Privacy Policy

1. Introduction

Regris ("Regris," "we," "us," or "our") is a corporation organized under the laws of the State of Delaware, operating under the legal name Regris, Inc. Regris operates the water utility compliance platform available at getregris.com. Regris guides America's water utilities through federal compliance obligations — including risk and resilience assessments, emergency response planning, data security assessments, and ongoing gap analysis and compliance tracking — delivering documentation that is report-ready and completable in a single session. This Privacy Policy describes how we collect, use, store, and protect information when you use our platform and is incorporated into and subject to Regris's Terms of Service. By accessing or using Regris, you agree to the practices described in this Policy.

Regris is designed to assist water utilities and community water systems in meeting their federal compliance obligations. This includes, but is not limited to, Risk and Resilience Assessments (RRAs) and Emergency Response Plans (ERPs) under America's Water Infrastructure Act (AWIA) Section 1433, data security assessments, and a utility's own internal compliance tracking and gap analysis. Some information processed through the platform may constitute sensitive operational data — including data governed by AWIA §1433(a)(5) — and we treat all such data accordingly.

2. Information We Collect

We collect the following categories of information:

• a. Account Registration Data. When you create an account, we collect your name, email address, job title, water system name, and system size (population served).
• b. Compliance Assessment Data. Information you enter during any water agency compliance assessment or tracking process — including descriptions of physical infrastructure, security vulnerabilities, operational procedures, emergency contacts, and gap analysis inputs — may constitute sensitive operational data. Where applicable, this includes data governed by AWIA §1433(a)(5) and analogous provisions under other federal or state compliance frameworks. This data is used solely to generate your compliance documentation and is not shared with third parties except as described in Section 5.
• c. Payment Information. Payment processing enabled in the Regris platform is provided by a third-party payment processor, Stripe, Inc. ("Stripe"). By using the site or services, you affirmatively agree to be bound by the following flow-down terms of Stripe: (a) Stripe Connect Platform Agreement at https://stripe.com/legal/ssa and https://stripe.com/legal/connect; and (b) Stripe Services Agreement at https://stripe.com/ssa (collectively, "Stripe Terms"). Further, as a condition to obtaining the payment processing services through Stripe, you hereby authorize Regris to share with Stripe, and authorize Stripe to collect, use, retain, and disclose: (x) your transaction and payment processing activity information; and (y) related customer or water agency data reasonably necessary to enable the payment processing services. Stripe's handling and processing of any Personal Data will be subject to Stripe's privacy policy at https://stripe.com/privacy. Regris does not collect, store, or have access to your payment card information.
• d. Usage and Analytics Data. We use Vercel Analytics to collect basic, anonymized usage data (e.g., page views and traffic patterns). We do not use Google Analytics or persistent third-party advertising cookies.
• e. Feedback Data. If you voluntarily submit feedback, ratings, or comments regarding the Regris platform, we may collect and retain that information for internal purposes only. Feedback submissions should not include sensitive operational data, including any information governed by AWIA §1433(a)(5) or any other federal compliance framework. Any such data inadvertently included in a feedback submission will be treated in accordance with Section 2(b) above.

3. How We Use Your Information

We use the information we collect to:

• Create and maintain your Regris account;
• Generate your RRA report, ERP documentation, gap analysis, remediation roadmap, and certification-support package;
• Process payments through Stripe;
• Communicate with you regarding your account, purchased services, regulatory deadline reminders, and customer support;
• Improve the Regris platform;
• Use voluntarily submitted feedback solely for internal product improvement, platform development, and customer support purposes; and
• Comply with applicable legal obligations.

4. AI-Powered Processing — Anthropic Claude API

The Regris platform uses the Anthropic Claude API to assist in generating compliance documentation. Information you submit during an assessment may be processed by Anthropic's API in order to produce your report. We do not use your compliance data to train AI models. Pursuant to Anthropic's API usage policies, Anthropic does not use data submitted through its API to train its models without the consent of the API operator. Anthropic's data handling practices for API users are governed by Anthropic's usage policies and privacy policy, available at anthropic.com/legal.

5. How We Share Your Information

We do not sell your personal information. We may share information in the following limited circumstances:

• Service Providers: We share data with Stripe (payment processing), Supabase (data storage and infrastructure), Vercel (hosting and analytics), and Anthropic (AI report generation), each acting as a service provider under contract with Regris.
• Legal Compliance: We may disclose information if required by law, regulation, court order, or lawful government request.
• Business Transfer: In the event of a merger, acquisition, or sale of substantially all assets, your information may be transferred as part of that transaction, subject to written notice to you.

We do not share your AWIA §1433(a)(5) sensitive operational data with any unauthorized party, and we do not make such data available to other users or the general public.

6. Data Storage and Security

Your data is stored on Supabase (PostgreSQL), hosted on Amazon Web Services (AWS) in the us-east-1 region. We implement the following security measures:

• Row-level, server-side access controls via Supabase;
• Transport Layer Security (TLS) encryption for all data in transit; and
• Stripe's PCI-compliant infrastructure for all payment data.

Important Notice: Regris has not obtained formal NIST, SOC 2, or equivalent third-party security certification at this time. While we implement reasonable technical safeguards, users should evaluate whether our current security posture meets the requirements of their own organizational policies and applicable regulations, including any cybersecurity obligations under AWIA §1433(b).

7. Data Retention

We retain your account and compliance data for as long as your account is active or as necessary to provide services. You may request deletion of your account and associated data by contacting us at customerservice@getregris.com. We will respond to deletion requests within 30 days. Note that certain records may be retained for a longer period where required by law or legitimate business purposes.

8. Your Rights and Choices

You may contact us to:

• Access the personal information we hold about you;
• Correct inaccurate or incomplete information;
• Request deletion of your account data; or
• Opt out of non-transactional communications.

Depending on your state of residence, you may have additional rights under applicable state privacy laws. Regris operates in multiple states and will honor applicable rights requests in accordance with governing law.

9. Data Breach Notification

In the event of a security breach affecting your personal information, Regris will notify affected users in accordance with applicable state and federal breach notification laws. Where required by law, we will provide notice within the timeframe mandated by the applicable jurisdiction — and in no event later than sixty (60) days following discovery of the breach — by email to the address associated with your account or by prominent notice on getregris.com. The notice will describe the nature of the breach, the categories of information affected, and the steps we are taking to address it.

10. Commercial Use; Children's Privacy

The Regris platform and tools are intended for commercial use by utility professionals and government officials. We do not knowingly collect personal information from individuals under the age of 18. If you are using the platform or tools for personal use or if you are under the age of 18, please discontinue use of the platform or tools immediately.

11. Third-Party Links

Our platform may contain links to EPA resources and other third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or by posting a notice on getregris.com. The "Last Updated" date at the top of this Policy indicates when the most recent revision was made.

13. Governing Law

This Privacy Policy is governed by the laws of the State of Alabama, without regard to its conflict-of-law provisions.

14. Contact Us

Questions or requests regarding this Privacy Policy should be directed to:

Regris, Inc.
251 Little Falls Drive
Wilmington, Delaware 19808

customerservice@getregris.com
getregris.com