Privacy Policy
Your privacy matters. RegShield is designed with data minimisation at its core. We collect only what is necessary and process it solely for compliance purposes within the European Union.
1. Who We Are
RegShield is an AI-powered regulatory compliance platform operated by Lucas Carneiro, trading as RegShield, based in Luxembourg. We act as a data processor for fund managers (data controllers) and as a data controller for our own website and contact form data.
2. How We Use Your Data
For platform users:
- To provide access to the RegShield compliance platform
- To maintain an immutable audit log of compliance actions
- To send service-related notifications and alerts
- To provide customer support
For investors:
- To conduct MiFID II suitability assessments
- To perform AML risk screening
- To manage the investor onboarding workflow
- To generate compliance documentation
For website visitors:
- To respond to your enquiry via email
3. Legal Basis for Processing
- Contract performance — processing necessary to provide the RegShield platform to fund managers
- Legal obligation — processing required by MiFID II, GDPR, DORA, and CSSF regulations
- Legitimate interests — responding to contact form enquiries and maintaining platform security
- Consent — where explicitly requested for optional features
4. Data Pseudonymisation
All investor personal data is pseudonymised: each investor is assigned a unique system identifier (the pseudo_id), and investor names and contact details are stored separately from the compliance records that carry that identifier. This means that even if the audit log were accessed, it would not directly reveal investor identities.
5. Where Your Data Is Stored
All data is stored and processed within the European Union. No personal data is transferred to third countries outside the EU/EEA. No fund or investor data is shared with third parties except as required by applicable law.
6. Data Retention
- Investor personal data — retained for the duration of the fund relationship plus the legally required retention period (minimum 5 years under Luxembourg law)
- Audit log records — retained permanently (immutable by design, required by DORA Article 17)
- Platform user data — retained for the duration of the service agreement plus 2 years
- Contact form submissions — retained for 12 months
7. GDPR Erasure Rights
RegShield supports GDPR Article 17 erasure requests for investor personal data. When an erasure request is processed:
- All personal identifiers (name, email, date of birth, etc.) are permanently wiped
- The pseudo_id and compliance records are preserved (required by law)
- The erasure action is recorded in the immutable audit log
To request erasure, contact: hello@regshield.lu
8. Your Rights Under GDPR
You have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data (subject to legal retention requirements)
- Restriction — request that we limit processing of your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Human review — request human review of any automated AI decision
To exercise any of these rights, contact: Regshieldlu@gmail.com
9. AI and Automated Decision-Making
RegShield uses AI for suitability assessments and AML risk scoring. In accordance with GDPR Article 22 and the EU AI Act:
- No fully automated decisions with legal effect are made without human review
- All AI outputs include plain-language explanations (EU AI Act Article 13)
- Compliance officers can override any AI determination
- Investors have the right to request human review of their assessment
No personal data is used to train our AI models.
10. Cookies
The RegShield landing page (regshield.lu) does not use cookies. The platform (app.regshield.lu) uses only essential session cookies required for authentication. No tracking, advertising, or analytics cookies are used.
11. Security
RegShield implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.
12. Third-Party Services
- SendGrid — used for transactional email delivery (invite emails, password resets). Processes email addresses only.
- European Cloud — EU-based infrastructure provider. Processes all platform data.
- Anthropic (Claude API) — used for AI suitability and AML analysis. Only anonymised assessment data is sent. No personal identifiers are transmitted.
13. Data Protection Officer
RegShield does not currently have a formally appointed Data Protection Officer. For all data protection enquiries, contact: hello@regshield.lu
You also have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD), Luxembourg's data protection authority, at cnpd.public.lu.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify active users by email of any significant changes. The date at the top of this page indicates when it was last updated.
15. Contact
RegShield · Luxembourg · Regshieldlu@gmail.com