
Privacy Policy

How we collect, use, share and protect your personal data when you use the Reglo Services.

Last updated: 14 May 2026 · UK GDPR / Data Protection Act 2018

1. Who we are

This Privacy Policy explains how Softwarised Solutions 5000 Ltd (trading as Reglo) collects, uses, shares and protects your personal data when you use the Reglo website at useReglo.com, the Reglo application at app.useReglo.com, or otherwise interact with us (together, the “Services”).

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is:

  • Softwarised Solutions 5000 Ltd (trading as Reglo)
  • Registered in England and Wales, company number 15917897
  • Registered office: 1386 London Road, Leigh On Sea, Essex, England, SS9 2UJ
  • Email: info@useReglo.com

References to “we”, “us” or “our” in this Policy mean Softwarised Solutions 5000 Ltd. References to “you” mean the individual whose personal data we process.

2. Scope of this Policy

This Policy applies to personal data we process as a controller — for example, account holders, prospective customers, individual users of the Reglo application, website visitors, and people who contact us.

Where our business customers upload personal data into the Reglo platform about their own staff, contractors or third parties (for example as part of policy attestations, training records or audit logs), Reglo processes that personal data as a processor on behalf of the customer. In those cases, the customer is the controller and their own privacy notice applies; our role is governed by our Data Processing Agreement with that customer rather than by this Policy.

3. The personal data we collect

We collect and process the following categories of personal data:

Account & identity data

  • Full name, email address, username, password (stored only as a salted hash), profile photo
  • Job title, role within your organisation
  • Where you sign in via Google or Microsoft single sign-on: your unique provider ID, email address, name and profile picture as released by the provider

Organisation & subscription data

  • The organisation you belong to, your role within Reglo (e.g. org admin, staff)
  • Subscription tier, billing contact details, invoices and payment status (payment card details are handled by Stripe and are never stored by us)

Usage & technical data

  • IP address, user-agent, device and browser information
  • Pages and features accessed within the Services, in-app actions, request identifiers
  • Cookies and similar technologies necessary for the Services to function (see section 11)

Content data

  • Information you submit when using the Services, including policy drafts, attestations, training completions, support messages and audit-log entries
  • Content of communications you send to us (e.g. emails, support tickets)

Marketing data (where you have asked to receive it)

  • Email address, marketing preferences and engagement with our messages

We do not intentionally collect special category data (such as data revealing health, ethnicity or political opinions) or criminal-offence data. Please do not submit such data through the Services unless we have agreed to receive it in writing.

4. How we collect personal data

We collect personal data:

  • Directly from you — when you register an account, contact us, purchase a subscription, or use the Services
  • From your employer — where your organisation administrator creates an account on your behalf or invites you to join
  • From third-party identity providers — where you sign in using Google or Microsoft single sign-on
  • Automatically — through cookies, server logs and similar technologies when you use the Services

5. Why we use personal data and our lawful bases

Under UK GDPR we must have a lawful basis for processing your personal data. The bases we rely on are set out below.

Purpose | Lawful basis
To create and administer your Reglo account, authenticate you, and provide the Services to you and your organisation | Performance of a contract with you, or to take steps at your request prior to entering into a contract; and legitimate interests in administering our customer relationships
To process payments, issue invoices, manage subscriptions and prevent payment fraud | Performance of a contract; legal obligation (e.g. tax and accounting records); and legitimate interests in protecting our business from fraud
To respond to your enquiries and provide customer support | Legitimate interests in supporting our users; performance of a contract
To secure the Services, monitor for abuse, investigate incidents and maintain audit logs | Legitimate interests in keeping the Services and our customers' data secure; legal obligation under UK GDPR Article 32
To improve the Services, develop new features, and produce aggregated / anonymised analytics | Legitimate interests in operating and improving our product
To comply with legal, regulatory and accounting obligations (e.g. responding to lawful requests, retaining records) | Legal obligation
To send you service communications (e.g. security alerts, billing notices, material changes to the Services) | Performance of a contract; legitimate interests
To send you marketing communications about Reglo where you have asked to receive them, or where permitted under the “soft opt-in” in regulation 22 of the Privacy and Electronic Communications Regulations (PECR) | Consent, or legitimate interests under the soft opt-in. You can opt out at any time using the unsubscribe link in any marketing email or by emailing info@useReglo.com
To establish, exercise or defend legal claims | Legitimate interests; legal obligation

Where we rely on legitimate interests, we have carried out a balancing test and concluded that our interests are not overridden by your interests, rights or freedoms. You can request a copy of that assessment by contacting us.

6. Automated processing and AI features

The Reglo platform uses artificial intelligence (including large language models supplied by Anthropic and OpenAI) to assist with tasks such as drafting policies, mapping regulations, redlining and surfacing relevant compliance content.

The outputs of these AI features are advisory only. They are presented to a human user (you or a colleague in your organisation) for review, edit and approval before any decision is taken or any document is finalised. We do not use these features to make decisions about you that produce legal effects, or similarly significant effects on you, solely by automated means within the meaning of Article 22 UK GDPR.

We do not allow our AI sub-processors to use content you submit through the Services to train their public models.

7. Who we share personal data with

We share personal data only where necessary for the purposes set out above, and only with recipients that are subject to appropriate confidentiality and data-protection obligations. Recipients include:

Our sub-processors, including:

  • Amazon Web Services EMEA SARL — cloud infrastructure and database hosting (London, UK region)
  • Stripe Payments Europe Ltd — payment processing and subscription billing
  • Twilio Inc. / SendGrid — transactional and notification email delivery
  • Anthropic PBC — AI inference for in-product features
  • OpenAI Ireland Ltd / OpenAI LLC — AI inference and embeddings for in-product features
  • Functional Software, Inc. (Sentry) — error monitoring (EU region)
  • Axiom Inc. — application logging (EU region)
  • Vercel Inc. — frontend hosting and content delivery
  • Google LLC and Microsoft Corporation — where you choose to sign in with their single sign-on services

A current list of sub-processors is available on request. We carry out due diligence on each sub-processor and have written contracts in place that meet the requirements of UK GDPR Article 28.

Our professional advisers

Including lawyers, accountants, auditors and insurers, where reasonably necessary.

Authorities and other third parties

Where required by law, court order, or to establish, exercise or defend legal claims; or where strictly necessary to protect the vital interests of any person.

A successor entity

In connection with a merger, acquisition, restructuring or sale of all or part of our business. Where this happens we will take steps to ensure your personal data continues to be protected in line with this Policy.

We do not sell your personal data.

8. International transfers

Our primary hosting region is the United Kingdom (AWS London, eu-west-2). Some of our sub-processors (such as Sentry and Axiom) host data in the European Economic Area (EEA), and some (such as Anthropic, OpenAI, Stripe, SendGrid and Vercel) may process data in the United States or other countries outside the UK.

Where we transfer personal data outside the UK, we put appropriate safeguards in place as required by UK GDPR, including:

  • transfers to countries that are the subject of UK adequacy regulations (including the EEA); or
  • the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures identified by a transfer risk assessment.

You can request a copy of the safeguards we rely on by contacting info@useReglo.com.

9. How long we keep personal data

We keep personal data only for as long as is necessary for the purposes for which it was collected, including to satisfy any legal, accounting or reporting requirements.

Indicative retention periods:

Category | Retention period
Account data (active user) | For the duration of your account, plus up to 12 months after closure
Billing and invoicing records | 7 years after the end of the relevant tax year (to satisfy HMRC and Companies Act 2006 requirements)
Support correspondence | Up to 3 years after the matter is closed
Server, audit and security logs | Up to 2 years (or longer where required to investigate an incident)
Marketing data | Until you unsubscribe, or 3 years of inactivity, whichever is sooner
Backups | Rolling, overwritten on a cycle of up to 35 days

When personal data is no longer required, we will either securely delete it or irreversibly anonymise it.

10. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Right of access — to obtain a copy of the personal data we hold about you
  • Right to rectification — to have inaccurate or incomplete personal data corrected
  • Right to erasure (“right to be forgotten”) — to ask us to delete personal data in certain circumstances
  • Right to restrict processing — to ask us to suspend processing in certain circumstances
  • Right to data portability — to receive certain personal data in a structured, commonly used, machine-readable format
  • Right to object — to object to processing based on our legitimate interests, and to object at any time to processing for direct marketing
  • Right to withdraw consent — where we rely on your consent, at any time, without affecting the lawfulness of processing before withdrawal
  • Rights in relation to automated decision-making — see section 6

To exercise any of these rights, please email info@useReglo.com. We will respond within one month, although in complex cases we may extend this by up to a further two months and will let you know if we need to do so. We may need to verify your identity before acting on a request.

If your personal data was entered into the Reglo platform by a Reglo customer (your employer, for example), we may need to forward your request to that customer, who is the controller of that personal data.

There is normally no charge for exercising your rights. We may charge a reasonable fee, or refuse to act, where a request is manifestly unfounded or excessive.

11. Cookies and similar technologies

We use a small number of cookies and similar technologies to make the Services work and to keep them secure. These include:

  • Strictly necessary cookies — for authentication, session management, security and load balancing. These are set on the basis of our legitimate interests and do not require your consent.
  • Functional cookies — to remember your preferences (e.g. UI state).
  • Analytics cookies — where used, only with your consent, and configured to minimise personal data collected.

You can control cookies through your browser settings. Blocking strictly necessary cookies may prevent the Services from working correctly.

12. Security

We take the security of your personal data seriously. We have implemented technical and organisational measures appropriate to the risk, including:

  • encryption of data in transit (TLS 1.2 or higher) and at rest
  • least-privilege access controls and multi-factor authentication for staff access
  • network segmentation, secrets management and audit logging
  • regular patching, dependency monitoring and vulnerability management
  • documented incident response, business continuity and backup procedures
  • staff training on data protection and information security

No system is completely secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours where required, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk.

13. Children

The Services are intended for use by businesses and their staff. They are not directed at children, and we do not knowingly collect personal data from anyone under the age of 18. If you believe we have collected personal data from a child, please contact info@useReglo.com and we will delete it.

14. Third-party websites

The Services may contain links to third-party websites and services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy notices before providing any personal data.

15. Changes to this Policy

We may update this Policy from time to time. The “Last updated” date at the top of this Policy will indicate when it was last revised. If we make material changes we will give you reasonable advance notice — for example, by email or a prominent notice within the Services — before the changes take effect.

16. How to contact us and how to complain

If you have any questions about this Policy or about how we handle your personal data, please contact:

  • Email: info@useReglo.com
  • Post: Data Protection, Softwarised Solutions 5000 Ltd, 1386 London Road, Leigh On Sea, Essex, England, SS9 2UJ

We hope we can resolve any concern you may have, but you also have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)

  • Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Helpline: 0303 123 1113
  • Website: ico.org.uk

We would, however, appreciate the chance to deal with your concerns directly before you approach the ICO, so please contact us in the first instance.