Privacy Notice
Last updated: April 26, 2026
1. Who we are
This Privacy Notice describes how theregulationroom ("we", "us", "our") collects and processes your personal data when you use The Regulation Room website, web application, and related services (the "Service"). theregulationroom is the data controller for the personal data described in this notice.
If you have questions about this notice or how your data is handled, contact us through the support channels available inside the Service.
2. Personal data we collect
- Account data — email address, login credentials, display name, and authentication identifiers.
- Service content — mood and anxiety check-ins, breathing session records, journal notes, and AI coach conversations you create inside the Service.
- Usage and device data — pages viewed, features used, approximate location derived from IP address, browser type, device identifiers, and similar telemetry.
- Support data — messages and information you send us when requesting help.
- Order and billing data — handled by our payment provider Paddle (see "Sharing" below). We receive a record of your subscription status, but card details are processed by Paddle, not us.
3. How we use your data and our legal basis
- Provide the Service (performance of contract) — create and operate your account, save your check-ins, run the AI coach, deliver guides and breathing practices.
- Keep the Service secure (legitimate interests) — detect fraud, abuse, and security incidents.
- Improve the Service (legitimate interests) — analyse aggregated usage to fix bugs and improve features.
- Customer support (legitimate interests / contract) — respond to your questions and requests.
- Comply with the law (legal obligation) — meet tax, accounting, and other regulatory requirements.
- Marketing (consent, where required) — send product updates only where you have opted in or where permitted by law.
4. Who we share your data with
- Service providers (subprocessors) — hosting, database, AI model, analytics, and customer support providers who process data on our behalf under written agreements.
- Paddle.com Market Limited (Merchant of Record) — our online reseller Paddle handles all orders, subscription management, payments, tax compliance, invoicing, refunds, and related customer service inquiries. Paddle processes your billing data as an independent controller. See Paddle's Privacy Notice.
- Professional advisers — legal, accounting, and compliance advisers where reasonably necessary.
- Authorities — where required by law, legal process, or to protect the rights, property, or safety of users or the public.
- Business transfers — in connection with a merger, acquisition, or sale of assets, with appropriate safeguards.
We do not sell your personal data and we do not share your check-ins, journal entries, or AI coach conversations with advertisers.
5. International transfers
Some of our service providers and Paddle may process your data outside your country of residence, including outside the UK and EEA. Where this happens we rely on appropriate safeguards such as Standard Contractual Clauses or applicable adequacy decisions.
6. How long we keep your data
We keep account and Service content for as long as your account is active. If you delete your account, we delete or anonymise your personal data within a reasonable period, except where we need to keep it to comply with legal obligations (for example, tax records relating to purchases made through Paddle), resolve disputes, or enforce our agreements.
7. Security
We use appropriate technical and organisational measures to protect your data, including encryption in transit, access controls, and authentication. No system is perfectly secure — please use a strong, unique password and keep your credentials confidential.
8. Your rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion of your data;
- restrict or object to certain processing;
- request data portability;
- withdraw consent where processing is based on consent;
- lodge a complaint with your local data protection authority.
To exercise these rights, contact us through the Service. We will respond within the time required by applicable law (one month under UK/EU GDPR).
9. Cookies
We use essential cookies and similar technologies to keep you signed in and to operate the Service. We may also use limited analytics cookies to understand how the Service is used. You can manage cookies through your browser settings; disabling essential cookies may break parts of the Service.
10. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Changes to this notice
We may update this Privacy Notice from time to time. The "Last updated" date at the top indicates when it was last changed. Material changes will be communicated through the Service.