Privacy Policy
Last updated: 24 April 2026. Revision date will be posted with any future update.
Scope. This policy governs our self-serve plans (Basic, Starter, Pro, Business). Enterprise customers are covered by a separately-signed Data Processing Agreement (DPA) which lists per-tenant sub-processors, the contracted region, and any retention overrides. Where the DPA and this policy conflict, the DPA prevails.
1. Who is the controller
Regna Verkt is operated by an independent professional (Spanish autónomo) established in Spain (EU), acting as data controller for personal data processed in connection with the Regna Verkt website, API and associated services. Contact for data-protection matters: privacy@regnaverkt.com.
2. What we collect and why
We process three categories of personal data, plus an optional fourth (analytics) that is only collected with your consent:
- Account data. Email address and (optionally) organisation name. Collected at signup to provide the service, send transactional notifications (invoices, renewal reminders, failure dunning) and authenticate you. Legal basis: performance of contract (GDPR Art. 6(1)(b)).
- Billing data. Name, billing address and VAT number - collected by Stripe Managed Payments, our Merchant of Record. Regna Verkt receives only a customer reference and the subscription status from Stripe; we do not handle or store payment-card details. Legal basis: performance of contract + legal obligation for invoicing.
- API usage data. We log each authenticated API call with API-key ID, endpoint path, response status and timestamp - for usage metering, abuse detection and product improvement. Logs are retained 90 days, aggregated usage counters indefinitely. Legal basis: legitimate interest (GDPR Art. 6(1)(f)).
- Analytics (optional). If you accept analytics cookies, Google Analytics 4 records anonymised usage patterns on the marketing site (page views, referrer, device class). IP addresses are anonymised by Google before being written to the property. Legal basis: consent (GDPR Art. 6(1)(a)); you can withdraw consent at any time via the cookie-settings banner at the bottom of every page.
3. Cookies
We use two classes of cookies:
- Strictly necessary. Authentication session, CSRF token, language preference, cookie-consent record. These cookies are required for the site to work and are set without consent. Retention: up to 180 days.
- Analytics. Google Analytics (`_ga`, `_ga_*`). Only set after you click "Accept analytics" on the cookie banner. Retention: up to 14 months.
We do not use advertising cookies, social-network widgets or cross-site trackers. Web fonts are served from Google Fonts: because your browser fetches the font files directly from Google's servers, Google sees the requesting IP address, although it sets no cookies. Contact us if you'd like to discuss alternatives.
4. Processors and third parties
We share personal data only with service providers acting as processors under a signed data-processing agreement:
- Stripe (Managed Payments) - subscription billing, invoicing, and tax remittance. Acts as the Merchant of Record; collects and stores card details, billing address, and VAT number. Stripe privacy policy.
- Resend - transactional email (welcome, dunning, password reset). Receives your account email and the message body. Resend privacy policy.
- Hetzner Online GmbH - EU-based hosting in Finland for the self-serve stack. Personal data is stored within the EU; backups are encrypted at rest.
- Amazon Web Services (AWS) - used in two places: (i) per-tenant Enterprise infrastructure (API Gateway, Lambda, DynamoDB, S3) provisioned in the AWS region the customer contracts (e.g. eu-north-1 Stockholm, eu-west-1 Dublin) for data residency; (ii) the SQS webhook delivery queue used by self-serve customers who configure outbound webhook subscriptions. AWS is GDPR-compliant and ISO 27001 + SOC 2 Type II certified. AWS GDPR centre.
- Google Analytics 4 - anonymised usage analytics, only loaded after consent. Google is a joint controller for some aspects of GA4 per its data-processing terms.
- PostHog (hosted in the EU) - product analytics, including session replay. PostHog anonymises IP addresses and masks password and payment fields by default.
We never sell personal data. Material changes to this sub-processor list are announced at least 14 days before they take effect; you may object during that window by emailing privacy@regnaverkt.com.
5. International transfers
Stripe, AWS (in regions outside the EU, where contracted) and Google Analytics may involve transfers to the United States. AWS, Stripe and Google all participate in the EU-US Data Privacy Framework, which is our primary transfer basis. Where the Framework does not apply, we rely on the EU Standard Contractual Clauses, Module 2 (Controller-to-Processor), per Commission Decision 2021/914, supplemented by transfer-impact assessments. Where technically feasible we default to EU-region endpoints (Resend's EU region, Hetzner's Finland data centre, AWS eu-north-1 for Enterprise tenants who don't contract a different region).
6. Your rights
Under the GDPR and the Spanish Organic Law on Data Protection (LOPDGDD) you can, at any time, ask us to:
- confirm what personal data we hold about you and receive a copy (access);
- correct inaccurate or incomplete data (rectification);
- delete your account and associated personal data (erasure) - live data is removed within 30 days; encrypted backups roll off within a further 90 days; billing records are retained for six years under Spanish accounting law (Spanish Commercial Code, Art. 30);
- export your account data in a structured machine-readable format (portability);
- restrict or object to certain kinds of processing.
Email privacy@regnaverkt.com and we will respond within 30 days. You also have the right to lodge a complaint with the Spanish data-protection authority (AEPD - Agencia Española de Protección de Datos).
7. Security
We host the service within the EU, encrypt traffic in transit and backups at rest, and restrict production access to a small number of engineers, each of whom must authenticate with hardware-token two-factor authentication.
8. Company data (not personal data)
The company dataset we serve (organisation numbers, financials, ownership, events) is aggregated from public Swedish registry filings. In some cases this includes the names of natural persons who are directors or shareholders of the company. We process that information as a data processor acting on behalf of the customer running the query; the controller is the customer. We do not enrich or cross-link this data with any other personal-data source.
9. Changes to this policy
Material changes will be announced via email to active customers at least 14 days in advance, and the revision date at the top of this page will be updated.