Version: 1.0
Effective from: 2026-03-12
Scope: all Customers using the platform and uploading personal data
1.1. Data processor: Regrally Technologies, UAB, company code 306341431, registered office at Mėsinių g. 5, Vilnius, LT-01133 (hereinafter – the Processor).
1.2. Data controller: each legal or natural person (Customer) that determines the purposes and means of processing and/or uploads / submits content containing personal data on the platform (hereinafter – the Controller).
1.3. The Processor processes personal data only on the documented instructions of the Controller, as set out in these personal data processing terms.
2.1. The subject matter of the processing is platform services enabling the Controller to:
The Processor processes personal data only for the following purposes:
3.1. to enable the Controller to submit (upload) content and use the platform’s functionalities (questionnaires, evidence collection, review, export);
3.2. to perform AI-assisted analysis and provide the Controller with results (summaries, findings, recommendations, results of checks);
3.3. to ensure the security and stability of the platform, bug fixing, incident investigation and customer support, to the extent necessary for the provision of the service.
The Processor may perform the following operations (to the extent necessary for the service):
As the content is provided by the Controller itself, the data subjects depend on the Controller’s activities, but most commonly include:
6.1. Account and administration data: first name, last name, email address, role/permissions, authentication attributes, login and activity logs (audit trail).
6.2. Controller Content (Customer Content): questionnaire responses, comments, uploaded documents and files (e.g., policies, procedures, registers, reports, evidence) and the personal data contained therein.
6.3. AI-generated output (Output): summaries, findings, recommendations, results of checks, conclusions, structured “finding” records linked to the content provided by the Controller.
6.4. Technical data: device / session metadata, IP address (if applicable), system logs, error records.
6.5. Special categories of data (GDPR Art. 9) / data under GDPR Art. 10: the platform does not require them as mandatory; however, they may be included only to the extent that the Controller itself uploads them (e.g., in the content of documents). In such a case, the Processor processes them only to the extent necessary to provide the service and in accordance with the Controller’s instructions.
7.1. AI is used to analyze the content provided by the Controller and prepare a structured output.
7.2. No use of data for model training: the Controller’s data are not used to train AI models and are not shared for any purposes unrelated to the provision of the service.
7.3. AI results are assistive only – the Controller reviews them and independently makes decisions regarding compliance actions.
8.1. The following may have access to personal data:
8.2. The Processor maintains and updates a list of subprocessors. The exact list of subprocessors is available to the Controller upon request.
8.3. The Controller grants the Processor a general prior authorization to engage subprocessors, unless the Parties agree otherwise.
8.4. The Processor ensures that a written agreement is entered into with each subprocessor imposing data protection obligations no less protective than those set out in these terms (including the requirements of GDPR Art. 28), and remains liable to the Controller for the performance of the subprocessor’s obligations.
9.1. Controller Content may be processed and stored in the EEA and/or other countries indicated in the list of subprocessors or in the service documentation.
9.2. If transfers outside the EEA take place, they are carried out only in compliance with GDPR Chapter V (e.g., SCCs or another appropriate transfer mechanism under the GDPR).
10.1. The Processor retains Controller Content and related outputs for the duration of the service provision (for as long as the Controller’s account / agreement remains in force), unless the Controller instructs earlier deletion.
10.2. Upon termination of the contractual relationship or receipt of the Controller’s instruction, the Processor enables:
10.3. Data contained in backups are deleted in accordance with the backup lifecycle as set out in the Processor’s internal procedures / security documentation.
The Processor applies appropriate technical and organizational measures, including (without limitation):
12.1. The Controller’s instructions and requests (including for deletion / export) are submitted via [support channel / email / ticketing system].
12.2. Processor contact for data processing matters: regrally@regrally.com
12.3. If the Processor believes or becomes aware that the Controller’s instruction infringes the GDPR or other applicable EU or national legal requirements, the Processor shall inform the Controller thereof without undue delay and shall have the right to suspend the relevant processing to the extent necessary to ensure compliance with the law.
13.1. Exercise of data subject rights. Taking into account the nature of the processing, the Processor assists the Controller in fulfilling its obligation to respond to data subject requests under GDPR Chapter III by providing technical functionalities (e.g., search, export, deletion) and/or by providing information reasonably necessary to assess and fulfil the request. If the Processor receives a data subject request directly, it forwards it to the Controller without undue delay and does not respond to such request independently unless required by applicable law.
13.2. Personal data breaches. The Processor shall, without undue delay, but no later than within 24 hours of becoming aware, notify the Controller of a personal data breach relating to the Controller’s data and provide the information available to it: (i) the nature of the breach; (ii) the approximate number of affected data subjects and records; (iii) the likely consequences; (iv) the measures taken or proposed to address the breach and mitigate its consequences; (v) a contact person for further information. The Processor cooperates with the Controller in investigating the breach and, at the Controller’s request, provides additional information required for notifications under GDPR Arts. 33 and/or 34.
13.3. Assistance in meeting the requirements of GDPR Arts. 32–36. Taking into account the nature of the processing and the scope of information available to it, the Processor assists the Controller in complying with its obligations under GDPR Arts. 32–36, including by providing information on the applied technical and organizational security measures, assisting with carrying out a data protection impact assessment (DPIA) and, where applicable, assisting in the process of prior consultation with the supervisory authority.
14.1. Upon the Controller’s reasonable request, the Processor provides the information necessary to demonstrate compliance with these terms and the requirements of GDPR Art. 28, and enables an audit / inspection carried out by the Controller or its mandated auditor.
14.2. Audits shall be carried out at reasonable intervals, with the scope, date and confidentiality and information security requirements agreed in advance, so as not to unreasonably disrupt the Processor’s operations or disclose the data of other customers (controllers). The Processor may reasonably propose audit alternatives (e.g., third-party compliance reports or summaries) if they sufficiently demonstrate compliance.
15.1. The Processor may update these Personal Data Processing Terms if the functionality of the service or the nature of the processing changes. The new version shall be published on the website and shall enter into force on the date of its publication.