Privacy Policy

Effective date: May 23, 2026

RegSP Dash (“we,” “our,” or “us”) operates regspdash.com and the RegSP Dash web application. This Privacy Policy explains what information we collect through our website and platform administration, how we use it, and your rights. RegSP Dash is a business-to-business service for registered investment advisory firms and their authorized personnel.

This policy covers account registration data, website usage data, and payment records. Compliance data submitted by your firm through the assessment (such as assessment responses and generated documentation) is processed under our service agreement and, where required, under a separate Data Processing Agreement.

1. Information We Collect

Firm and account information. When you register or complete onboarding, we collect your firm name, CRD number, assets under management, Chief Compliance Officer name, and a contact email address.

Assessment responses. We collect your answers to the 27-question Reg S-P self-assessment to generate your gap analysis and compliance documentation.

Payment information. Payments are processed by Stripe, Inc. We do not receive or store your credit card number or CVV. We receive only a payment confirmation and the last four digits of the card used for billing reference.

Usage and technical data. We automatically collect information about how you use the service, including pages visited, session duration, browser type, and IP address, to operate and improve the service.

Communications. If you contact us by email, we retain your message to respond to your inquiry.

2. How We Use Your Information

  • To provide the service: generate your gap analysis, produce the PDF documentation package, and make templates available.
  • To operate your account: authenticate you, manage your subscription, and process payments through Stripe.
  • To communicate with you: send transactional emails such as account confirmations, payment receipts, and deadline reminders you have opted into.
  • To improve the service: analyze aggregate, de-identified usage patterns.
  • To comply with legal obligations: retain records as required by law and respond to lawful government requests.

We do not use your assessment data or CRD information to train machine learning models or to market our services to third parties.

3. How We Share Your Information

We do not sell your personal information.

We share information only in the following limited circumstances:

  • Infrastructure and hosting. We use cloud hosting and database infrastructure providers. These vendors process data only on our behalf under contractual data protection obligations.
  • Payment processing. Stripe, Inc. processes all payments. Stripe's privacy policy governs its handling of your payment data.
  • Email delivery. We use a transactional email provider to deliver account and notification emails.
  • Legal requirements. We may disclose information when required by law, court order, or government authority. Where permitted by law, we will provide advance notice before making such a disclosure.
  • Business transfers. If RegSP Dash is acquired or its assets transferred, user information may be part of the transaction. We will notify affected users before their data becomes subject to a materially different privacy policy.

4. Data Security and Breach Notification

We implement reasonable technical measures to protect your information: all data is transmitted over encrypted HTTPS connections using TLS; data at rest is encrypted by our hosting infrastructure; and access to production systems is restricted to authorized personnel.

In the event we discover unauthorized access to your firm's information stored in our systems, we will provide written notice to the contact email on your account within 72 hours of becoming aware of the incident, consistent with service provider obligations under the amended Regulation S-P Safeguards Rule.

No security system is impenetrable. We will notify you of any breach affecting your information as required by applicable law and as described above.

5. Data Retention

We retain firm information and assessment data for as long as your account is active. If you request account deletion, we will delete your data within 30 days, except where retention is required by law. Aggregate, de-identified analytics data may be retained indefinitely.

6. Your Rights and Choices

Regardless of where you are located, you may contact us at any time to access, correct, or request deletion of your data, or to opt out of non-transactional emails. To do so, email hello@regspdash.com. We will respond within 30 days.

7. California Privacy Rights (CCPA / CPRA)

This section applies to California residents. Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), you have the following rights:

  • Right to Know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete. You may request that we delete your personal information, subject to certain exceptions permitted by law (such as retaining records required for legal compliance).
  • Right to Correct. You may request correction of inaccurate personal information we hold about you.
  • Right to Opt Out of Sale or Sharing. We do not sell or share personal information for cross-context behavioral advertising. No opt-out action is required.
  • Right to Limit Use of Sensitive Personal Information. We do not use sensitive personal information beyond what is necessary to provide the service.
  • Right to Non-Discrimination. We will not discriminate against you for exercising any of these rights.

To submit a verifiable request, email hello@regspdash.com from the address associated with your account. We will respond within 45 days. You may designate an authorized agent to submit requests on your behalf.

Note: The CPRA's business-to-business exemption expired January 1, 2023. Personal information of California residents who are employees, officers, or contacts of investment advisory firms that use our service is subject to the full CCPA/CPRA framework.

8. Other State Privacy Rights

Residents of the following states have rights similar to those described in Section 7 regarding access, deletion, correction, and opt-out of sale. We do not sell personal information and honor these rights for all users regardless of state.

  • Virginia (VCDPA). Rights to access, correct, delete, and opt out of sale and targeted advertising profiling.
  • Colorado (CPA). Rights to access, correct, and delete, a right to data portability, and a right to opt out of sale and profiling.
  • Connecticut (CTDPA). Rights to access, correct, delete, and opt out of sale. Beginning July 2026, Connecticut's threshold expands and may apply more broadly to B2B platforms.
  • Texas (TDPSA). Rights to access, correct, delete, and opt out of sale of personal data.

To exercise any of these rights, email hello@regspdash.com. We will respond within 45 days.

9. Cookies and Analytics

We use session cookies required for authentication and to maintain your logged-in state. We may use analytics tools to understand aggregate usage. You can configure your browser to refuse cookies, but some features may not function correctly.

10. Children's Privacy

RegSP Dash is a professional service for investment advisory firms and their authorized adult employees. We do not knowingly collect information from individuals under 18.

11. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify registered users by email before the changes take effect. Continued use of the service after the effective date constitutes acceptance.

12. Contact

RegSP Dash
hello@regspdash.com