Privacy Policy
Last updated: June 2, 2026
Definitions
- Personal Data — any information relating to an identified or identifiable natural person (name, email, IP address, online identifier, etc.).
- Processing — any operation performed on Personal Data: collection, storage, use, disclosure, deletion, etc.
- Controller — the entity that determines the purposes and means of Processing (RegimeFlow / Cornel).
- Processor — a third party that processes Personal Data on the Controller's behalf (e.g. Supabase, Stripe).
- Data Subject — the natural person whose Personal Data is being processed (you, the visitor or user).
- Personal Data Breach — a security incident leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of Personal Data.
1. Who we are
RegimeFlow ("we", "us", "our") operates the website at regimeflow.com, which provides AI-driven technical analysis tools and risk-management indicators for crypto and financial markets. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform.
Data controller: RegimeFlow is currently in a free, pre-incorporation phase. The data controller is Cornel (natural person), Romania, pending the registration of a Romanian S.R.L. Once incorporated, the company will become the controller and its full registration details will be published in our Imprint.
For privacy-related questions, contact: founder@regimeflow.com.
2. Data we collect
Account data
- Email address (required for authentication)
- Password — only if you sign up with email/password; stored hashed by Supabase, never visible to us
- Display name and profile picture (if you sign in via Google)
- Authentication identifiers (Google sub, Supabase user UUID)
Disclaimer acceptance
- Timestamp, IP address, user-agent string, disclaimer version accepted
- Stored for legal defensibility (chargeback disputes, regulatory audit)
Technical data
- IP address (used for rate-limiting and abuse prevention)
- Browser type, device type, OS
- Pages visited, session duration (aggregated, cookieless via Vercel Analytics)
What we do NOT collect
- We do not have access to your exchange accounts, wallets, or private keys
- We do not collect payment card data directly — Stripe handles all billing
- We do not sell, rent, or share your personal data with advertisers
3. Legal basis for processing (GDPR)
- Contract: providing the platform you signed up for
- Legitimate interest: security, fraud prevention, service improvement
- Consent: optional analytics and marketing cookies (where applicable)
- Legal obligation: tax records, anti-money-laundering compliance
4. Sub-processors (third-party data processors)
We are required by GDPR Art. 28 to disclose every company with whom we share your personal data. The current list is:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe Inc. | Payment processing, billing, invoices | US, EU |
| Supabase Inc. | Authentication, database (PostgreSQL), file storage | EU (Frankfurt) |
| Upstash Inc. | Rate-limiting (hashed IPs, 60-second TTL) | EU, US |
| Vercel Inc. | Hosting, edge network, cookieless analytics | Global |
| Hugging Face Inc. | AI model inference (price data only, no PII) | US, EU |
| Google LLC | Sign in with Google (authentication only) | US |
| Cookie-Script Ltd. | Cookie consent management (GDPR/CCPA) | EU (Lithuania) |
All sub-processors are bound by Data Processing Agreements (DPA). Transfers outside the EEA are protected by Standard Contractual Clauses (SCCs). We do not currently use OpenAI or any other third-party LLM provider; AI inference runs on our own Hugging Face Space with the model weights under our control.
We will update this list before adding any new sub-processor. Registered users are notified by email at least 14 days before changes affecting personal data take effect.
5. Data retention
- Account data: retained while your account is active. Deleted within 30 days of account deletion request.
- Disclaimer acceptance log: retained for 6 years after account closure (statute of limitations for financial disputes).
- IP addresses in rate-limit cache: maximum 60 seconds.
- Aggregated analytics: indefinitely, but contains no personal identifiers.
6. Your rights
Under GDPR (EU/UK) and CCPA (California), you have the following rights:
Right to be forgotten (erasure)
You can delete your account at any time directly from the platform: user menu in the sidebar (bottom-left) → Delete account → type "DELETE" to confirm. This permanently removes from Supabase:
- Your
auth.usersentry (email, OAuth identifiers) - Your disclaimer acceptance history
- Your subscription record (the Stripe customer is canceled separately on request)
A minimal anonymized audit record (SHA-256 hash of your user ID + timestamp) is kept for 6 years for legal compliance with financial-services audit requirements.
Right of access
You can download a full export of your data in JSON format any time from /api/account/export while logged in. For records we no longer hold (deletion audit hash, archived invoices), email founder@regimeflow.com — we respond within 30 days at no cost.
Other rights
- Rectify inaccurate data
- Object to processing based on legitimate interest
- Port your data in a machine-readable format (JSON)
- Opt out of any data sale (we do not sell, but the right exists by law — California residents see the "Do Not Sell or Share My Personal Information" link in the footer; anyone can adjust consent via the cookie settings badge)
- Restrict processing in specific circumstances (GDPR Art. 18)
- Lodge a complaint with your local data protection authority (for Romanian residents: ANSPDCP, anspdcp.ro)
For all other requests, email founder@regimeflow.com. We respond within 30 days, free of charge.
7. International transfers
Data may be processed in the United States and the European Union. Transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) signed with each sub-processor.
8. Security
- All data in transit is encrypted (HTTPS/TLS 1.3)
- Database access protected by Row-Level Security (RLS) policies
- Service-role keys never exposed to client-side code
- Rate-limiting on all API endpoints to prevent abuse
9. Children
RegimeFlow is intended for users aged 18 or older. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us for immediate deletion.
10. Business transfers
If RegimeFlow is involved in a merger, acquisition, asset sale, or other business transfer, your Personal Data may be transferred to the acquiring entity as part of that transaction. We will notify registered users by email at least 30 days before any such transfer takes effect and before their Personal Data becomes subject to a different privacy policy. You retain the right to request deletion of your data prior to the transfer.
11. Links to other websites
The Platform may contain links to third-party websites (e.g. data sources, exchange documentation, external tools). This Privacy Policy applies only to regimeflow.com. We have no control over and assume no responsibility for the content or privacy practices of any third-party site. We encourage you to review the privacy policy of every site you visit.
12. Supervisory authority
If you believe your rights under GDPR have been violated, you may lodge a complaint directly with us or with the competent supervisory authority. For users in Romania:
- ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal
- Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 București, Romania
- Website: dataprotection.ro
- Submit a complaint: dataprotection.ro/complaints
Users in other EU member states may contact their local Data Protection Authority (DPA). The full list of EU DPAs is available at edpb.europa.eu.
13. Changes
We will update this policy as needed. Material changes will be communicated via email to registered users. The "Last updated" date at the top reflects the current version.