Privacy Policy

Regen Studio B.V. is the data controller responsible for your personal data as described in this policy. Regen Studio is a design and innovation studio registered in The Netherlands (KVK 90337948), with activities in The Hague, The Netherlands and São Paulo, Brazil (CNPJ 57.579.114/0001-55).

This privacy policy applies to the websites at regenstudio.world and demos.regenstudio.world, and to all services offered through these domains.

Contact: info@regenstudio.world

We only collect personal data when you actively provide it, or when strictly necessary to deliver a service you requested.

Contact forms and newsletter subscriptions (regenstudio.world)

• Your name, email address, and organisation (if provided)
• Your message (if provided)
• The page URL you submitted from

Purpose: to respond to your inquiry, send newsletters, and notify our team. Legal basis: legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7(IX)) and consent (GDPR Art. 6(1)(a) / LGPD Art. 7(I)).

Demo access requests and magic links (demos.regenstudio.world)

• Your email address
• A cryptographic hash of the access token (the raw token is never stored server-side)

Purpose: to verify your identity and grant demo access. Legal basis: performance of a contract (GDPR Art. 6(1)(b) / LGPD Art. 7(V)).

Report purchases (demos.regenstudio.world/cpr-dpp-tracker)

• Your email address
• Selected report type and product family
• Discount code (if used)
• Billing details: company name, VAT ID, address (if provided for invoicing)

Purpose: to process your order, generate your report, issue an invoice, and provide download access. When accessing a report or invoice, you must verify your email address to prevent unintended data disclosure through URL sharing. Legal basis: performance of a contract (GDPR Art. 6(1)(b) / LGPD Art. 7(V)).

• We do not set any cookies on any of our websites
• We do not use tracking pixels, fingerprinting, or advertising scripts
• We do not share data with advertisers, data brokers, or social media platforms
• We do not use your data for profiling or automated decision-making
• We do not use your data for marketing unless you explicitly opt in (e.g., newsletter)

On both our sites, all fonts, scripts, and stylesheets are self-hosted — zero third-party asset requests are made when you browse the page.

A small number of blog posts contain embedded videos (Vimeo) or audio players (SoundCloud). These embeds are not loaded automatically. Instead, you will see an informed consent overlay explaining exactly what data will be shared with the third party (IP address, browser type, operating system, page URL). The embed only loads after you explicitly click “I understand.”

Once you consent and the embed loads, the third party’s own privacy policy applies to the data they receive. We do not control their processing.

On both our websites, we collect aggregate page view statistics to understand which pages are visited. This system is designed from the ground up to be privacy-preserving:

Because we set no cookies and store no personal data, this analytics system does not require consent under the ePrivacy Directive (Art. 5(3)) or the Dutch Telecommunicatiewet (Art. 11.7a(3)). This architecture mirrors the approach recognized by the French CNIL as exempt from consent requirements.

We use your browser’s localStorage in two cases:

• Demo access tokens — when you access a demo using a magic link or password, we store a session token containing only the demo identifier and an expiry timestamp. This keeps you logged in so you don’t have to re-authenticate on each page load.
• Content unlock tokens — when you provide your email to access gated content (e.g., product family details), we store a timestamp recording when you unlocked access.

In both cases, the stored value contains no personal data (no email, no name). All tokens are programmatically enforced to expire after 24 hours: the code checks the stored timestamp against the current time and removes expired tokens automatically.

We also use sessionStorage (tab-scoped, automatically cleared when you close the tab) to store the previous page path within the same browsing session. This is used solely to understand internal navigation patterns in aggregate analytics. No personal data is stored.

This storage is strictly necessary to provide the service you requested and is exempt from consent under ePrivacy Directive Art. 5(3).

We use the following third-party services. Each is contractually bound to protect your data in accordance with applicable data protection laws.

Your personal data (form submissions, orders) is stored in the EU (Frankfurt, Germany) via Supabase. Payments are processed by Mollie in The Netherlands. Invoices are managed through Exact Online (The Netherlands). Email is handled by Proton Mail (Switzerland, which has an EU adequacy decision).

The static websites are hosted on GitHub Pages (United States). GitHub serves only static files and does not process personal data on our behalf; however, standard HTTP server logs (including IP addresses) may be temporarily retained by GitHub in accordance with their privacy statement.

For transfers to the United States, we rely on the EU–US Data Privacy Framework where applicable, supplemented by Standard Contractual Clauses (SCCs). For transfers from Brazil, these are covered by LGPD Art. 33 with adequate safeguards.

• To respond to your inquiry or access request
• To send you confirmation emails or magic links
• To process report purchases and deliver the report
• To generate and send invoices
• To send newsletters (only with your explicit consent)
• To notify our team of submissions and orders
• To understand aggregate website usage (privacy-preserving analytics, demos site only)

We do not use your data for marketing (beyond opted-in newsletters), profiling, or automated decision-making.

We do not sell, rent, or share your personal data with any third parties beyond the sub-processors listed above. Below is a breakdown of exactly what each party can access:

• Regen Studio team — full access to all data stored in our systems (contact submissions, orders, newsletter lists, analytics dashboards).
• Supabase — hosts all personal data server-side: contact form entries (name, email, organisation, message), report orders (email, billing address, VAT ID, invoice records), newsletter subscriber lists, magic link tokens, and analytics hashes.
• Lettermint — receives email addresses and message content for every transactional email we send: contact form confirmations, magic links, purchase receipts, invoice PDFs, download links, and newsletter editions.
• Mollie — receives only payment amounts, an internal order ID, and a redirect URL. Buyer personal details (name, address, VAT ID) are not sent to Mollie and remain in our database.
• Proton Mail — our team mailbox. Internal notification emails (containing contact form submissions, order alerts, and magic link requests) are delivered here by Lettermint. Your replies to us are also stored in this inbox.
• Blended Business (our accountant, The Hague) — receives invoice data (name, company name, VAT ID, amounts) via Exact Online for bookkeeping and tax filing purposes.
• GitHub Pages — serves only static files (HTML, CSS, JS, fonts). No personal data is transmitted to GitHub by our code; however, GitHub may temporarily log IP addresses in standard server logs per their own privacy statement.

• Contact form submissions: automatically deleted after 90 days. You may request earlier deletion at any time.
• Newsletter subscribers: retained until you unsubscribe. Unsubscribed records are automatically deleted after 30 days (GDPR right to erasure). You may request full deletion at any time.
• Email event logs: raw webhook payloads from our email delivery service are automatically deleted after 90 days.
• Magic link tokens: hashed tokens expire after 15 minutes and can no longer be used for authentication. Used and expired links are automatically deleted after 7 days.
• Report orders and invoices: retained for at least 7 years as required by Dutch tax law (Algemene wet inzake rijksbelastingen, Art. 52).
• Analytics visitor hashes: deleted within 24 hours. Only aggregate counters persist. The hashing salt is rotated daily via automated scheduled function.
• Browser localStorage tokens: expire automatically after 24 hours, enforced programmatically.

Depending on where you are located, you have specific rights regarding your personal data.

For visitors from other jurisdictions, we extend the same rights listed above as a matter of good practice, regardless of whether local law requires it.

To exercise any of your rights, contact us at info@regenstudio.world. We will acknowledge your request within 5 business days and respond substantively within 15 days (in compliance with LGPD Art. 18 §5).

If you request deletion, we will erase all personal data we hold about you, except where retention is required by law (e.g., invoice records under Dutch tax law).

Our services are directed at businesses and professionals. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

In the spirit of transparency, we disclose that AI-assisted tools (including Claude by Anthropic) are used in the development of this website and in the creation and editing of content. All AI-generated or AI-assisted content is reviewed by our team for accuracy before publication.

No personal data you provide through our forms or services is shared with AI tools. AI assistance is limited to website development, content writing, and internal research. Your data never enters AI training pipelines.

For the most current regulatory information published on our blog, we always recommend consulting official EU sources such as the Official Journal of the European Union.

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated date. If we make material changes that affect how we handle your personal data, we will notify existing newsletter subscribers by email.