# ReguShield AI — Data Retention & Deletion

*This document describes ReguShield AI's pilot environment as currently implemented. It is provided for customer due diligence and is not a warranty or certification.*

---

## 1. Purpose

This document explains what customer data ReguShield AI stores during a pilot, where it is stored, how long it is kept, and how a customer can clear their workspace or request full deletion.

---

## 2. Controller / Processor Roles

- The **customer is the data controller** for the operational records they upload.
- **ReguShield AI acts as the data processor** for that customer-uploaded data, processing it on the customer's instructions to provide compliance analysis.

A Data Processing Agreement (DPA) template is available in this pilot kit and on request.

---

## 3. What Data Is Stored & Where

All customer data is stored **within the European Union**, on PostgreSQL via Supabase (Dublin / Amsterdam region). This includes:

- **Uploaded operational records** — the CSV/Excel transaction and customer-signal fields a customer ingests for analysis (e.g. transaction amounts, KYC status, risk signals, jurisdiction fields).
- **Analysis outputs & logs** — risk scores, rule hits, narratives and the in-app audit trail of uploads, actions, evidence and report generation.
- **Evidence & document uploads** — files uploaded to the Evidence/Document panels, stored in Supabase Storage in per-user folders.
- **Workspace & profile data** — organisation profile, frameworks in scope, members and activation status.

Case analysis outputs reference anonymised transaction fields; customers should not upload personal identifiers or special-category data that are not required for analysis (see the GDPR Privacy Notice in this kit).

Data is protected by Postgres Row-Level Security keyed to the verified Supabase session email, so each workspace is isolated to its owner.

---

## 4. Retention During the Pilot

- **Pilot workspace data: 90-day default retention.** Pilot data is retained for the duration of the pilot, with a 90-day default for workspace data.
- **Enterprise / paid engagements:** retention is configurable per the Data Processing Agreement.

Retention periods can be discussed and agreed in the pilot or DPA terms.

---

## 5. Clearing Your In-App Workspace

A customer can remove data from their own workspace directly in the application:

- Delete or clear records, evidence and actions through the relevant pilot pages (e.g. uploads/history, evidence, action centre).
- Because Supabase is the source of truth, removing data in-app removes it from the EU-hosted database under that workspace's RLS scope.

The browser's local cache is a separate convenience layer (see Section 6) and does not hold the authoritative copy.

---

## 6. Local Device Cache Behaviour

For fast loading, the browser keeps a `localStorage` cache of workspace state on the device. This cache:

- Is **purged on logout**.
- Is **purged on inactivity timeout**.
- Is **replaced if a different user signs in on the same device** (owner-change purge).

The cache is never the authoritative store. Clearing it does not delete cloud data, and clearing cloud data does not depend on the cache being present.
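The three purge triggers listed above can be sketched as follows. This is an added example, not ReguShield AI's code: the key name, the 15-minute idle limit, the `WorkspaceCache` class and the in-memory storage stand-in are all assumptions made for illustration.

```javascript
// Hypothetical names and values; the page specifies neither a key nor a timeout.
const CACHE_KEY = "workspace-cache";
const IDLE_LIMIT_MS = 15 * 60 * 1000;

// Map-backed stand-in for window.localStorage so the sketch runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    removeItem: (k) => void m.delete(k),
  };
}

class WorkspaceCache {
  constructor(storage, now = () => Date.now()) {
    Object.assign(this, { storage, now, owner: null });
  }
  // Owner-change purge: drop anything a different user left on this device.
  signIn(owner) {
    const entry = this.#read();
    if (entry && entry.owner !== owner) this.purge();
    this.owner = owner;
  }
  save(state) {
    if (!this.owner) throw new Error("no signed-in owner");
    const entry = { owner: this.owner, touched: this.now(), state };
    this.storage.setItem(CACHE_KEY, JSON.stringify(entry));
  }
  // Returns cached state, or purges and returns null when the entry is
  // idle past the limit (measured from the last save here) or not ours.
  load() {
    const entry = this.#read();
    if (!entry) return null;
    const idle = this.now() - entry.touched;
    if (entry.owner !== this.owner || !(idle <= IDLE_LIMIT_MS)) {
      this.purge();
      return null;
    }
    return entry.state;
  }
  logout() { this.purge(); this.owner = null; } // purge on logout
  purge() { this.storage.removeItem(CACHE_KEY); }
  #read() {
    const raw = this.storage.getItem(CACHE_KEY);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch { this.purge(); return null; }
  }
}
```

Every purge path touches only the device cache; nothing in it calls the server, which matches the statement that clearing the cache does not delete cloud data.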

---

## 7. Requesting Full Deletion

To request full deletion of a workspace and its underlying cloud data:

1. Email **hello@regushield.ai** from the workspace owner's email address, stating the workspace/organisation and that you request deletion.
2. We will confirm the request and delete the associated case data, analysis logs, audit records and evidence files held in the EU-hosted Supabase database and storage.
3. Residual copies may persist temporarily within the managed platform's **backups** (Supabase-managed) until those backups age out on the platform's normal cycle. We do not retain a separate independent copy outside that managed environment.

As processor, ReguShield AI will action deletion on the controller's documented instruction. Where the customer is exercising data-subject rights on behalf of an individual, see the GDPR Privacy Notice in this kit.

---

## 8. Support / Deletion Contact

For retention questions or deletion requests:

**hello@regushield.ai**
