Privacy Policy
Last updated: March 2026
1. Introduction
This Privacy Policy explains how RegNexus Mail (“we”, “us”, “our”), accessible at reg-nexus.com, collects, uses, stores, discloses, and protects personal data in connection with the provision of our managed email hosting and compliance services.
RegNexus Mail is a business-to-business (“B2B”) managed email hosting platform designed for law firms, financial advisory practices, accountancy firms, FCA-regulated small and medium enterprises, and other professional services businesses. We provide email infrastructure, compliance archiving, document management, and related professional services tooling.
We are committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), and the Privacy and Electronic Communications Regulations 2003 (“PECR”). Where we process personal data on behalf of our business customers, we act as a data processor. Where we process personal data for our own purposes (such as managing customer accounts and billing), we act as a data controller.
By using our services, you acknowledge that you have read and understood this Privacy Policy. If you are a client administrator or decision-maker acting on behalf of your organisation, you confirm that you have the authority to accept this policy on behalf of your organisation and its users.
2. Data Controller
For the purposes of the UK GDPR, the data controller responsible for your personal data is:
RegNexus Mail
Operated by RegNexus, trading at reg-nexus.com
United Kingdom
Data Protection Contact: privacy@reg-nexus.com
Where our business customers use RegNexus Mail to host email services for their own employees, clients, and contacts, the business customer is the data controller for the personal data contained within email communications, and we act as a data processor on their behalf under the terms of our Data Processing Agreement.
3. Types of Data We Collect
3.1 Account Registration Data
When an organisation registers for RegNexus Mail or a user is provisioned by their organisation's administrator, we collect:
- Full name and job title
- Business email address and telephone number
- Organisation name, registered address, and sector
- Account credentials (passwords are hashed and salted; we never store plaintext passwords)
- IP address, browser user agent, and timestamp at time of registration or onboarding document signing
3.2 Email Content and Metadata
As a managed email hosting provider, we store and process:
- Email message bodies (including plaintext and HTML content)
- Email headers, including sender, recipients, subject line, timestamps, and routing information
- File attachments uploaded or received via email
- Email metadata such as read/unread status, folder assignments, flags, and labels
- Compliance archive records, including SHA-256 integrity hashes and retention metadata
- Trust Ledger entries comprising cryptographic verification records of trusted communications
We do not read, scan, or analyse the content of your emails for advertising purposes. Content scanning is performed only when explicitly enabled by the organisation's administrator through our Confidentiality Scanner feature, which detects sensitive content patterns before emails are sent to help prevent accidental data disclosure.
3.3 Usage and Analytics Data
We collect limited usage data to maintain, improve, and secure our services:
- Login timestamps, session duration, and authentication events
- Feature usage patterns (e.g., which platform areas are accessed) in aggregate form
- Mailbox storage usage, message counts, and quota utilisation
- Domain health check results, DNS configuration status, and deliverability metrics
- Audit log entries recording administrative actions (user provisioning, domain changes, policy modifications)
- Error logs and performance metrics for service reliability
3.4 Billing and Payment Data
To process subscriptions and payments, we collect:
- Billing contact name, email address, and billing address
- Subscription plan, user count, and billing cycle information
- Payment method details are collected and processed directly by our payment processor, Stripe. We do not store full card numbers, CVV codes, or complete payment credentials on our servers. We retain only a Stripe customer identifier and the last four digits of the card for reference purposes.
- Invoice history, payment status, and transaction records
3.5 Document Vault Data
Where organisations use our Document Vault and Secure Client Portal features, we store:
- Uploaded documents, including file content, file names, version history, and access logs
- Secure portal access records, including PIN authentication attempts, access timestamps, and read receipts
- Client matter tags and organisational folder structures
4. Lawful Basis for Processing
We process personal data only where we have a lawful basis to do so under Article 6 of the UK GDPR. The specific lawful bases we rely upon are:
| Processing Activity | Lawful Basis |
|---|---|
| Providing email hosting, mailbox management, and related platform services | Contract performance (Art. 6(1)(b)) — processing is necessary to fulfil our service agreement with your organisation |
| Processing payment transactions and managing billing | Contract performance (Art. 6(1)(b)) — processing is necessary to manage subscriptions and collect fees |
| Maintaining security, preventing abuse, and generating audit logs | Legitimate interests (Art. 6(1)(f)) — to protect the security and integrity of our platform and our customers' data |
| Service improvement, aggregate analytics, and platform performance monitoring | Legitimate interests (Art. 6(1)(f)) — to improve service quality and reliability for all customers |
| Compliance archiving and legal hold of email communications | Legal obligation (Art. 6(1)(c)) and Contract performance (Art. 6(1)(b)) — to satisfy regulatory record-keeping requirements applicable to our customers and to fulfil our archiving service commitments |
| Retaining financial and tax records | Legal obligation (Art. 6(1)(c)) — to comply with UK tax, accounting, and financial reporting obligations |
| Sending service communications (onboarding, account changes, security alerts) | Contract performance (Art. 6(1)(b)) — these communications are necessary to operate the service |
| Marketing communications and product announcements | Consent (Art. 6(1)(a)) — only where you have explicitly opted in; you may withdraw consent at any time |
| Responding to data subject access requests and regulatory enquiries | Legal obligation (Art. 6(1)(c)) — to comply with our obligations under the UK GDPR and DPA 2018 |
5. Data Sharing and Third-Party Processors
We do not sell, rent, or trade personal data to third parties. We do not share personal data for advertising or marketing purposes. We share personal data only with the following categories of recipients, and only to the extent necessary to provide our services:
Stripe (Payment Processing)
We use Stripe, Inc. as our payment processor. When you provide payment information, it is transmitted directly to Stripe via their PCI DSS Level 1 certified infrastructure. Stripe processes payment card data, billing addresses, and transaction details on our behalf. Stripe's privacy policy is available at stripe.com/privacy. Stripe is certified under the UK Extension to the EU-US Data Privacy Framework.
Stalwart Mail Server (Email Infrastructure)
Email messages are processed and stored by our Stalwart Mail Server infrastructure, which we operate on dedicated servers within UK-based data centres. Stalwart is an open-source, self-hosted mail server that handles SMTP, IMAP, and JMAP protocols. As we operate this infrastructure ourselves, email data does not leave our controlled environment for mail processing purposes. All email transit is encrypted using TLS 1.3, and all stored email data is encrypted at rest.
Hosting and Infrastructure
Our web application is hosted on Vercel, Inc. for front-end delivery and serverless functions. Our database is hosted on Neon, Inc. for managed PostgreSQL services. Both providers process data under our instructions and in accordance with appropriate data processing agreements. We select infrastructure regions within the UK or European Economic Area wherever technically feasible.
We may also disclose personal data where required to do so by law, regulation, legal process, or enforceable governmental request, including to comply with a court order, regulatory investigation, or lawful request from a law enforcement authority. Where permitted, we will notify the affected organisation before making such a disclosure.
6. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, and to enforce our agreements. Specific retention periods are as follows:
| Data Category | Retention Period |
|---|---|
| Active mailbox email data | Duration of the service agreement, plus 30 days after account closure to allow for data export |
| Compliance archive (where enabled) | As configured by the organisation's administrator, aligned with their regulatory obligations and subscription tier: 30 days (Essential), 1 year (Professional), 3 years (Secure Pro), or up to 7 years (Compliance+) |
| Audit logs and administrative action records | Aligned with plan tier: 30 days (Essential), 1 year (Professional), 3 years (Secure Pro), or 7 years (Compliance+) |
| Account registration data | Duration of the service agreement, plus 12 months after termination for legal and accounting purposes |
| Billing, invoice, and tax records | 7 years from the date of the transaction, in accordance with HMRC requirements |
| Trust Ledger verification records | Duration of the service agreement, plus 7 years to support ongoing verification of previously issued certificates |
| Legal hold data | Retained indefinitely while a legal hold is active; released and subject to standard retention policies once the hold is lifted by the organisation's administrator |
| Document Vault files | Duration of the service agreement, plus 30 days after account closure |
| Contact form enquiries | 24 months from the date of submission, or until the enquiry converts to a customer relationship |
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Where deletion is not immediately technically feasible (for example, data held in backups), we ensure that the data is isolated from further processing until deletion can be completed.
7. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
Encryption in Transit
All data transmitted between your devices and our servers, and between our internal systems, is encrypted using TLS 1.3. All email transmission between mail servers is encrypted via opportunistic TLS, with mandatory TLS enforced for connections to major providers. Our platform enforces HTTPS for all web traffic with HSTS headers.
Encryption at Rest
All stored data, including email content, attachments, database records, and document vault files, is encrypted at rest using AES-256 encryption. Database backups are similarly encrypted.
UK-Based Infrastructure
Our mail server infrastructure is hosted in UK-based data centres. We select UK or European Economic Area infrastructure regions wherever technically feasible to minimise international data transfers.
Access Controls and Authentication
Access to personal data is restricted on a need-to-know basis. Administrative access to our infrastructure requires strong authentication. Our platform enforces multi-tenant isolation, ensuring that each organisation's data is logically separated and inaccessible to other organisations. All administrative actions are recorded in immutable audit logs.
Email Authentication and Integrity
We implement comprehensive email authentication measures including SPF (hard fail policy), dual DKIM signing (ed25519 and RSA-2048), and DMARC (reject policy) as standard for all customer domains. SHA-256 cryptographic hashing is applied to archived emails and Trust Ledger records to ensure data integrity and provide tamper-evident audit trails.
Incident Response
We maintain an incident response procedure for security events and personal data breaches. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (“ICO”) within 72 hours of becoming aware of the breach, and will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
8. Your Rights
Under the UK GDPR and DPA 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain exemptions:
- Right of Access (Art. 15) — You have the right to request a copy of the personal data we hold about you, together with information about how we process it. We will provide this information within one month of receiving your request, free of charge for the first copy.
- Right to Rectification (Art. 16) — You have the right to request that we correct any inaccurate personal data we hold about you, or complete any incomplete personal data.
- Right to Erasure (Art. 17) — You have the right to request the deletion of your personal data in certain circumstances, such as where the data is no longer necessary for the purpose for which it was collected. This right does not apply where we are required to retain data to comply with a legal obligation (for example, regulatory archiving or tax records) or to establish, exercise, or defend legal claims.
- Right to Data Portability (Art. 20) — Where processing is based on consent or contract performance and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. For email data, this includes standard mailbox export formats (e.g., MBOX or EML).
- Right to Restriction of Processing (Art. 18) — You have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where processing is unlawful and you oppose erasure.
- Right to Object (Art. 21) — You have the right to object to processing based on our legitimate interests. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to Withdraw Consent — Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
- Right to Lodge a Complaint — You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe that our processing of your personal data infringes the UK GDPR. The ICO can be contacted at ico.org.uk or by telephone on 0303 123 1113.
To exercise any of these rights, please contact us at privacy@reg-nexus.com. We will respond to all legitimate requests within one calendar month. In certain cases, particularly where requests are complex or numerous, we may extend this period by a further two months, but we will inform you of any such extension within the initial one-month period.
Where personal data is processed on behalf of your organisation (i.e., where we act as a data processor), we will direct your request to the appropriate data controller within your organisation, as they retain primary responsibility for responding to data subject requests relating to their data.
9. International Data Transfers
Our primary data processing infrastructure, including our mail servers, is located in the United Kingdom. We store and process personal data within the UK wherever possible.
Where personal data is transferred to the European Economic Area (“EEA”), such transfers are permitted under the UK GDPR without additional safeguards, as the UK recognises the EEA as providing an adequate level of data protection.
Where personal data is transferred to countries outside the UK and EEA (for example, where a third-party service provider such as Stripe processes data in the United States), we ensure that appropriate safeguards are in place. These safeguards may include:
- Transfers to countries with UK adequacy regulations (as determined by the Secretary of State under Section 17A of the DPA 2018)
- International Data Transfer Agreements (“IDTAs”) or the UK Addendum to the EU Standard Contractual Clauses
- The UK Extension to the EU-US Data Privacy Framework, where the recipient is a certified participant
You may request details of the specific safeguards applied to any international transfer by contacting us at privacy@reg-nexus.com.
10. Cookies
We use a minimal set of cookies that are strictly necessary for the operation of our platform. We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track individual users across websites.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| next-auth.session-token | Maintains your authenticated session after sign-in | Session / 30 days | Strictly necessary |
| next-auth.csrf-token | Protects against cross-site request forgery attacks | Session | Strictly necessary |
| next-auth.callback-url | Stores the return URL for redirect after authentication | Session | Strictly necessary |
Because we only use strictly necessary cookies, we do not require cookie consent under PECR. Strictly necessary cookies are exempt from the consent requirement as they are essential for the provision of the service you have requested.
If we introduce any non-essential cookies in the future (such as analytics or preference cookies), we will update this policy and implement a cookie consent mechanism before deploying them.
11. Data Processing Agreements
Where we process personal data on behalf of our business customers (i.e., where we act as a data processor), our obligations are governed by a Data Processing Agreement (“DPA”) that forms part of our service agreement. Our DPA sets out the subject matter, duration, nature, and purpose of processing, the types of personal data processed, and the categories of data subjects, in accordance with Article 28 of the UK GDPR.
Our DPA includes commitments to process personal data only on documented instructions from the controller, ensure that persons authorised to process the data have committed themselves to confidentiality, implement appropriate technical and organisational security measures, assist the controller in responding to data subject requests, and delete or return all personal data upon termination of the service.
If you require a copy of our standard DPA, please contact us at privacy@reg-nexus.com.
12. Children's Data
RegNexus Mail is a B2B service designed exclusively for professional and regulated businesses. Our services are not directed at individuals under the age of 18, and we do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete that data as promptly as possible.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify affected organisations via email or through an in-platform notification.
We encourage you to review this Privacy Policy periodically. Your continued use of our services after any changes to this policy constitutes acceptance of the updated terms.
14. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle personal data, please contact our Data Protection Officer:
We aim to respond to all privacy-related enquiries within 5 business days. For formal data subject access requests, we will respond within one calendar month as required by the UK GDPR.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk