Privacy Policy
Effective Date: June 8, 2026
Product: RegSecure AI v1.2.0 Beta
The short version: We don't collect, store, or have access to your data. Everything runs on your device. There is no server. There is nothing to breach — and nothing to subpoena.
1. How RegSecure AI Works
RegSecure AI is desktop software that runs entirely in your web browser. It uses WebGPU technology to run an AI model locally on your device. When you open a contract, agreement, case file, or regulatory filing, it is processed in browser memory — it is never transmitted to any server.
Zero Data Collection
We collect zero personal data, zero documents, zero analytics, zero telemetry, and zero usage statistics. There are no cookies, no tracking pixels, and no third-party analytics scripts. We operate no backend infrastructure that could receive your data.
2. What Stays on Your Device
- Your documents — contracts, agreements, NDAs, case files, regulatory filings, PDFs, Word files, and text; these are processed in browser memory and optionally stored in encrypted local storage (IndexedDB)
- AI analysis results — clause analysis, risk detection, missing-term findings, summaries, and chat history are stored locally
- The AI model — downloaded once (~2 GB) and cached in your browser for offline use
- Your encryption key — derived from your password using PBKDF2, never stored or transmitted
- Embedding vectors — generated locally for semantic search
3. What Leaves Your Device
- One-time AI model download — on first use, the AI model weight files are downloaded from the Hugging Face CDN. The AI runtime libraries are served from this domain (self-hosted). After that, the model is cached locally and the app works offline.
- Nothing else. No documents, no analysis results, no personal data, no usage data.
You can verify this at any time using the built-in Privacy Monitor, which shows all network activity in real time.
4. Encryption & Local Storage
All locally stored data is encrypted with AES-256-GCM. Your encryption key is derived from your master password using PBKDF2 with 600,000 iterations. We never see, store, or have access to your password or encryption key.
If you forget your password, your data cannot be recovered — by you or by us. This is by design.
RegSecure AI also offers an optional duress password: when configured, entering it permanently and irreversibly destroys all stored workspace data on the device. This destruction is local and is not reported anywhere.
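The key derivation and encryption described in this section, as an added Node.js example that is not RegSecure AI's own code. The SHA-256 PRF, the 16-byte salt, the 12-byte nonce and the record layout are assumptions; the iteration count and cipher are the ones stated above.

```javascript
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

const ITERATIONS = 600000; // stated in the policy
const KEY_BYTES = 32;      // AES-256

// PBKDF2 with SHA-256 (the hash function is an assumption; the page does not name it).
function deriveKey(password, salt) {
  return pbkdf2Sync(password, salt, ITERATIONS, KEY_BYTES, "sha256");
}

// Encrypts one record. Only salt, nonce, ciphertext and tag are kept;
// neither the password nor the derived key is part of the stored record.
function sealRecord(password, plaintext) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const key = deriveKey(password, salt);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  key.fill(0); // mutable buffer, so it can be zeroed before release
  return { salt, iv, ct, tag };
}

// Returns the plaintext, or null when the GCM tag does not verify
// (wrong password or a modified record). There is no other recovery path.
function openRecord(password, rec) {
  const key = deriveKey(password, rec.salt);
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, rec.iv);
    decipher.setAuthTag(rec.tag);
    return Buffer.concat([decipher.update(rec.ct), decipher.final()]).toString("utf8");
  } catch {
    return null;
  } finally {
    key.fill(0);
  }
}
```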
5. Multi-Pass Document Segmentation
RegSecure AI uses multi-pass segmentation to identify section boundaries in your documents. The pipeline combines:
- Visual boundary detection — typography (font-size jumps), whitespace patterns (multi-newline runs), and line shape (ALL-CAPS heading candidates, indentation changes) identify structural transitions.
- Linguistic boundary detection — regex-based patterns target legal-document conventions: numbered sections, lettered sub-clauses, Roman-numeral sub-items, and legal keywords (WHEREAS, NOW THEREFORE, IN WITNESS WHEREOF, Section N, Article N).
- Legal-domain boundary detection — Title-Case inline section headings (e.g., "Dispute Resolution.") and SCHEDULE / EXHIBIT / APPENDIX / ANNEX markers.
- Boilerplate filter — lines appearing ≥3 times (page headers/footers, form-field underlines, repeated metadata) are filtered from boundary detection.
- Weighted-voting aggregator — proposals from multiple detectors merge within a ±2 line window; confidence sums determine emission.
All segmentation runs locally in your browser. No document content is sent to any server.
Honest scope. The segmentation pipeline implements three of the four passes described in our patent application (US 19/428,113, pending): visual boundary detection, linguistic and legal-domain boundary detection, and weighted-voting aggregation. The semantic embedding pass is deferred — initial measurement showed marginal F1 improvement on the test corpus combined with significant performance cost for on-device embedding on long documents. Future releases will revisit if corpus or hardware characteristics shift the trade-off.
6. PDF Extraction with Hybrid OCR Merge
When you upload a PDF, the app first attempts native text extraction via the embedded pdf.js library. For pages where native extraction returns sparse content (below 200 characters or 10 text items), the app falls back to optical character recognition (OCR) using Tesseract.js. OCR runs entirely on your device — no document content is sent to any server. The native text from high-content pages and the OCR text from sparse pages are merged into a single document representation before downstream analysis. Per-page progress is shown during OCR processing, and you can cancel mid-document; cancellation preserves the pages OCR'd so far.
Pages beyond the first 50 are skipped (current cap); the cap applies whether extraction is native, OCR, or hybrid.
Honest scope. OCR confidence is observed but does not currently influence the per-page choice — the threshold is applied to native extraction yield only.
7. Memory Scrubbing — Best-Effort Cleanup
RegSecure AI attempts to clear sensitive data from your device's memory at predictable moments: when you lock the vault, switch documents, time out, trigger a duress wipe, or close the browser tab.
What we do:
- Mutable buffers (such as cryptographic salts) are filled with zeros before the reference is dropped.
- Document text, chunk text, AI prompts, and search results are dropped from references; for the immutable string types JavaScript requires for text, we rely on the browser's garbage collector to reclaim that memory.
- On vault lock, the on-device AI model, embedding worker, and OCR worker are torn down so their compute resources and internal caches are released.
- A best-effort tab-close handler attempts the same scrub before the page unloads.
What we cannot do:
- Force the browser to zero memory it controls (cryptographic key storage, GPU buffers, garbage collector heap).
- Inspect or scrub memory the garbage collector has already reclaimed.
- Prevent operating-system-level memory inspection (swap files, hibernation images, kernel core dumps).
This is best-effort defense, not a guarantee. For threat models that include forensic memory inspection of the device itself, OS-level protections (full-disk encryption, encrypted swap, secure boot) are required.
8. Tamper-Evident Audit Trail
RegSecure AI maintains a tamper-evident HMAC-SHA256-chained record of operations performed on your documents (vault unlock, document loads, analyses, exports, etc.). Each entry includes a sequence number, timestamp, operation type, hash of inputs and outputs, and a MAC computed over the entry and the previous entry's MAC. The chain is stored encrypted on your device alongside your documents.
Verifiable with your master password. The MAC key is derived from your master password (PBKDF2 + HKDF). To verify the chain, you re-derive the key with your master password and recompute the MACs — entries that have been altered or removed will fail verification. Verification can be run inside the app (Settings → Verify Audit Chain) or against an exported bundle using a standalone verifier (see Settings → Export Audit Trail).
Never leaves the device. The audit chain is stored locally with your documents. It is exported only if you explicitly choose to. The exported bundle is plain JSON; the verifier is a single self-contained HTML file that works offline without contacting any server.
Rollback detection. Alongside the chain, the application maintains a separately-stored watermark recording the highest sequence number and final MAC of the chain. On verification, the watermark is compared against the live chain: if entries appear to have been removed (truncation), if the chain's final MAC does not match the watermark (snapshot replacement), or if the chain has been wholesale-cleared while the watermark persists, verification surfaces the discrepancy. The watermark is included in exported bundles so the standalone verifier performs the same comparison offline.
Limitations:
- The chain proves that an entry was created by the running application under your vault's MAC key. It does not prove that the content of an entry is independently true. A party with persistent control of the running application could write entries that pass verification.
- Verification is symmetric: anyone you give the exported bundle to must also know your master password to verify the chain. The chain is not third-party verifiable without the password.
- If a duress password is configured and entered, the chain is terminated at a duress marker and all data (including the rest of the chain) is irreversibly destroyed. The marker records that termination happened but is not itself MAC-signed.
- Rollback detection compares the chain against a watermark stored alongside it. An attacker with persistent write access to that storage can defeat the check by reverting both the chain AND the watermark together — or by deleting the watermark first and then rolling back the chain later. The watermark catches partial reversion (chain rolled back, watermark forgotten); it does not catch coordinated reversion or deliberate disarm.
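The chain and watermark checks described in this section, as an added Node.js example that is not RegSecure AI's own code or its standalone verifier. The entry encoding, field names, genesis value and result labels are assumptions, and a constructed key stands in for the PBKDF2 + HKDF output.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");
const GENESIS = "00".repeat(32); // assumed "previous MAC" for the first entry
// MAC over the entry's fields and the previous MAC (encoding is an assumption).
function macEntry(key, e, prevMac) {
  const body = JSON.stringify([e.seq, e.ts, e.op, e.ioHash, prevMac]);
  return createHmac("sha256", key).update(body).digest("hex");
}

// Appends an entry and returns the new watermark, which is stored separately.
function appendEntry(key, chain, op, ioHash, ts) {
  const prevMac = chain.length ? chain[chain.length - 1].mac : GENESIS;
  const e = { seq: chain.length + 1, ts, op, ioHash };
  e.mac = macEntry(key, e, prevMac);
  chain.push(e);
  return { seq: e.seq, mac: e.mac };
}

function macEquals(a, b) {
  const x = Buffer.from(a, "hex"), y = Buffer.from(b, "hex");
  return x.length === y.length && timingSafeEqual(x, y);
}

// Returns "ok" or a label for the first discrepancy found.
function verifyChain(key, chain, watermark) {
  let prevMac = GENESIS;
  for (const [i, e] of chain.entries()) {
    if (e.seq !== i + 1) return `gap-at-${i + 1}`;
    if (!macEquals(e.mac, macEntry(key, e, prevMac))) return `bad-mac-at-${e.seq}`;
    prevMac = e.mac;
  }
  if (!watermark) return "ok-no-watermark"; // rollback cannot be detected
  if (chain.length === 0) return "chain-cleared";
  if (chain.length < watermark.seq) return "truncated";
  return macEquals(prevMac, watermark.mac) ? "ok" : "final-mac-mismatch";
}

function demo() { // constructed sample data
  const key = Buffer.alloc(32, 7); // stand-in for the PBKDF2 + HKDF output
  const chain = [];
  const marks = ["vault_unlock", "document_load", "analysis"].map((op, i) =>
    appendEntry(key, chain, op, `constructed-hash-${i}`, 1700000000 + i));
  const edited = chain.map((e) => ({ ...e, op: e.seq === 2 ? "export" : e.op }));
  return {
    intact: verifyChain(key, chain, marks[2]),
    edited: verifyChain(key, edited, marks[2]),
    truncated: verifyChain(key, chain.slice(0, 2), marks[2]),
    cleared: verifyChain(key, [], marks[2]),
    coordinated: verifyChain(key, chain.slice(0, 2), marks[1]), // the stated limitation
  };
}
```

The `coordinated` case returns "ok" because the chain and the watermark were reverted together, which is the limitation the last bullet above describes.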
9. No Accounts, No Signup
RegSecure AI does not require an account, email address, or any form of registration. There is no login, no user database, and no way for us to identify who uses the software.
10. Third-Party Services
The application loads the following external resources from public CDNs on first use only:
- AI model weight files from the Hugging Face CDN
These CDNs may log standard web-server access data (IP address, timestamp, user agent) for the one-time download. We have no control over their logging practices and we receive none of that data. Fonts and all other libraries are self-hosted on this domain (no third-party font or analytics services are used). After the initial load, all resources are cached locally and the app works offline.
11. Confidential & Privileged Documents
RegSecure AI is intended for use with confidential, privileged, and regulated documents. Because document content is processed entirely on your device and never transmitted, using RegSecure AI does not transmit privileged material to us or to any third party. You remain responsible for the security of your own device and for compliance with any confidentiality, privilege, or data-handling obligations applicable to you or your organization.
12. Children's Privacy
RegSecure AI is a professional contract-analysis tool not directed at children under 13. We do not knowingly collect information from children.
13. Changes to This Policy
We may update this policy when new features are added. Since we don't collect email addresses, we cannot notify you directly. The effective date at the top of this page indicates when it was last revised.
14. Contact
Questions about this privacy policy? Contact us at support@regsecure.ai
Why This Policy Is So Short
Most privacy policies are long because companies collect a lot of data and need to explain what they do with it. We don't collect any data, so there's not much to explain.