Privacy Policy
How we collect, use, store, and disclose personal information.
Last updated: 14 May 2026
1. About this policy
RegCheck360 is operated by Health Icons Pty Ltd (ACN 668 459 188), an Australian proprietary company. This policy explains how we handle personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
In this policy, "we", "us", and "our" refer to Health Icons Pty Ltd trading as RegCheck360. "You" refers to anyone who uses regcheck360.com, its sub-domains, or any of our APIs.
2. Information we collect
We collect the following categories of information:
- Account information — email address, hashed password, display name, and the plan you are on.
- Compliance check data — ingredient names, formulas, product descriptions, and any documents you upload for screening (label images, COAs).
- Marketplace data — if you list a contract manufacturer profile or request quotes, the contact details, project notes, and quote correspondence you provide.
- Payment data — handled directly by Stripe. We never see or store full card numbers; we receive only a customer ID, last four digits, and plan status.
- Technical data — IP address, browser type, pages visited, and request timestamps, captured in standard server logs and error monitoring.
- Cookies and similar technologies — see our Cookie Policy.
3. How we use your information
We use your information to:
- Run the compliance checks, formula analyses, and pathway advice you request.
- Authenticate you, enforce plan limits, and prevent abuse.
- Process payments and manage subscriptions through Stripe.
- Deliver marketplace quote requests and responses between brands and manufacturers.
- Send transactional emails (account events, quote notifications, regulatory digests you have opted into).
- Monitor service health, debug errors, and improve the product.
- Comply with our legal obligations.
Formula and ingredient data are commercially sensitive. We do not use customer formula data to train machine-learning models. We do not sell, rent, or share customer compliance data with third parties for marketing purposes.
4. Where your data lives
Customer data is stored in Supabase (Postgres) in the ap-southeast-2 (Sydney) region. Static assets and serverless functions run on Vercel, with the production deployment pinned to the syd1 region. Some processing may transit edge nodes outside Australia (e.g. for DNS, CDN, or bot mitigation), but the system of record is in Australia.
5. Sub-processors we use
| Sub-processor | Purpose | Data category |
|---|---|---|
| Supabase | Database, auth, file storage | Account, compliance, marketplace |
| Vercel | Hosting, edge functions, logs | All categories (transient) |
| Stripe | Payments, subscription billing | Payment, billing email |
| Anthropic | AI regulatory assessment | Ingredient + formula text only |
| Resend | Transactional email | Email address, message body |
| Sentry | Error monitoring | Technical logs, stack traces |
| Cloudflare | DNS, CDN, bot protection | IP address, request metadata |
We require sub-processors to maintain appropriate security and to handle data only on our instructions. Where a sub-processor is located overseas, we have taken reasonable steps to ensure they handle personal information consistently with the APPs.
6. Disclosure to third parties
We disclose personal information only:
- To the sub-processors listed above, strictly for the purposes shown.
- Between marketplace participants, only when you initiate a quote request — and only the details you submit in that flow.
- To regulators, law enforcement, or courts if we are required by law.
- To a successor entity in the event of a merger, acquisition, or asset sale, subject to equivalent privacy commitments.
We do not sell personal information.
7. Data retention
- Account data: retained for the life of the account, plus 12 months after deletion for accounting and dispute resolution.
- Compliance check history: retained for 24 months on the Free tier, indefinitely on paid tiers until you delete it.
- Payment records: retained for 7 years to meet Australian tax law.
- Server and audit logs: 90 days.
- Error monitoring traces: 90 days.
8. Your rights
Under the APPs you may:
- Ask us what personal information we hold about you (APP 12).
- Ask us to correct inaccurate information (APP 13).
- Ask us to delete your account and associated data.
- Withdraw consent to marketing emails at any time (every email has an unsubscribe link).
- Complain about how we handle your personal information.
Email privacy@regcheck360.com for any of the above. We will respond within 30 days. If you are not satisfied with our response you may contact the Office of the Australian Information Commissioner at oaic.gov.au.
9. Security
We protect your information with HTTPS, HSTS, encrypted-at-rest databases, role-based access controls, and short-lived session tokens. We use Supabase Row-Level Security to enforce data isolation between customers. We log administrative actions on the marketplace approval queue and on the regulatory alerts pipeline.
For more on our security posture, see Trust & Security.
10. Notifiable Data Breach plan
If we become aware of unauthorised access to personal information that is likely to result in serious harm, we will notify affected individuals and the OAIC as required by the Notifiable Data Breaches scheme. Our incident-response process includes containment, root-cause analysis, notification, and remediation.
11. Children
RegCheck360 is a B2B compliance tool. We do not knowingly collect personal information from anyone under 16. If you believe we have done so, contact us and we will delete the information.
12. Changes to this policy
We will publish a new "Last updated" date at the top of this page when we make changes. Material changes will be announced by email to active customers at least 14 days before they take effect.
13. Contact
Privacy questions: privacy@regcheck360.com
General contact: /contact
Postal: Health Icons Pty Ltd, New South Wales, Australia