Privacy Policy

1. Who We Are

RegShield is an AI-powered regulatory compliance platform operated by Lucas Carneiro, trading as RegShield, based in Luxembourg. We act as a data processor for fund managers (data controllers) and as a data controller for our own website and contact form data.

Contact: hello@regshield.lu

2. What Data We Collect

From fund managers and compliance officers (platform users):

• Name, email address, and role
• Login activity and session data
• Actions taken on the platform (recorded in the audit log)

From investors (via the onboarding flow):

• Full name, email address, nationality, country of residence
• Date of birth, phone number (optional)
• Investor type and preferred language
• Suitability questionnaire answers
• Investment amount

From website visitors (regshield.lu):

• Name and email address submitted via the contact form
• Company name, fund type, and message (optional)

3. How We Use Your Data

For platform users:

• To provide access to the RegShield compliance platform
• To maintain an immutable audit log of compliance actions
• To send service-related notifications and alerts
• To provide customer support

For investors:

• To conduct MiFID II suitability assessments
• To perform AML risk screening
• To manage the investor onboarding workflow
• To generate compliance documentation

For website visitors:

• To respond to your enquiry via email

4. Legal Basis for Processing

• Contract performance — processing necessary to provide the RegShield platform to fund managers
• Legal obligation — processing required by MiFID II, GDPR, DORA, and CSSF regulations
• Legitimate interests — responding to contact form enquiries and maintaining platform security
• Consent — where explicitly requested for optional features

5. Data Pseudonymisation

All investor personal data is pseudonymised using a unique pseudo_id system. Investor names and contact details are stored separately from compliance records. The audit log references only the pseudo_id — never the investor's real name. This means that even if the audit log were accessed, it would not directly reveal investor identities.

6. Where Your Data is Stored

All data is stored and processed within the European Union on Hetzner Cloud infrastructure based in Germany. No personal data is transferred to third countries outside the EU/EEA. No fund or investor data is shared with third parties except as required by applicable law.

7. Data Retention

• Investor personal data — retained for the duration of the fund relationship plus the legally required retention period (minimum 5 years under Luxembourg law)
• Audit log records — retained permanently (immutable by design, required by DORA Article 17)
• Platform user data — retained for the duration of the service agreement plus 2 years
• Contact form submissions — retained for 12 months

8. GDPR Erasure Rights

RegShield supports GDPR Article 17 erasure requests for investor personal data. When an erasure request is processed:

• All personal identifiers (name, email, date of birth, etc.) are permanently wiped
• The pseudo_id and compliance records are preserved (required by law)
• The erasure action is recorded in the immutable audit log

To request erasure, contact: hello@regshield.lu

9. Your Rights Under GDPR

You have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate personal data
• Erasure — request deletion of your personal data (subject to legal retention requirements)
• Restriction — request that we limit processing of your data
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interests
• Human review — request human review of any automated AI decision

To exercise any of these rights, contact: hello@regshield.lu

10. AI and Automated Decision-Making

RegShield uses AI for suitability assessments and AML risk scoring. In accordance with GDPR Article 22 and the EU AI Act:

• No fully automated decisions with legal effect are made without human review
• All AI outputs include plain-language explanations (EU AI Act Article 13)
• Compliance officers can override any AI determination
• Investors have the right to request human review of their assessment

No personal data is used to train our AI models.

11. Cookies

The RegShield landing page (regshield.lu) does not use cookies. The platform (app.regshield.lu) uses only essential session cookies required for authentication. No tracking, advertising, or analytics cookies are used.

12. Security

RegShield implements the following security measures:

• All data transmitted over HTTPS with TLS encryption
• JWT-based authentication with automatic session expiry
• Cryptographic hash chain protecting the audit log from tampering
• PostgreSQL database with access controls and daily encrypted backups
• Error monitoring via Sentry

13. Third-Party Services

• SendGrid — used for transactional email delivery (invite emails, password resets). Processes email addresses only.
• Hetzner Cloud — EU-based infrastructure provider. Processes all platform data.
• Anthropic (Claude API) — used for AI suitability and AML analysis. Only anonymised assessment data is sent. No personal identifiers are transmitted.

14. Data Protection Officer

RegShield does not currently have a formally appointed Data Protection Officer. For all data protection enquiries, contact: hello@regshield.lu

You also have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD), Luxembourg's data protection authority, at cnpd.public.lu.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active users by email of any significant changes. The date at the top of this page indicates when it was last updated.

16. Contact

RegShield · Luxembourg · hello@regshield.lu