LEGAL
Privacy Policy
Controller: MMS Ventures SAS (trading as Regumint) — SIREN 989 692 355 — Paris, France
Contact : contact@regumint.com
Lead Supervisory Authority: Commission Nationale de l'Informatique et des Libertés (CNIL)
Last Updated: March 2026
1.Who We Are
Regumint is a legal analysis platform operated by MMS Ventures SAS, a French simplified joint-stock company (société par actions simplifiée) registered in Paris under SIREN 989 692 355. For the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), MMS Ventures SAS is the data controller for personal data collected through this website and the Regumint platform.
We do not have a formally appointed Data Protection Officer (DPO). As a company currently below the threshold that triggers mandatory DPO appointment under Article 37 GDPR, privacy matters are handled directly by our team. All privacy inquiries should be sent to contact@regumint.com.
2.Personal Data We Collect and Our Legal Bases
We process personal data only where we have a valid legal basis under Article 6 of the GDPR. The table below sets out each processing activity, the data involved, the purpose, and the applicable legal basis.
| Processing activity | Data involved | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|---|
| Contact and demo request forms | Name, email, company name, phone (optional), message | Responding to enquiries; scheduling product demonstrations | Art. 6(1)(b) — pre-contractual steps at your request |
| Waitlist and free trial signup | Name, email, company name | Managing early-access and trial programmes | Art. 6(1)(b) — pre-contractual steps |
| Newsletter subscription | Email address, first name | Sending product updates, platform news, and editorial content | Art. 6(1)(a) — consent |
| Platform account management | Username, email address, password hash, role | Providing, administering, and securing your subscription | Art. 6(1)(b) — performance of contract |
| Platform usage analytics | Search queries, feature usage logs, API call logs, session data | Improving platform reliability, quality, and functionality | Art. 6(1)(f) — legitimate interest |
| Uploaded documents (Enterprise) | Proprietary documents and files you upload | Delivering the document analysis and reasoning service | Art. 6(1)(b) — performance of contract |
| Website analytics | IP address, browser type, device type, pages visited, referral source, session duration | Understanding how the website is used; improving user experience | Art. 6(1)(f) — legitimate interest |
| Advertising and retargeting cookies | Cookie identifiers, browsing behaviour, conversion events | Measuring and optimising paid marketing campaigns | Art. 6(1)(a) — consent |
| Legal and regulatory compliance | Categories above as relevant | Complying with applicable law; responding to lawful authority requests | Art. 6(1)(c) — legal obligation |
Legitimate interest: Where we rely on legitimate interest under Art. 6(1)(f), we have carried out a balancing assessment and concluded that our interests in operating and improving our services do not override the fundamental rights and freedoms of the individuals concerned, taking into account the nature of the data, the reasonable expectations of users, and the safeguards we apply.
You may object to processing based on legitimate interest at any time (see Section 8).
3.Cookies and Tracking Technologies
We use cookies and similar technologies on our website. Cookies are grouped into the following categories:
Strictly necessary cookies — Essential for the website and platform to function correctly. These include session management tokens and security cookies. These are set without consent as they are technically required.
Analytics cookies — Used to understand how visitors navigate and interact with our website (via Google Analytics, managed through Google Tag Manager). These cookies collect pseudonymised data. Set only with your prior consent.
Marketing and advertising cookies — Used for targeted advertising, retargeting, and conversion tracking across Google Ads, YouTube Ads, LinkedIn, Instagram, and Facebook networks. Set only with your prior consent.
You can manage and update your cookie preferences at any time via the consent banner displayed on your first visit (powered by CookieYes) or by clicking “Cookie Settings” in the footer. You may also control cookies through your browser settings, though disabling certain cookies may affect website functionality.
Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal.
4.Third-Party Data Processors
We share personal data with third-party processors who provide infrastructure, marketing, and technical services necessary to operate Regumint. All processors are bound by written data processing agreements (DPAs) that require them to process data only on our instructions, apply appropriate security measures, and comply with applicable data protection law.
| Processor | Service | Data transferred | Location | Transfer mechanism |
|---|---|---|---|---|
| HubSpot, Inc. | CRM, contact form submissions, email marketing (newsletter and demo requests) | Name, email address, company, phone, enquiry content | USA | EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) |
| Google Ireland Limited | Google Analytics, Google Tag Manager, Google Ads, YouTube Ads | Pseudonymised usage data, cookie identifiers, conversion events | EEA / USA | EEA processing (adequacy); USA transfers via SCCs |
| Vercel Inc. | Website and platform hosting and infrastructure | Server access logs, user session metadata | USA | EU Standard Contractual Clauses |
| Commercial LLM API providers (Tier 1) | AI language model inference — public regulatory corpus only. Client-uploaded documents are never processed by these providers. | Publicly available regulatory document content only | Varies — may include USA | EU Standard Contractual Clauses where processing occurs outside EEA |
| EEA-hosted LLM infrastructure (Tier 2) | AI language model inference — client-uploaded and sensitive documents | Client document content | France / EEA | No international transfer — EEA processing only |
| CookieYes Ltd. | Consent management platform | Cookie consent preferences and records | EU/UK | GDPR-compliant (EEA processing) |
| Meta Platforms Ireland Ltd. | Instagram and Facebook advertising pixels | Cookie identifiers, pseudonymised event data | EEA / USA | SCCs for USA onward transfers |
| LinkedIn Ireland Unlimited Company | LinkedIn advertising and conversion tracking | Cookie identifiers, pseudonymised event data | EEA / USA | SCCs for USA onward transfers |
We do not sell personal data to any third party. We do not share personal data with third parties for their own marketing purposes.
5.International Data Transfers
Some of our third-party processors are located or process data outside the European Economic Area (EEA), in particular in the United States of America. Where personal data is transferred to a country not covered by an adequacy decision issued by the European Commission, we rely on EU Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914 as the lawful transfer mechanism under Article 46(2)(c) GDPR.
We conduct transfer impact assessments where required and implement supplementary technical and contractual measures to ensure that transferred data receives a level of protection essentially equivalent to that guaranteed within the EEA.
Copies of the SCCs applicable to any specific processing relationship are available upon request at contact@regumint.com.
6.Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy, or as required by applicable law.
| Data category | Retention period |
|---|---|
| Contact form and demo request submissions | 3 years from date of submission |
| Newsletter subscriber data | Until consent is withdrawn; deleted within 30 days of withdrawal |
| Waitlist and trial signup data | 12 months from submission, unless converted to an active account |
| Platform user account data | Duration of active subscription + 90 days following termination |
| Enterprise uploaded documents | Deleted within 30 days of contract termination or upon written request |
| Platform usage logs and analytics | 12 months |
| Consent records (cookies and marketing) | 5 years (to demonstrate compliance) |
| Website analytics data (Google Analytics) | 14 months (default Google Analytics retention) |
| Legal compliance records | As required by applicable law (typically up to 10 years under French commercial law) |
Following the expiry of the applicable retention period, data is securely deleted or anonymised.
7.AI and Automated Processing
7.1 How AI is Used
Regumint operates a two-tier AI processing architecture. The processing environment applied to any given document is determined by its sensitivity and origin.
Tier 1 — Public regulatory corpus
Analysis of publicly available documents — legislation, regulation, case law, and official guidance — is performed using commercial large language model APIs. Providers may operate infrastructure partially or entirely outside the EEA; where this is the case, EU Standard Contractual Clauses are in place (see Section 5). Only documents already in the public domain are processed in this tier.
Tier 2 — Client-uploaded and sensitive documents
Documents uploaded by clients — including proprietary documents, internal analyses, and any documents that may contain confidential or personal information — are processed using large language models deployed on infrastructure located within France and the EEA. This may include self-hosted open-source models operated by Regumint, or European AI providers whose processing is contractually restricted to EEA infrastructure. No client-uploaded document content is transmitted to providers whose infrastructure is located outside the EEA. Data does not leave the EEA in this processing tier.
On-premise deployment
Enterprise clients requiring that all AI processing occur within their own infrastructure — with no data leaving their environment — may request an on-premise deployment configuration under a separate Enterprise agreement.
7.2 Personal Data Safeguards
- Data minimisation: We apply technical measures to prevent the inclusion of identifiable personal data in AI inference calls. Documents submitted for analysis are processed in isolated, ephemeral sessions.
- No model training: Client data — including uploaded documents, analytical outputs, and queries — is not used to train, fine-tune, benchmark, or otherwise improve AI models, by Regumint or any of its AI sub-processors. This is contractually guaranteed with each AI provider.
- Data isolation: AI processing occurs in secure, isolated environments with no cross-client data access.
7.3 No Binding Automated Decisions
Regumint does not make legally binding or similarly significant automated decisions about individuals. All platform outputs are analytical tools to support human professional judgment. Article 22 GDPR (rights related to automated individual decision-making) does not apply to Regumint's processing. All analytical outputs require review and validation by the user before any professional or legal reliance is placed on them.
8.Your Rights Under GDPR
As a data subject, you have the following rights. You may exercise any of them by contacting us at contact@regumint.com.
- Right of access (Art. 15): Obtain confirmation of whether we process your personal data and receive a copy of it.
- Right to rectification (Art. 16): Have inaccurate or incomplete personal data corrected.
- Right to erasure (Art. 17): Request deletion of your personal data where there is no overriding legal ground for continued retention.
- Right to restriction of processing (Art. 18): Restrict processing in certain circumstances (e.g., where you contest the accuracy of data, pending resolution).
- Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
- Right to object (Art. 21): Object to processing based on legitimate interest, including for direct marketing. Where you object to processing for direct marketing, we will cease that processing immediately.
- Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent to marketing emails, use the unsubscribe link in any marketing email. To withdraw cookie consent, use the Cookie Settings panel.
We will respond to all rights requests within 30 days of receipt. Where requests are complex or numerous, we may extend this by a further two months, in which case we will notify you within the initial 30-day period with reasons for the extension.
We will not charge a fee for exercising your rights, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee.
9.Right to Lodge a Complaint
If you consider that our processing of your personal data infringes the GDPR or applicable national data protection law, you have the right to lodge a complaint with a supervisory authority — in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
As a French-registered data controller, our lead supervisory authority is:
Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
www.cnil.fr | +33 (0)1 53 73 22 22
We nonetheless encourage you to contact us directly first at contact@regumint.com, so that we can address your concern promptly.
10.Data Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest
- Role-based access controls and principle of least privilege
- Audit logging of access to sensitive data
- Regular security assessments
No method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly notifying you and the relevant supervisory authority in the event of a personal data breach that poses a risk to your rights and freedoms.
11.Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or service offerings. The date at the top of this page indicates the most recent version.
For material changes, we will provide advance notice via a prominent notice on our website or, where appropriate and where we hold your email address, by direct email notification.
Contact : contact@regumint.com | Contact us