
• Usage events: 12 months rolling
• check_compliance audit: 30 days (free) / 12 months (paid)
• Billing data: 7 years (Estonian tax law)
• Stripe webhook event log: 12 months

Your rights under GDPR

You have the right to:

• Access your data (Art. 15) — we'll send a JSON export
• Rectify inaccurate data (Art. 16)
• Erase your account + all related personal data (Art. 17). Billing records covered by Estonian tax retention obligations remain for 7 years from issuance, anonymized where possible.
• Restrict or object to processing (Art. 18, 21)
• Data portability (Art. 20) — JSON export of your data
• Lodge a complaint with your supervisory authority. In Estonia: the Estonian Data Protection Inspectorate (AKI).

Exercise any of these by emailing support@euregs.dev. We respond within 30 days as required by Art. 12(3). Requests are free unless manifestly unfounded or excessive.

Children

The Service is not directed at children under 16. We don't knowingly collect their data.

Security

Passwords are PBKDF2-hashed with a per-user salt. API keys are HMAC-hashed before storage. Connections are TLS-encrypted. Production infrastructure runs on Cloudflare's edge. We log access to admin interfaces.

If we become aware of a personal data breach, we notify affected users + the AKI per Art. 33-34 within 72 hours of discovery where feasible.

Changes

Material changes to this policy are announced by email + dashboard banner at least 14 days before taking effect. Material changes include: new sub-processors, broader data collection, or shorter retention.

Contact

support@euregs.dev