RegCheck Privacy Policy

Effective date: 22/01/2026

This Privacy Policy explains how RegCheck (“RegCheck”, “we”, “us”) collects and processes personal data when you use our website and services (the “Service”).

1) Data controller and contact

Data controller: Dr. Jamie Cummins, Fabrikstrasse 8, 3012 Bern, Switzerland.

Contact for privacy questions or deletion requests: jamie.cummins@unibe.ch

We do not currently appoint a data protection officer (DPO).

We act as the data controller for personal data processed to operate the Service. Our cloud infrastructure providers and the model provider you select generally act as processors (or sub-processors) when processing data on our behalf; in some cases they may act as independent controllers under their own terms.

2) Scope and important note about uploaded documents

The Service is intended for academic use. You may upload documents (e.g., papers, preregistrations) that can contain personal data (names, emails, acknowledgements, participant information, etc.).

Please do not upload sensitive personal data (e.g., health data, political opinions) unless you have a lawful basis to do so and it is strictly necessary. If feasible, redact sensitive content before uploading.

Data minimisation: Upload only what is necessary for the comparison and report generation.

3) Personal data we process and why

We process the following categories of data:

A. Content you upload (documents)

What: Papers, preregistrations, and related files you upload.

Why: To run the comparison and generate your report.

Temporary storage under load: Under high traffic, uploaded files may be temporarily written to AWS S3 to support reliable processing. Files remain in S3 only while the comparison process is running and are automatically deleted once processing finishes. We do not intentionally create backups of uploaded files (subject to the underlying cloud provider’s standard technical operations).

B. Model prompts and outputs (processing data)

What: Prompts derived from your uploaded content and the resulting model outputs needed to generate the report.

Why: To generate report findings and quotations.

Where this goes: We send prompts/inputs to the model provider you select (see Section 5).

C. Reports and shareable report data (persistence)

What: Report content and quotations shown in the report viewer and any shareable report link.

Why: To let you view and share reports after processing.

We store this in an encrypted Redis database so that reports can remain accessible via their link until you request deletion.

D. Optional survey responses

What: Any feedback or survey responses you voluntarily submit.

Why: Product improvement and research/quality feedback.

Survey responses are stored separately and we do not intentionally link survey responses to specific uploads or report links. Please avoid including identifying or sensitive information in free-text fields.

E. Minimal operational and security data (logs)

What: Basic server and application logs (e.g., timestamps, request paths, error traces; may include IP addresses and user-agent strings as part of standard web/server operation).

Why: Security, abuse prevention, debugging, and reliability.

We do not use third-party analytics. We do not use advertising cookies. We do not require user accounts.

F. Local storage (device preferences)

What: Client-side local storage (e.g., UI preferences) and similar browser technologies.

Why: Convenience and usability.

We do not use advertising cookies.

4) Legal bases (GDPR/UK GDPR)

Where GDPR/UK GDPR applies, our legal bases are:

  • Performance of a contract (Art. 6(1)(b)): to provide the Service you request (processing uploads, sending prompts to your chosen model provider, generating and displaying reports, enabling report sharing).
  • Legitimate interests (Art. 6(1)(f)): to maintain security, prevent abuse, troubleshoot, and ensure service reliability (including minimal logging).
  • Consent (Art. 6(1)(a)): for optional survey responses (you can choose not to provide them).

We do not intentionally process special categories of personal data (Art. 9). If you upload such data, you are responsible for ensuring you have a lawful basis to do so.

Switzerland: We are based in Switzerland and process personal data in accordance with the Swiss Federal Act on Data Protection (nFADP), in addition to any other applicable laws.

5) Model providers and how they handle data

When you run a comparison, you choose which language model provider receives the prompts/inputs derived from your uploaded documents. These providers may process data in different jurisdictions and under different terms. Providers’ practices can change; you should review the provider documentation before choosing a provider.

6) Sharing and public access via report links

Reports may be accessible via a long, random token link (an “unguessable URL”). Anyone with the link can access the report.

Do not share report links publicly or include sensitive information in uploads if you plan to share the resulting report.

7) Retention

  • Uploaded files in S3 (when used): stored only while the comparison process runs; deleted automatically when processing finishes.
  • Reports and quotations in Redis: retained indefinitely to keep reports accessible and shareable until you request deletion.
  • Survey responses: retained indefinitely unless you request deletion.
  • Server logs: retained for 1 day, then deleted.

Because we do not use user accounts, we may not be able to locate a specific report or survey record without the report link or other identifying details you provide.

8) Security

We use reasonable technical and organisational measures, including:

  • Encryption in transit (TLS) where supported.
  • Encrypted Redis storage for persisted reports.
  • Access controls limited to essential systems/personnel.

No method of transmission or storage is 100% secure; however, we aim to use safeguards appropriate to the risk.

9) International data transfers

RegCheck is operated from Switzerland, but data may be processed in other countries depending on the infrastructure and the model provider you choose.

Where required, we rely on appropriate transfer mechanisms (e.g., contractual safeguards offered by providers). If you choose a provider that processes data in jurisdictions without an adequacy decision, your use of that provider may involve additional risks, and the transfer may be necessary to provide the Service you request using that provider.

10) Your rights and choices

Depending on your location and applicable law (including GDPR/UK GDPR and Swiss nFADP), you may have the right to:

  • Request access to personal data we hold about you,
  • Request deletion,
  • Request correction (where applicable),
  • Object to or request restriction of certain processing (where applicable),
  • Withdraw consent for optional survey processing at any time (without affecting processing already performed).

Response timeline: Where required, we aim to respond to rights requests within 30 days.

Deletion requests: Email jamie.cummins@unibe.ch with the report link (or identifying details) and we will delete the relevant persisted report data and/or survey responses.

Local storage: You can clear local storage via your browser settings.

Complaints: You may lodge a complaint with your local supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/edoeb/en/home.html.

11) Changes to this policy

We may update this Policy from time to time. We will post the updated version and change the effective date above.