ReGuardian by Northline Studio

Privacy Policy

This Policy explains how Northline Studio collects, uses, shares and protects personal data in connection with ReGuardian and the marketing site at reguardian.northlinestudio.com. It covers both visitors to our website and Authorised Users of the Service.

Last updated · 19 April 2026

01

Summary

ReGuardian is a B2B compliance tool used by HR and legal teams. We process two very different categories of personal data:

  • Account & marketing data — name, email, role, company, IP address and similar information about visitors to our marketing site and Authorised Users of the Service. For this data, Northline Studio acts as controller.
  • Customer Data — employment contracts uploaded to the Service, which typically contain personal data about our customer’s employees, candidates and contractors. For this data, Northline Studio acts as a processor on behalf of the customer organisation.

We do not sell personal data. We do not use Customer Data to train shared or third-party foundation models. We host data within the United Kingdom and the European Union and rely on the standard contractual clauses required by UK GDPR and the EU GDPR for any onward transfer.

02

Who we are

Where this Policy describes processing for which Northline Studio is the controller, the controller is Northline Studio, the entity that operates ReGuardian.

You can contact us at privacy@northlinestudio.com for any privacy-related question.

03

Our roles: controller and processor

Under the UK GDPR, the EU GDPR, the French Loi Informatique et Libertés and the Italian Codice Privacy (D.Lgs. 196/2003), Northline Studio acts in two distinct roles:

  • Controller — for personal data we collect about visitors to our marketing site and Authorised Users of the Service (account data, support interactions, marketing, billing, security telemetry).
  • Processor — for personal data contained in Customer Data, which we process strictly on documented instructions of the customer organisation under our Data Processing Addendum (the “DPA”).

If you are an employee, candidate or contractor of an organisation that uses ReGuardian, your employer is the controller of your data within the Service. Your privacy notice and data-subject rights process should be obtained from your employer; we will support that process as processor.

04

Personal data we collect

As controller, we collect:

  • Identification & contact data — name, business email, business phone, employer, job title, country.
  • Account data — credentials (hashed), authentication events, role and permission settings, single-sign-on identifiers.
  • Usage data — features accessed, actions taken, timestamps, IP address, browser and device information, language, region preference, error and diagnostic logs.
  • Communications — content of support tickets, demo requests, sales enquiries and survey responses you choose to send us.
  • Billing — billing contact, VAT number, purchase order references and payment status. Card details, where applicable, are handled by our payment processor and not stored by us.
  • Marketing — email open and click events for messages you have consented to receive.

05

Purposes and lawful bases

We process the personal data above for the following purposes and on the bases shown:

  • Provide and operate the Service — performance of a contract (Art. 6(1)(b) UK/EU GDPR) for Authorised Users; legitimate interests (Art. 6(1)(f)) for organisational contacts of customers.
  • Account security, fraud prevention and incident response — legitimate interests, and where applicable legal obligation (Art. 6(1)(c)).
  • Customer support — performance of a contract and legitimate interests in responding to enquiries.
  • Billing and tax — performance of a contract and legal obligation.
  • Improving the Service — legitimate interests in measuring usage, diagnosing errors and prioritising features. We use aggregated and de-identified data wherever practical.
  • Marketing communications — consent (Art. 6(1)(a)) where required (e.g. email marketing to non-customers in the EEA/UK), or legitimate interests for soft opt-in messages to existing business contacts. You can unsubscribe at any time.

06

Customer Data (employment contracts)

When you upload employment contracts or related material to the Service, the customer organisation determines the purposes and means of that processing and is the controller. Northline acts as processor and processes that data only:

  • to host, analyse, classify and version the contracts within the Service;
  • to generate Outputs (compliance scores, impacted-clause queues, suggested rewrites, audit-trail entries);
  • to provide support, security, and to maintain the integrity of the Service; and
  • where strictly necessary to comply with a legal obligation.

We do not use Customer Data to train shared or third-party foundation models. Where machine-learning components run within the Service, they operate on infrastructure under our control or under contractual commitments that prohibit cross-customer training.

The detailed terms of our processor role — including processing instructions, security measures, sub-processor governance, breach notification, audit rights and standard contractual clauses for international transfers — are set out in the DPA, available on request to privacy@northlinestudio.com.

07

Automated processing

ReGuardian produces automated analyses of contractual text, including compliance scores and suggested rewrites. These Outputs are intended to support qualified human decision-makers and are not designed to be used as the sole basis for any decision producing legal or similarly significant effects on an individual.

Customers using the Service must apply meaningful human review before relying on Outputs and must comply with Article 22 of the UK/EU GDPR and applicable national rules on automated decision-making in the employment context.

08

Cookies and similar technologies

The marketing site at reguardian.northlinestudio.com uses a small number of cookies and similar technologies:

  • Strictly necessary — for example to remember your region and language preference. These cookies do not require consent.
  • Analytics — anonymised usage measurement to understand which pages are useful. These are loaded only with your consent where required.

We do not use advertising cookies or cross-site trackers. You can change your cookie preferences at any time using the controls on the site or in your browser.

09

How we share personal data

We share personal data only as described below:

  • Within your organisation — Authorised Users from your organisation have access to Customer Data according to the role-based permissions configured by your administrator.
  • Service providers (sub-processors) — vetted vendors who help us host, secure, monitor and support the Service, under written processing terms (see section 10).
  • Professional advisors — auditors, lawyers and accountants under confidentiality.
  • Authorities — where required by law, court order or to protect rights, property or safety.
  • Corporate transactions — in connection with a merger, acquisition or sale of assets, subject to standard confidentiality safeguards.

We do not sell personal data and do not share it for cross-context behavioural advertising.

10

Sub-processors

We use a limited set of sub-processors to operate the Service, including infrastructure and database hosting in the United Kingdom and the European Union, error monitoring, email delivery and customer-support tooling. The current list of sub-processors, the regions in which they operate and a summary of the personal data they process is available on request to privacy@northlinestudio.com.

We notify customers in advance of changes to our sub-processor list and give them an opportunity to object on reasonable data-protection grounds, as described in the DPA.

11

International transfers

Customer Data is hosted within the United Kingdom and the European Union. Where personal data is transferred outside the UK or the EEA — for example to a sub-processor providing global support — we rely on appropriate safeguards under UK GDPR and the EU GDPR, including:

  • UK adequacy regulations or European Commission adequacy decisions where available;
  • the EU Standard Contractual Clauses (Decision 2021/914) and the UK International Data Transfer Addendum to those clauses; and
  • transfer impact assessments and supplementary measures (such as encryption and access controls) where required.

12

Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy:

  • Customer Data — for the duration of the customer’s subscription, plus a defined post-termination export window, after which data is deleted in accordance with the DPA and our retention schedule.
  • Account data — while the account is active and for a reasonable period afterwards to comply with legal, accounting and audit obligations.
  • Marketing data — until you withdraw consent or object, after which we retain a minimal record of the suppression to honour your preference.
  • Security and audit logs — for the period necessary to investigate incidents and meet regulatory obligations.

13

Security

We maintain a written information-security programme aligned with industry standards. It includes administrative, technical and organisational measures designed to protect personal data, in particular:

  • encryption in transit (TLS 1.2+) and at rest;
  • role-based access control, least-privilege provisioning and SSO support;
  • tamper-evident audit logs of access to Customer Data and configuration changes;
  • vulnerability scanning, dependency monitoring and timely patching;
  • secure software-development practices and code review;
  • personnel screening, training and confidentiality obligations;
  • documented incident-response procedures and breach-notification obligations under the DPA.

No system is perfectly secure, but we work continuously to reduce risk and to be transparent with our customers when issues arise.

14

Your rights

Subject to applicable law, you have the right to: access your personal data; have inaccurate data corrected; have your data erased; restrict or object to certain processing; receive your data in a portable format; and withdraw any consent you have given.

If you are an employee, candidate or contractor of a customer organisation, please contact your employer first — they are the controller of your data within the Service. Where Northline acts as processor, we will support your employer in responding to your request.

To exercise rights against Northline as controller, contact privacy@northlinestudio.com. You may also lodge a complaint with the supervisory authority of your country of residence, including:

  • United Kingdom — Information Commissioner’s Office (ICO), ico.org.uk
  • France — Commission nationale de l’informatique et des libertés (CNIL), cnil.fr
  • Italy — Garante per la protezione dei dati personali, garanteprivacy.it

15

Children

The Service is intended for business use by adults. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact privacy@northlinestudio.com and we will take appropriate steps to delete it.

16

Changes to this Policy

We may update this Policy from time to time. The “Last updated” date at the top of the page indicates the latest revision. If we make material changes, we will provide reasonable advance notice through the Service or by email.

17

Contact and complaints

For any question, request or complaint about this Policy or our processing of personal data, contact privacy@northlinestudio.com. You can also review our Terms of Service.

Contact

Northline Studio · Legal & Privacy · legal@northlinestudio.com
