Privacy Policy
How RegFin collects, uses, and protects your information. We handle regulated financial data — privacy isn’t a feature, it’s the foundation.
01 Introduction
RegFin Compliance (“RegFin,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our compliance platform, visit our website, or interact with our services. RegFin processes sensitive financial, regulatory, and personal data on behalf of registered investment advisors — privacy and data protection are foundational to our platform, not optional features.
For purposes of applicable data protection laws, RegFin acts as a data processor with respect to the compliance data, client records, and communications you store on the platform. Your organization is the data controller. We process this data only as necessary to provide the Services and as described in this Policy.
Because the platform handles nonpublic personal information (“NPI”) of your advisory clients, RegFin maintains safeguards consistent with the Gramm-Leach-Bliley Act (GLBA) and SEC Regulation S-P. Your organization remains responsible for providing required privacy notices to your own clients under these regulations.
02 Information We Collect
Information you provide directly
- Account Information: Name, email address, phone number, job title, role
- Company Information: Firm name, SEC/state registration details, AUM, office address
- Employee Records: Name, email, phone, title, department, hire date, termination date, home and branch addresses
- Billing Information: Payment card details and billing address (processed and stored by our PCI-compliant payment processor — we do not store full card numbers)
- Authentication Data: Password (stored as a one-way hash), two-factor authentication secrets (encrypted), backup codes (encrypted)
- Client Personal Information: Name, email, phone number, date of birth, Social Security Number, home address, spouse relationships
- Financial Accounts: Account numbers, account types, balances, custodian details, advisor assignments
- Transactions: Trade data including security, quantity, price, transaction type, and date
- Holdings: Current and historical security positions and balances
- Preclearance Requests: Security, quantity, transaction type, approval status, and reviewer identity
- Household Data: Household membership, relationship types, aggregated assets
- Email: Full email content including headers (from, to, CC, BCC), subject, body, and attachments. Raw email content is stored in immutable (WORM) storage
- Text Messages: SMS, iMessage, and MMS content including sender/recipient phone numbers, message body, timestamps, and attachments. Raw message files stored in WORM storage
- Social Media: Posts, messages, comments, reactions, and other content from connected social media platforms. Raw data stored in WORM storage
- Website Content: Snapshots of firm websites and blog content captured for regulatory archival
- Documents: Files uploaded to the platform, document text content, version history, and cryptographic file fingerprints
- Form ADV Data: Regulatory filing data including AUM, disciplinary history, business activities, and advisory personnel information
- Vendor Records: Vendor names, contacts, risk tiers, due diligence questionnaires, SOC 2 and compliance attestations
- Marketing Materials: Submitted marketing content, AI analysis results, reviewer approvals and comments
- Recordings & Transcriptions: Audio recordings of meetings (if uploaded), automated transcriptions, speaker identification data
- AI Conversations: Full text of conversations with the AI compliance assistant, including questions, AI responses, and any cited documents
Information collected automatically
- Usage Data: Pages visited, features used, time spent on platform, search queries
- Device Information: Browser type, operating system, device type, screen resolution
- Log Data: IP address, access times, referring URLs, request URLs, user agent strings
- Authentication Logs: Sign-in timestamps, sign-in IP addresses, sign-in count, failed login attempts
- Audit Trail: Every action taken on the platform is logged with the user identity, timestamp, IP address, user agent, and a record of changes made. This comprehensive audit trail is required for regulatory compliance and cannot be disabled
- Cookies: Session cookies and preference cookies (see Cookie Policy below)
- API Usage: API token usage, request timestamps, and source IP addresses
Information collected from third parties
- Email Providers: When you connect your organization’s email account, we receive email content and metadata via OAuth-authorized API access
- Financial Data Providers: When you connect bank or custodial accounts through our financial data aggregation partner, we receive account details, balances, and transaction history. Our partner’s own privacy policy governs their collection of your bank credentials
- Social Media Platforms: When you authorize social media archiving, we receive content from connected accounts via OAuth-authorized access
03 How We Use Your Information
We use the information we collect to:
- Provide the Services: Operate, maintain, and deliver compliance, archiving, trade monitoring, CRM, document management, vendor due diligence, and AI-assisted features
- Regulatory Compliance: Archive communications, generate audit trails, and maintain records as required by SEC Rules 17a-4 and 204-2, and applicable state regulations
- AI Processing: Process your data through artificial intelligence systems to provide compliance analysis, keyword scanning, document search, form drafting, and conversational assistance (see Section 4 for details)
- Trade Monitoring: Automatically check transactions against your firm’s compliance rules and flag potential violations
- Communication Scanning: Scan archived emails and text messages for compliance-relevant keywords and patterns
- Document Delivery: Deliver compliance documents to your clients and track acknowledgment
- Account Management: Process billing, send notices, updates, and support messages
- Security: Detect, investigate, and prevent unauthorized access, fraud, and abuse
- Improvement: Monitor usage trends and improve platform functionality and user experience
04 AI and Third-Party Data Processing
RegFin uses artificial intelligence to provide compliance analysis, conversational assistance, document embeddings, and content review. You should understand how your data flows through these systems:
- AI Providers: We use third-party AI language model providers to process text for chat responses, compliance analysis, marketing review screening, form generation, and document search (vector embeddings). When you interact with the AI copilot or when the platform performs automated analysis, relevant text is sent to our AI provider’s API for processing
- Data Sent to AI: This may include conversation messages, document text, email content (for compliance scanning), and form field data. We send the minimum context necessary for the specific task
- AI Data Retention: Under our enterprise agreements with AI providers, data sent via their APIs is not used to train, fine-tune, or improve their models. RegFin does not use Customer Data to train any machine learning or AI models, whether proprietary or third-party. Providers may retain API inputs and outputs for a limited period for abuse monitoring, after which they are deleted
- Vector Embeddings: Document text is converted to mathematical vector representations for search functionality. The text is sent to our AI provider to generate these embeddings, and the resulting vectors are stored in our database
- AI Token Tracking: We log every AI API call including the feature used, model, token count, and cost for billing and audit purposes
AI-generated outputs (compliance analysis, drafted text, search results) are tools to assist your compliance team — they do not constitute legal, regulatory, or professional advice.
05 Data Security
We implement technical and organizational measures appropriate for the sensitivity of the data we process:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted via TLS
- Encryption at Rest: Data is encrypted at rest using industry-standard encryption. Sensitive fields (OAuth tokens, two-factor authentication secrets, API access tokens) use application-level encryption in addition to storage-level encryption
- WORM Storage: Archived communications (email, text messages, social media) are stored in Write-Once-Read-Many (WORM) compliant storage, preventing modification or deletion of archived records
- Password Security: Passwords are stored as one-way cryptographic hashes. API tokens and calendar subscription tokens are stored as cryptographic digests
- Two-Factor Authentication: Available for all users, required for administrators. Supports time-based authenticator apps with encrypted backup codes
- Access Controls: Granular access controls with multiple permission levels. All access is scoped to the user’s organization
- Audit Logging: Every data access and modification is logged with user identity, timestamp, IP address, and change details
- Infrastructure: Hosted on secure cloud infrastructure with managed databases, network isolation, and automated backups
In the event of a data breach affecting your personal information, we will notify affected users and, where applicable, relevant regulatory authorities within 72 hours of becoming aware of the breach, or as otherwise required by applicable law. Notification will include the nature of the breach, the types of data affected, and the measures we are taking in response.
06 Data Retention
Retention periods vary by data type and are driven by regulatory requirements:
- Archived Communications: Retained for the period required by applicable securities regulations. Default retention is 10 years per SEC Rule 17a-4, configurable per firm. Archived records are stored in immutable (WORM) storage and cannot be modified or deleted during the retention period, even upon request
- Compliance Records: Form ADV data, trade monitoring results, marketing review evidence, and vendor due diligence records are retained for at least 5 years from creation or as required by regulation
- Audit Logs: Activity logs are retained indefinitely to satisfy regulatory examination requirements. These logs include user actions, IP addresses, and change histories
- Account Data: Retained for as long as your account is active. Upon termination, you have 30 days to export your data. After the export period, non-regulated data is deleted. Regulated records (archives, audit logs) are retained per applicable retention periods
- Billing Data: Transaction records are retained as required by tax and financial reporting obligations
You may request deletion of your personal data subject to our legal and regulatory obligations. Due to the nature of compliance archiving, certain records stored in WORM storage cannot be deleted before the applicable retention period expires. Upon completion of a deletion request, we will provide a written certification confirming the categories of data deleted and the date of deletion.
07 Information Sharing and Sub-Processors
We do not sell your personal information. We share your information only as described below:
Sub-processors
- Cloud Infrastructure Provider: Hosting, database services, and WORM-compliant file storage (US data centers)
- AI Language Model Providers: API-based AI services for compliance analysis, chat, embeddings, and content review
- Payment Processor: PCI-compliant payment processing (we do not store full payment card numbers)
- Financial Data Provider: Account linking and data aggregation (when enabled by your firm)
- Email Service Providers: Email synchronization via OAuth (when connected by your firm)
- Internal Operations Tools: Project management and error tracking services used to maintain and improve the platform (limited to technical metadata and support context)
We will provide at least 30 days’ advance notice before engaging a new sub-processor that will process Customer Data. If you object to a new sub-processor, you may terminate your subscription in accordance with the Terms of Service.
Other disclosures
- Professional Advisors: Lawyers, accountants, and auditors retained by RegFin, bound by confidentiality obligations
- Legal Requirements: When required by law, regulation, subpoena, court order, or other legal process. We will notify you of such requests where legally permitted
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy
- Your Clients: When you use the Client Document Delivery feature, your clients receive access to documents you share. We track their access (IP address, user agent, timestamps) for your delivery audit trail
- Your Vendors: When you send vendor due diligence questionnaires, vendor contacts receive access. We track their access for your governance audit trail
08 Your Rights
Depending on your location, you may have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information, subject to regulatory retention requirements. Records stored in WORM storage for regulatory compliance cannot be deleted before the applicable retention period expires
- Portability: Export your data in standard formats (CSV, PDF, JSON) via the platform’s export features or upon written request
- Opt-Out: Opt out of marketing communications at any time via the unsubscribe link in our emails or by contacting us
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Restriction: Request that we restrict processing of your data in certain circumstances
To exercise these rights, contact us at [email protected]. We will respond within 30 days (or 45 days for CCPA requests, with notice of extension if needed). We may verify your identity before processing requests.
09 California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights:
Categories of personal information collected
- Identifiers: Name, email address, phone number, IP address, account name, Social Security Number (for advisory clients)
- Financial Information: Bank account details (via financial data partner), investment account data, transaction history, billing information
- Commercial Information: Records of services purchased, subscription details
- Internet Activity: Browsing history on our platform, search queries, interaction data
- Professional Information: Job title, employer, department, employment history
- Geolocation Data: Approximate location derived from IP address
- Audio Data: Meeting recordings (if uploaded by your organization)
- Inferences: Compliance risk assessments derived from the data above
Your CCPA rights
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you
- Right to Delete: You may request deletion of your personal information, subject to exceptions including regulatory retention obligations
- Right to Correct: You may request correction of inaccurate personal information we hold about you
- Right to Limit Use of Sensitive Personal Information: Where we process sensitive personal information (such as Social Security Numbers or financial account details), you may request that we limit our use to what is necessary to provide the Services
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Right to Opt-Out of Sale: We do not sell personal information. We do not share personal information for cross-context behavioral advertising
To submit a CCPA/CPRA request, contact us at [email protected] or write to our address below. We will verify your identity and respond within 45 days. If we require additional time, we will notify you in writing and may extend the response period by up to an additional 45 days. You may designate an authorized agent to make a request on your behalf.
10 Cookie Policy
RegFin Application (app.regfin.com)
- Essential Cookies: Required for platform functionality, authentication, and session management. These cannot be disabled
- Preference Cookies: Remember your settings such as theme preference (light/dark mode)
- Two-Factor Authentication: A “remember this device” cookie allows you to skip two-factor verification for a limited period on trusted devices
The RegFin application does not use third-party advertising or tracking cookies.
Marketing Website (regfin.com)
Our marketing website uses cookies to understand how visitors find us and to measure advertising effectiveness. We ask for your consent before setting any non-essential cookies.
- Necessary: Cookie consent preference storage. Always active
- Analytics: Google Analytics 4 (GA4) measures page views, scroll depth, and form interactions to help us improve the site. Data is anonymized and not used for cross-site tracking
- Marketing: Advertising platform pixels (Google Ads, Meta, LinkedIn) track conversions from our paid campaigns and enable retargeting. These cookies are only set if you consent to the “Marketing” category
Third Parties Receiving Data
- Google LLC — Analytics (GA4) and advertising (Google Ads conversion tracking)
- Meta Platforms, Inc. — Meta Pixel for campaign attribution
- LinkedIn Corporation — Insight Tag for B2B campaign measurement
- Cloudflare, Inc. — Zaraz tag management (edge-side, no client-side scripts)
Managing Your Preferences
When you first visit our marketing site, a consent banner lets you accept all cookies, accept analytics only, or reject all optional cookies. You can change your preference at any time by clearing the rf_consent cookie from your browser, which will cause the banner to reappear on your next visit. You can also control cookies through your browser settings, but disabling essential cookies may prevent platform functionality.
Data Retention
Analytics data is retained for 14 months in Google Analytics. Advertising platform data follows each platform’s standard retention policies. You can request deletion of your data from these services by contacting us at [email protected].
11 Children’s Privacy
RegFin is a business-to-business compliance platform and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have inadvertently collected personal information from a child under 18, we will delete it promptly. If you believe we have collected information from a child, please contact us at [email protected].
12 International Data Transfers
RegFin is based in the United States and our infrastructure is hosted in US data centers. If you access our Services from outside the United States, your data will be transferred to and processed in the United States. By using the Services, you consent to this transfer. We implement appropriate safeguards for any international data transfers as required by applicable law.
13 Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the “Last updated” date, and sending a notice to the email address associated with your account. Your continued use of the Services after the effective date of a revised policy constitutes acceptance of the changes.
14 Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise your data rights, please contact us.
RegFin Compliance
1905 N Sherman St, Ste 200 #2297
Denver, CO 80203