Privacy Policy.
How REGARA™ collects, uses, shares, and protects Personal Data — and how you can exercise your rights under applicable privacy and data-protection laws.
REGARA™ Corporation ("REGARA", "we", "us", "our") respects your right to privacy, and we are dedicated to securing and protecting any information we have about you. This Privacy Policy describes how we collect, use, and share information that relates to an identifiable individual ("Personal Data"), and how you can exercise your rights under applicable privacy and data-protection laws.
If you have any questions or concerns about our use of your Personal Data — or if you wish to exercise any of your privacy rights, including the right to object where applicable — please contact us using the details under "How to Contact Us" at Section 12 below.
REGARA™ provides a secure AI platform (the "Services") that augments productivity and automates complex workflows for life-sciences regulatory affairs professionals — including those working in medical device, pharmaceutical, biologics, and in-vitro-diagnostic submissions. REGARA™ is headquartered in the United States.
For jurisdiction-specific provisions, see "Jurisdiction-Specific Provisions" at Section 8 below.
We recommend that you read this Privacy Policy in full to ensure you are completely informed about REGARA™'s collection and use of your Personal Data.
Contents
- Applicability of this Privacy Policy
- Personal Data we Collect and Process
- How we Use Personal Data
- Who we Share your Personal Data With
- How we Keep your Personal Data Secure
- International Data Transfers
- Data Retention
- Jurisdiction-Specific Provisions
- Minors' Data
- Your Data Protection Rights
- Updates to this Privacy Policy
- How to Contact Us
1. Applicability of this Privacy Policy
This Privacy Policy describes how REGARA™ processes Personal Data collected from you, or about you, through our websites (for example at regara.ai and help.regara.ai — our "Websites"), the Services, and other interactions you have with REGARA™.
REGARA™'s Services are offered to life-sciences businesses, sponsors, and other entities (our "Customers") for professional use. We enter into customer agreements with our Customers (for example, our platform agreement, pilot agreement, evaluation agreement, terms of service, data processing agreement, etc.). These agreements govern the delivery and use of the Services (the "Customer Agreement").
This Privacy Policy does not apply to any input or output generated on our platform, or to documents — including regulatory submissions, study reports, or correspondence — uploaded to our platform. We process such data on behalf of Customers and we refer to it as "Customer Data" and "Content". REGARA™'s use of Customer Data and Content received through the Services is governed by the relevant Customer Agreement. REGARA™ processes Customer Data and Content as a Data Processor, so any queries related to this data should be directed to our Customers, who are the Data Controllers.
This Privacy Policy governs only where REGARA™ is the Data Controller responsible for the processing of the Personal Data.
2. Personal Data we Collect and Process
In the course of doing business, providing our Services, and operating our Websites, we collect and receive Personal Data in different ways and from different sources. This Personal Data includes:
Information that you provide directly
We collect Personal Data directly from you when you create an account with us, otherwise use the Services, or interact with us via another means. This includes:
a) Account Information
When you (or your employer) create an account and throughout the time you use the Services, we collect certain information associated with your account — including your name, email address, information about your profession and professional experience (e.g., regulatory specialty, agency experience, submission types you work on), language preferences, account credentials, payment information, and your transaction history with us (collectively, "Account Information").
b) Communication Information
If you communicate with us (for example, when you contact us about our Services, complete a survey, interact with our Websites, or request support), we collect your name, email address, information about your profession, customer survey responses, the way you interact with our communications and Services, and the contents of any messages you send (collectively, "Communication Information").
c) Social Media Information
We have pages on social-media services such as LinkedIn and X. When you interact with our pages, our employees, or our representatives via social-media services, we collect Personal Data that you choose to provide — such as your contact details and the contents of your messages, posts, or profiles. In addition, third parties may provide us with aggregate information and analytics about our social-media activity (collectively, "Social Media Information").
Information that we collect automatically
We collect Personal Data indirectly, including through automated means from your computer or device. This information includes:
a) Log Data
Information that your browser or device automatically sends when you use our Services or access our Websites. Log Data includes your Internet Protocol address, browser information, the date and time of your request, and how you otherwise use certain features or interact with us (collectively, "Log Data").
b) Service Usage Data
When you interact with the Services, metadata is generated that provides additional context about your use of the Services. This includes your email address, account identifiers, data about how often you visit the Websites, how you interact with the Services, the amount of time spent engaging with the Services, the volume of queries you submit, the type of queries you submit, the features interacted with, and how those features performed during your interactions (collectively, "Usage Data").
c) Cookies and Similar Technologies
We use cookies, scripts, or similar technologies (collectively, "Cookies and Similar Technologies") to manage the Services and to collect information about you and your use of the Services and our Websites. A cookie is a small string of information that websites you visit transfer to your computer for identification purposes. These technologies help us to recognize you, customize or personalize your experience, market additional products or services, understand your preferences, improve your Websites experience, and analyze use of the Services to make them safer and more useful. For more details about how we use these technologies, your opt-out controls, and other options, please visit our Cookie Policy at www.regara.ai/legal/cookie-policy.
d) Device Information
We also collect certain device- and connection-specific information when you install, access, or use our Services and interact with our Websites. This includes information such as the name of the device, operating system, device identifiers, and browser you are using (collectively, "Device Information"). The specific Device Information collected will depend on the type of device you use and its settings.
Information we collect from third parties
We also receive certain information about you from our trusted partners, such as:
- a) Security partners who may provide us with information such as compromised credentials and personal details to protect against fraud, abuse, and other security threats;
- b) Marketing vendors who provide us with information about potential customers of our Services — such as contact details (name, email address, physical address, phone number) and information about professional affiliations and employment;
- c) Advertising vendors, including social-media services, who may provide us with information such as interactions with our marketing emails, social-media posts, and other advertisements; and
- d) Market research firms, survey companies, and event organisers (for example, trade shows, regulatory affairs conferences such as RAPS, DIA, AdvaMed, and BIO) that may provide us with information about you, including contact details, information about your professional affiliations and employment, and information relating to your use of our Services and Websites, your business, and your use of artificial intelligence (collectively, "Market Research Information").
((a), (b), (c), and (d) collectively, "Information Collected From Third Parties").
Information that is publicly available
We collect publicly available information about Customers and prospects to help offer and provide our Services.
We also use publicly available information — for example, FDA guidance documents, EMA scientific opinions, PMDA review reports, public 510(k) summaries, warning letters, advisory committee transcripts, public clinical trial records, and consensus standards — to develop, train, and improve our AI platform (collectively, "Publicly Available Information").
For more information on the sources of information used to train, maintain, and develop our AI platform — and the steps we take to minimise the privacy impact on individuals — please see our model-training disclosure.
3. How We Use Personal Data
We may use Personal Data covered by this Privacy Policy for the following purposes:
- to provide and maintain our Services;
- to bill for our Services;
- to develop, improve, and update our Services and new functionality;
- to develop, improve, and update the way we provide support and carry out our other business practices;
- to carry out research or surveys;
- to investigate the effectiveness of our Services, to understand how our Services are used, and to evaluate user needs and preferences;
- to personalise your use of our Services, applications, or platforms;
- to provide customer support and resolve bugs, issues, or customer queries;
- to communicate with you, including to send information or marketing about our Services and events;
- to assess your eligibility for, and offer or promote, our Services. Where allowed by law (including, where required, with your opt-in consent), we use and share your Personal Data with others so we may market our Services to you, including through interest-based advertising;
- to prevent fraud, criminal activity, or misuse of our Services, and to protect the security of our systems and Services; and
- to comply with legal obligations and protect the rights, privacy, safety, or property of our users, us, our affiliates, or any third party.
We may aggregate or de-identify Personal Data so that you can no longer be identified, and use the aggregated or de-identified data for the following purposes:
- to investigate and study the effectiveness of our Services;
- to update and improve our Services;
- to develop, improve, and update the way we provide support and carry out our other business practices;
- to conduct research and surveys; and
- to share or publish aggregated information about usage of our Services — for example, on our blog or on social media.
We do not attempt to re-identify this information unless required by law.
Details of the purposes for which we process Personal Data as a controller, and the legal bases we rely on for such processing in the European Economic Area and the United Kingdom, are set out under Jurisdiction-Specific Provisions.
5. How We Keep Your Personal Data Secure
The security of your information is important to us. We protect your Personal Data through technical and organizational measures designed to mitigate the risk of unlawful or unauthorized access, destruction, loss, alteration, disclosure, or use of your Personal Data. The measures are designed to provide a level of security appropriate to the risk of processing.
REGARA™ maintains an ISO 27001-certified information security management system, a SOC 2 Type II program, and HIPAA-aligned controls. For a more detailed view of our security posture, see our Security & Trust page.
6. International Data Transfers
In some cases, we may transfer your Personal Data to countries other than the country in which the Personal Data originates. These countries may have data-protection laws that differ from the laws of your country.
When you access our Websites or use our Services, your Personal Data may be transferred to our servers located in the United States, or to other countries — including countries outside of the European Economic Area ("EEA"), Switzerland, and the United Kingdom ("UK"). This may be a direct provision of your Personal Data to us, or a transfer that we or a third party makes. Where Personal Data described in Section 2 is transferred outside of the country of origin and required by law (including in the EEA, Switzerland, or the UK), we ensure it benefits from an adequate level of data protection by relying on:
Adequacy Decisions
Decisions from an official authority — such as the European Commission under Article 45 GDPR (or equivalent decisions under other laws) — that recognise a country outside the country of origin offers an adequate level of data protection. We transfer Personal Data originating in the EEA, Switzerland, or UK to the United States under the Data Privacy Framework and to other countries with adequacy decisions.
Standard Contractual Clauses
For jurisdictions which are not deemed adequate, we rely on other lawful transfer mechanisms ('appropriate safeguards') such as the Standard Contractual Clauses issued on 4 June 2021 under Article 46(2) GDPR, the UK equivalent, and the revised Federal Act on Data Protection for the transfer of personal data originating in Switzerland.
We ensure the above-mentioned mechanisms are in place with our group companies and third-party service providers. For more information on the legal mechanisms we rely on for any data-sharing arrangement, please reach out to us at info@regara.ai.
Derogations or Exceptions
In limited circumstances, we may rely on a derogation under Article 49 GDPR — e.g., reliance on your explicit consent, or because the transfer is necessary for the establishment, exercise, or defence of legal claims.
Data Privacy Framework
We comply with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF ("UK Extension"), and the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") as set forth by the U.S. Department of Commerce. REGARA™ has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union and the UK, and the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles, the UK Extension, or the Swiss-U.S. DPF Principles, those principles shall govern. To learn more and view our certification, visit dataprivacyframework.gov.
Commitment to Cooperate. In compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF, REGARA™ commits to cooperate with the EU Data Protection Authorities ("DPAs"), the UK Information Commissioner's Office ("ICO"), and the Swiss Federal Data Protection and Information Commissioner ("FDPIC") with regard to unresolved complaints concerning our handling of Personal Data received in reliance on the frameworks.
Federal Trade Commission. The Federal Trade Commission has jurisdiction over REGARA™'s compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF.
Right to Arbitrate. You may, under certain conditions, invoke binding arbitration for complaints regarding Data Privacy Framework compliance.
Accountability for Onward Transfers. We take responsibility for the processing of personal information we receive and subsequently transfer to a third party. In the case of an onward transfer, REGARA™ remains liable if a third party processes personal information in a way inconsistent with the Data Privacy Framework Principles, unless we can demonstrate we were not responsible for the event giving rise to the damage.
If you want to contact us with inquiries or complaints regarding our reliance on the DPFs, email info@regara.ai.
7. Data Retention
We retain the Personal Data we collect from you for as long as necessary for the purposes described in this Privacy Policy. If you have a Customer Agreement with us, we will delete your data in accordance with that Customer Agreement.
How long we retain Personal Data depends on a number of factors, including whether we need to retain it to:
- comply with the terms of your or your employer's Customer Agreement;
- comply with or demonstrate compliance with our legal obligations, resolve disputes, or enforce our agreements; and
- in relation to Account Information, meet our tax, accounting, and audit requirements.
Note: Because REGARA™ supports regulated life-sciences workflows, Customer Data and Content (the substance of your regulatory submissions and associated artifacts) is retained per the terms of the Customer Agreement and the customer's own document-retention obligations under applicable law — for example, 21 CFR Part 11, EU GMP Annex 11, and ICH Q10 equivalents — which often require retention well beyond a typical SaaS lifecycle.
When we have no ongoing legitimate business need or legal reason to process your Personal Data, we will either delete or anonymise it, or — if this is not possible (for example, because your Personal Data has been stored in backup archives) — securely store and isolate it from any further processing until deletion is possible.
8. Jurisdiction-Specific Provisions
EEA, UK, and Switzerland
We rely on several legal bases under applicable data-protection laws — such as the General Data Protection Regulation ("GDPR") or UK Data Protection Regulation ("UK GDPR") — to process Personal Data for the purposes set out in this Privacy Policy. These legal bases are:
a) Contractual Necessity — where we need to engage in this processing to conclude and perform a contract with you. For example, we require certain Personal Data to provide and support the Services.
b) Legal Obligation — where we must process and retain your Personal Data to comply with law or to fulfil certain legal obligations.
c) Consent — in certain circumstances, we may ask for your consent before we collect, use, or disclose your Personal Data. You can withdraw consent at any time.
d) Legitimate Interests — where the processing is necessary for the legitimate interests of either REGARA™ or a third party, but only when we are confident that your privacy rights will remain appropriately protected. These interests include operating our business and Services, improving them, developing marketing activity, personalising the Services to you, detecting or preventing illegal activity, and managing the security of our IT infrastructure.
Purpose and basis table
| Why & how we process | Information categories |
|---|---|
| Contractual Necessity — To create and maintain your account and provide our Services. We collect information to set up your REGARA™ account and allow you to use the Services. | |
| Contractual Necessity — To send Service-related communications. We may send you communications about the Services — to verify your email, confirm a purchase, notify you of a new offering, or update you about changes to the Services, this Privacy Policy, or our Terms. | |
| Contractual Necessity — To provide customer support. We use your information to respond to support requests and resolve issues. | |
| Legal Obligation — To comply with our legal obligations. For example, to preserve or disclose information in response to a valid legal request from a regulator, law enforcement, or others; or to implement appropriate security measures. | |
| Consent — Advertising. In certain countries, we may need your consent to send direct marketing messages. You will be given the opportunity to opt out in each email we send. | |
| Legitimate Interests — To improve and develop the Services. It is in our legitimate interest to understand how our Services are used and to develop and grow our business. | |
| Legitimate Interests — To keep the Services safe and secure. To detect, investigate, and protect against abuse, breaches, intellectual-property infringement, crime, suspected fraud, harm, suspected violations of our Terms, and safety risks. | |
| Legitimate Interests — To personalise the Services. To present products and features relevant to your profession and regulatory practice. | |
| Legitimate Interests — To protect our legal rights. To establish or exercise legal rights or defend against asserted claims. | |
| Legitimate Interests — In the event of a reorganisation or fundraising. Such transactions may be necessary and in our legitimate interest in enabling our business to develop over the long term. | |
| Legitimate Interests — Email and telephone marketing. Where permitted by law, this may be based on our legitimate interest. Where required by law, it will be based on your consent. | |
United States
If you are a consumer located in the United States, we process your Personal Data in accordance with U.S. privacy laws, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA").
REGARA™ does not sell or share personal data with third parties in exchange for payment. To the extent permitted by applicable law, we may provide Personal Data of individuals who visit our Websites or otherwise provide their Personal Data for marketing purposes to third-party partners — such as advertising partners, analytics providers, and social networks — who assist us in advertising our products and services to you. This may be considered a data "sale" or "sharing" under the CCPA and other applicable U.S. privacy laws. To our knowledge, REGARA™ does not sell personal information of minors under 18 years of age.
As a U.S. consumer — and subject to certain limitations — you may have choices regarding our use and disclosure of your Personal Data. In addition to the rights outlined in Section 10, other rights include:
- The right to know: Request information including the categories and purposes for which your Personal Data is collected and the third parties with whom it is disclosed.
- The right to opt-out from a sale or sharing: We do not sell or share your Personal Data in exchange for payment. As noted, we may share certain information for targeted advertising; where legally required, we provide an opt-out under "Your Privacy Choices".
Canada
Notwithstanding anything to the contrary, in Canada we collect, use, and disclose information about you only in accordance with Canadian law. We will only process Personal Data with consent and/or adequate notice if and when required. You have the right to withdraw consent to the collection, use, and disclosure of Personal Data, subject to limits in applicable law. Withdrawal of consent will not impact the validity of any consent you have given up to the date of withdrawal. Depending on your province of residence, you may also have rights of access, correction, portability, and (in Quebec) cessation of dissemination.
9. Minors' Data
Our Websites and Services are not directed to anyone under the age of 18. REGARA™ does not knowingly collect Personal Data from anyone under the age of 18. If you have reason to believe that a minor under 18 has provided Personal Data to REGARA™, please email info@regara.ai and we will endeavour to delete that information from our systems.
10. Your Data Protection Rights
Subject to certain exceptions and where applicable, you may:
- Access, correct, update, or request deletion of your Personal Data.
- Object to processing of your Personal Data, or ask us to restrict processing.
- Request portability of your Personal Data — i.e., that your data be transferred in a readable and standardised format.
- Opt-out of marketing communications at any time by clicking the "unsubscribe" or "opt-out" link in marketing emails, or by contacting us. If you opt out, we will still send you non-promotional emails (e.g., about your account or our ongoing business relations).
- Withdraw your consent at any time, if we collected and processed your Personal Data with your consent. Withdrawal will not affect the lawfulness of any processing prior to your withdrawal.
- Complain to a supervisory authority.
To exercise any of your rights, please contact us using the details in Section 12 below. We respond to all requests in accordance with applicable data-protection laws.
11. Updates to this Privacy Policy
We may update this Privacy Policy from time to time in response to changing legal, regulatory, technical, or business developments. When we update our Privacy Policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make.
You can see when this Privacy Policy was last updated by checking the "Last updated" date displayed at the top.
12. How to Contact Us
If you have any questions or concerns about our use of your Personal Data, please contact our Data Protection Officer at info@regara.ai.
You may also write to us at:
REGARA™
8400 W Sunset Rd #300
Las Vegas, NV 89113
United States
or contact our representative in the EU.
EEA Representative
To be appointed — contact details will be published here prior to commencement of EEA-resident processing.
Data Protection Officer
To be appointed — please direct all DPO correspondence to info@regara.ai in the interim.
Previous Versions
No prior versions. This is the inaugural Privacy Policy for REGARA™.