Privacy Policy

Regen Studio B.V. (KVK 90337948) is the data controller responsible for personal data of EU/EEA data subjects as described in this policy. For Brazilian data subjects, the controller is Regen Studio Consultoria LTDA (CNPJ 57.579.114/0001-55), a separate legal entity. Regen Studio is a design and innovation studio with activities in Berg en Dal, The Netherlands and São Paulo, Brazil.

This privacy policy applies to the websites at regenstudio.world and demos.regenstudio.world, and to all services offered through these domains.

Contact: info@regenstudio.world

This contact serves as the designated point of contact for data protection matters under both GDPR and LGPD (encarregado, Art. 41 LGPD).

We only collect personal data when you actively provide it, or when strictly necessary to deliver a service you requested.

Contact forms and newsletter subscriptions (regenstudio.world)

• Your name and email address
• Your message (if provided)
• The page URL you submitted from

Purpose: to respond to your inquiry, send newsletters, and notify our team. Legal basis: legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 10) and consent (GDPR Art. 6(1)(a) / LGPD Art. 7(I)).

To prevent abuse, contact form submissions are rate-limited. A one-way hash of your IP address (combined with the current date) is temporarily stored for up to 24 hours to count submissions per time window. The raw IP is never stored. Legal basis: legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 10).

Our forms also use client-side anti-spam measures, including a hidden field to detect automated submissions, a minimum time threshold, a visual challenge, and a computational proof-of-work check. These measures generate technical metadata (timestamps, challenge results) that is sent alongside your form submission and used solely to distinguish genuine visitors from bots. This data is not linked to your identity and is not retained beyond the submission request. No personal data is collected by these measures.

Demo access requests and magic links (demos.regenstudio.world)

• Your email address
• A cryptographic hash of the access token (the raw token is never stored server-side)

Purpose: to verify your identity and grant demo access. Legal basis: performance of a contract (GDPR Art. 6(1)(b) / LGPD Art. 7(V)).

Report purchases (demos.regenstudio.world/cpr-dpp-tracker)

• Your email address
• Selected report type and product family
• Discount code (if used)
• Billing details: company name, VAT ID, address (if provided for invoicing)

Purpose: to process your order, generate your report, issue an invoice, and provide download access. When accessing a report or invoice, you must verify your email address to prevent unintended data disclosure through URL sharing. Legal basis: performance of a contract (GDPR Art. 6(1)(b) / LGPD Art. 7(V)).

• We do not set any cookies on any of our websites
• We do not use tracking pixels, fingerprinting, or advertising scripts
• We do not share data with advertisers, data brokers, or social media platforms
• We do not use your data for profiling or automated decision-making
• We do not use your data for marketing unless you explicitly opt in (e.g., newsletter)

On both our sites, all fonts, scripts, and stylesheets are self-hosted — zero third-party asset requests are made when you browse the page.

A small number of blog posts contain embedded videos (Vimeo) or audio players (SoundCloud). These embeds are not loaded automatically. Instead, you will see an informed consent overlay explaining exactly what data will be shared with the third party (IP address, browser type, operating system, page URL). The embed only loads after you explicitly click “I understand.”

Once you consent and the embed loads, the third party’s own privacy policy applies to the data they receive. We do not control their processing.

On both our websites, we collect analytics data to understand which pages are visited, how visitors navigate between pages, and how they engage with content. This system is designed from the ground up to be privacy-preserving:

Because we set no cookies, store no raw IP addresses, and use a daily-rotating salt that prevents cross-day tracking, this analytics system does not require consent under the ePrivacy Directive (Art. 5(3)) or the Dutch Telecommunicatiewet (Art. 11.7a(3)). The legal basis for this processing is legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 10): understanding aggregate website usage to improve our content and services. This architecture mirrors the approach recognized by the French CNIL as exempt from cookie consent requirements.

We use your browser’s localStorage in the following cases:

• Demo access tokens — when you access a demo using a magic link or password, we store a session token containing only the demo identifier and an expiry timestamp. This keeps you logged in so you don’t have to re-authenticate on each page load.
• Content unlock tokens — when you provide your email to access gated content (e.g., product family details), we store a timestamp recording when you unlocked access.
• Pre-publication review tool — when you are invited to comment on a draft article via a private review link, the name (or alias) and optional email or role you enter, your comments, and your consent timestamp are stored in your own browser’s localStorage only. This is never transmitted to our servers automatically — it stays on your device until you choose to email the exported report to us.

In the first two cases, the stored value contains no personal data (no email, no name). All tokens are programmatically enforced to expire after 24 hours: the code checks the stored timestamp against the current time and removes expired tokens automatically.

The pre-publication review-tool data is personal data and stays solely in your browser. It reaches us only if you actively email the exported report. If you do, we then process that feedback — including any real name you entered — in AI-assisted editorial workflows (via Anthropic Claude, our disclosed AI sub-processor) to improve the draft, under the explicit consent you give in the tool. Entering a real name only exposes that name to this AI-assisted editorial workflow; it is not used to credit, attribute or publicly mention you. Enter an alias and omit the email to stay anonymous.

We also use sessionStorage (tab-scoped, automatically cleared when you close the tab) to store the previous page path within the same browsing session. This is used solely to understand internal navigation patterns in aggregate analytics. No personal data is stored.

This storage is strictly necessary to provide the service you requested and is exempt from consent under ePrivacy Directive Art. 5(3).

We use the following third-party services. Each is contractually bound to protect your data in accordance with applicable data protection laws.

Each sub-processor's role maps to one or more of the three scenarios above. Supabase EU and the static stack apply to scenarios 1, 2, and 3. Lettermint, Proton Mail, and (when relevant) Mollie + Exact Online apply to scenarios 2 and 3. Anthropic applies only to scenario 3 — explicit AI-processing consent.

Interactive demos — external public data endpoints: When you use our Spatial Pipeline demo (/spatial-pipeline/), your browser makes direct read-only fetches to public Dutch open-data APIs: Luchtmeetnet (RIVM, NL — live air-quality data, CC0 licence), ruimtelijkeplannen.nl (Geonovum/IPLO, NL — IMRO bestemmingsplannen), and 3DBAG (TU Delft 3D Geoinformation Group — 3D building data, CC-BY 4.0). These are public APIs with no authentication; no personal data is sent. Verifiable in your browser's DevTools Network panel. These are not sub-processors in the GDPR sense (they don't process personal data on our behalf) but are disclosed here for full transparency about outbound network calls.

Your personal data (form submissions, orders) is stored in the EU (Frankfurt, Germany) via Supabase. Payments are processed by Mollie in The Netherlands. Invoices are managed through Exact Online (The Netherlands). Email is handled by Proton Mail (Switzerland, which has an EU adequacy decision).

The static websites are hosted on GitHub Pages (United States). GitHub serves only static files and does not process personal data on our behalf; however, standard HTTP server logs (including IP addresses) may be temporarily retained by GitHub in accordance with their privacy statement.

Supabase Inc. is incorporated in the United States; however, all Regen Studio project data is hosted in the EU (Frankfurt, Germany). Supabase is covered by the EU–US Data Privacy Framework.

Transfers to the United States (Anthropic, GitHub, Supabase Inc.): covered by the EU–US Data Privacy Framework where the entity is certified, supplemented by Standard Contractual Clauses (2024 revised version, Module 2 controller–processor) for processor relationships. For Anthropic specifically, the SCCs are incorporated in the Anthropic Commercial Terms accepted by Regen Studio; a Transfer Impact Assessment is on file at our internal runbooks register.

Transfers between the European Union and Brazil: covered by mutual adequacy as of 26 January 2026 — the Brazilian ANPD recognised the EU as adequate (Resolução CD/ANPD 32/2026), and the European Commission published a reciprocal adequacy decision for Brazil on 27 January 2026. Data flows EU ↔ BR no longer require Standard Contractual Clauses or additional safeguards.

Transfers from Brazil more generally: handled per LGPD Art. 33 (and ANPD Resolução 19/2024 for non-adequate destinations) with documented safeguards.

• To respond to your inquiry or access request
• To send you confirmation emails or magic links
• To process report purchases and deliver the report
• To generate and send invoices
• To send newsletters (only with your explicit consent)
• To notify our team of submissions and orders
• To understand aggregate website usage (privacy-preserving analytics, both sites)

We do not use your data for marketing (beyond opted-in newsletters), profiling, or automated decision-making.

We do not sell, rent, or share your personal data with any third parties beyond the sub-processors listed above. Below is a breakdown of exactly what each party can access:

• Regen Studio team — full access to all data stored in our systems (contact submissions, orders, newsletter lists, analytics dashboards).
• Supabase — hosts all personal data server-side: contact form entries (name, email, message), report orders (email, billing address, VAT ID, invoice records), newsletter subscriber lists, magic link tokens, and analytics hashes.
• Lettermint — receives email addresses and message content for every transactional email we send: contact form confirmations, magic links, purchase receipts, invoice PDFs, download links, and newsletter editions.
• Mollie — receives only payment amounts, an internal order ID, and a redirect URL. Buyer personal details (name, address, VAT ID) are not sent to Mollie and remain in our database.
• Proton Mail — our team mailbox. Internal notification emails (containing contact form submissions, order alerts, and magic link requests) are delivered here by Lettermint. Your replies to us are also stored in this inbox.
• Blended Business (our accountant, The Hague) — receives invoice data (name, company name, VAT ID, amounts) via Exact Online for bookkeeping and tax filing purposes.
• GitHub Pages — serves only static files (HTML, CSS, JS, fonts). No personal data is transmitted to GitHub by our code; however, GitHub may temporarily log IP addresses in standard server logs per their own privacy statement.

• Contact form submissions: automatically deleted after 90 days. You may request earlier deletion at any time.
• Newsletter subscribers: retained until you unsubscribe. Unsubscribed records are automatically deleted after 30 days (GDPR right to erasure). You may request full deletion at any time.
• Email event logs: raw webhook payloads from our email delivery service are automatically deleted after 90 days.
• Magic link tokens: hashed tokens expire after 15 minutes and can no longer be used for authentication. Used and expired links are automatically deleted after 7 days.
• Report orders and invoices: retained for at least 7 years as required by Dutch tax law (Algemene wet inzake rijksbelastingen, Art. 52).
• Analytics raw events and visitor hashes: automatically deleted after 48 hours. Only aggregate counters (with no visitor-level detail) persist long-term. The hashing salt is rotated daily via automated scheduled function, making cross-day visitor identification impossible.
• Browser localStorage tokens: expire automatically after 24 hours, enforced programmatically.

Depending on where you are located, you have specific rights regarding your personal data.

For visitors from other jurisdictions, we extend the same rights listed above as a matter of good practice, regardless of whether local law requires it.

To exercise any of your rights, contact us at info@regenstudio.world. We will acknowledge your request within 5 business days and respond substantively within 15 days for LGPD requests (Art. 18 §5) or within one month for GDPR requests (Art. 12(3)).

If you request deletion, we will erase all personal data we hold about you, except where retention is required by law (e.g., invoice records under Dutch tax law).

Our services are directed at businesses and professionals.

• Under GDPR (EU/EEA visitors): we do not knowingly collect personal data from children under 16. The Dutch UAVG sets the digital-consent age at 16.
• Under LGPD (Brazilian visitors): data of children under 12 requires specific, prominent parental or guardian consent (LGPD Art. 14). We do not knowingly collect children's data.

If you believe we have inadvertently collected data from a child, please contact us at info@regenstudio.world and we will delete it promptly.

We use AI-assisted tools — primarily Claude by Anthropic — in the development of this website, content creation, internal research, and (where you've explicitly opted in) in responding to your inquiries.

Your data only enters an AI pipeline if you tick the AI-processing consent box on the form you submit. This is the architectural gate described in Three scenarios at a glance:

• Default state on every form is unticked. We respond manually if you leave it unticked.
• Ticking the box authorises us to process your submission via Anthropic Claude as our AI sub-processor (see Sub-processors for the full disclosure).
• You can withdraw this AI-processing consent at any time via a self-service magic link tied to the email you submitted. Upon withdrawal, all of your stored data is securely deleted within 72 hours. Where your data has been encrypted at rest with a per-subject key (in our consent registry tables), we crypto-shred the key — rendering all stored copies cryptographically unrecoverable. Where data is held in plaintext (contact submissions, newsletter list), we hard-delete the records and propagate the deletion to backups within the same window. Audit log entries reference your subject identifier (a UUID derived from your email hash — no plaintext) and persist for accountability under GDPR Art 5(2) / LGPD Art 6(X).
• Anthropic itself retains conversation history for approximately 7 days on its side (their standard default since September 2025). We disclose this so that "deleted on our side" does not mislead about Anthropic-side retention. You may request earlier deletion from Anthropic via their privacy controls.

AI-generated or AI-assisted content published on this website is reviewed by our team for accuracy before publication. Your data never enters AI training pipelines. Anthropic's API does not train on customer data by default and we do not opt in.

For special-category data (health, religion, political opinion, ethnic origin, sexual orientation, trade-union membership, biometric or genetic data, criminal records — GDPR Art. 9 / LGPD Art. 11), explicit additional consent is required and must be ticked separately. Without it, special-category data is excluded from AI processing regardless of the general AI-processing consent.

For the most current regulatory information published on our blog, we always recommend consulting official EU sources such as the Official Journal of the European Union.

Ticking the “newsletter” checkbox on any of our forms is your explicit marketing consent under GDPR Art. 6(1)(a) / LGPD Art. 7(I). We use your email address and name to send our newsletter (typical cadence: 6–12 issues per year) and occasional service updates aligned with your stated interests.

We do not share your email with third-party marketing networks, advertising platforms, or list brokers. We do not sell, rent, or trade marketing data.

• Sub-processor: Lettermint (Netherlands) for email delivery.
• Retention: until you unsubscribe + 30 days, then your record is automatically deleted (GDPR Art. 17 propagation window).
• Withdrawal: instant, via the unsubscribe link in any newsletter, or via the manage-consent self-service page (link also included in every transactional email).

Marketing consent is separate from your AI-processing consent (above) and from any contract-based processing (responding to your inquiry). You can hold any combination — e.g. opt-in to marketing without enabling AI processing of your data, or vice versa.

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated date. If we make material changes that affect how we handle your personal data, we will notify existing newsletter subscribers by email.