RK Regnor Knowledge
  • About
  • Capabilities
  • Proof of Concept
  • Method
  • Contact
Book a Call
  • About
  • Capabilities
  • Proof of Concept
  • Method
  • Contact
Book a Discovery Call

Privacy Policy

Last updated: May 2026

Summary: Regnor Knowledge is a knowledge-as-a-service consultancy based in Bangalore, India, serving clients globally. We design structured extraction systems and hand them to you. We do not process your documents on an ongoing basis, we do not use analytics or tracking on this website, and we do not sell or share your personal data with third parties for marketing purposes. This policy explains what data we collect, why, and what rights you have under applicable data protection laws - including India's Digital Personal Data Protection Act, 2023 (DPDP Act), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) where applicable.

1. Data Controller / Data Fiduciary

The entity responsible for the processing of your personal data is:

Regnor Knowledge
A service of Flowcraft
Bangalore, Karnataka, India
Email: romil@regnor.systems

Under India's DPDP Act, we act as the Data Fiduciary. Under the EU GDPR, we act as the Data Controller. If you have questions about how your data is processed, or wish to exercise any of your rights, you may contact us at the email address above. We will respond within 30 days.

2. Applicability

This Privacy Policy applies to:

  • All visitors to this website (regnorknowledge.com / regnor.systems).
  • All individuals who contact us via email, scheduling tools, or other communication channels.
  • All clients who engage our services, regardless of their geographic location.

Because we serve clients globally, we comply with the data protection laws applicable to you based on your jurisdiction:

  • India - Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000.
  • European Union / EEA / UK - General Data Protection Regulation (GDPR) and UK GDPR, which apply when we process personal data of individuals in those regions.
  • California, USA - California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), which apply when we process personal information of California residents.
  • Other jurisdictions - we respect the data protection rights afforded to you by your local laws.

3. What Personal Data We Collect

We collect only the minimum data necessary to communicate with you and deliver our services.

3.1 Data you provide directly

  • Contact information - your name, email address, company name, and job title when you book a discovery call, send us a brief, or contact us via email.
  • Scheduling data - appointment date, time, timezone, and any notes you include when booking through Google Calendar Appointments.
  • Communication content - the content of emails, messages, and briefs you send us.
  • Project-related information - descriptions of your document types, domain taxonomy, organizational structure, and workflow requirements shared during discovery and engagement.
  • Sample documents - if you choose to share sample documents for system calibration during an engagement (see Section 8 for detailed handling).

3.2 Data collected automatically

  • Server logs - our hosting provider (Vercel) may collect standard server access logs including IP address, browser type, referring URL, and timestamp. These logs are used solely for security monitoring and are automatically deleted after 30 days.

3.3 Data we do NOT collect

  • We do not use cookies (no first-party, no third-party, no session, no persistent).
  • We do not use analytics services (no Google Analytics, no Plausible, no Mixpanel, no Hotjar - nothing).
  • We do not use tracking pixels, fingerprinting, or any behavioral tracking technology.
  • We do not collect payment card details directly (payments are processed through invoicing and bank transfer).
  • We do not process special categories of personal data (health, biometric, political opinions, religious beliefs, etc.) unless your documents inherently contain such data, in which case Section 8 applies.

4. Purpose and Legal Basis for Processing

We process your personal data only for specific, stated purposes. The legal basis depends on your jurisdiction:

Processing activityPurposeLegal basis (GDPR)Legal basis (DPDP Act)
Responding to your inquiry or scheduling a callPre-contractual communicationLegitimate interest (Art. 6(1)(f))Consent / Legitimate use
Preparing and sending a proposalService deliveryPre-contractual steps (Art. 6(1)(b))Consent
Delivering the engagementContractual obligationPerformance of contract (Art. 6(1)(b))Consent / Contractual necessity
Processing sample documentsSystem calibrationPerformance of contract (Art. 6(1)(b))Consent
Issuing invoices, maintaining tax recordsLegal complianceLegal obligation (Art. 6(1)(c))Compliance with Indian law
Follow-up communication after engagementBusiness relationshipLegitimate interest (Art. 6(1)(f))Legitimate use

We do not use your data for profiling, automated decision-making, marketing to third parties, or any purpose beyond what is described above. Under the DPDP Act, we process data only for the purposes communicated to you at the time of collection.

5. How We Use Your Data

We use the personal data we collect for the following purposes and no others:

  • Communication - responding to inquiries, scheduling discovery calls, sending proposals, and coordinating during engagements.
  • Service delivery - designing extraction templates, prompts, and wiki architecture calibrated to your domain.
  • System calibration - if sample documents are provided, using them solely to test and refine the extraction system being built for you.
  • Invoicing and accounting - issuing invoices and maintaining financial records as required by Indian tax law (Income Tax Act, 1961 and GST Act, 2017).
  • Legal compliance - fulfilling obligations under applicable law, including responding to lawful requests from authorities.

6. Data Sharing and Third-Party Services

We do not sell, rent, or trade your personal data. We do not share your data with third parties for their marketing purposes. We share data only with the following categories of service providers, and only to the extent necessary for the stated purpose:

6.1 Service providers we use

ServicePurposeData sharedLocation
Google Workspace (Calendar, Gmail)Scheduling, email communicationName, email, appointment detailsGoogle LLC (US) - covered by Standard Contractual Clauses for EU data subjects
VercelWebsite hostingIP address, access logs (automatic)Vercel Inc. (US) - global CDN
Google FontsTypography renderingIP address (automatic on page load)Google LLC (US)

6.2 LLM providers (during engagements only)

During the system design phase, we may use large language model (LLM) services to test and refine extraction prompts. This is a critical privacy consideration and we handle it as follows:

  • We never send your actual documents to LLM providers without your explicit written consent.
  • When testing prompts, we use synthetic data, anonymized excerpts, or publicly available documents unless you explicitly authorize the use of your sample materials.
  • If you authorize the use of sample documents with LLM services, we will disclose which provider (e.g., OpenAI, Anthropic, Google) will be used and confirm their data processing terms with you before proceeding.
  • We select LLM providers that offer enterprise-grade data handling - specifically, providers whose API terms confirm that input data is not used for model training.
  • The delivered system is designed so that your team chooses which LLM provider to use. We do not mandate any specific provider, and your production data never passes through our infrastructure.

6.3 When we may be required to share data

  • In response to a valid legal request from a court, regulatory authority, or law enforcement agency with jurisdiction.
  • To comply with Indian tax law requirements (e.g., sharing invoice data with tax authorities during an audit).
  • To protect our legal rights in the event of a dispute.

7. Cross-Border Data Transfers

Regnor Knowledge is based in India and serves clients globally. This means personal data may be transferred across borders in both directions:

7.1 Data flowing into India

When we collect data from clients outside India (e.g., EU, US, UK), that data is processed in India. For EU/EEA/UK data subjects, we rely on:

  • Standard Contractual Clauses (SCCs) - where required, we will enter into EU-approved Standard Contractual Clauses with you to ensure adequate protection for personal data transferred from the EU/EEA/UK to India.
  • Explicit consent - in some cases, we rely on your explicit, informed consent to the transfer as part of the engagement agreement.

7.2 Data flowing out of India

Under India's DPDP Act, cross-border transfers of personal data are permitted to all jurisdictions unless the Central Government specifically restricts transfer to a particular country (the "negative list" approach). As of the date of this policy, no such restrictions have been notified that affect our operations.

7.3 Third-party services

Some services we use (Google, Vercel) are operated by US-based companies. For EU data subjects, Google LLC participates in the EU-US Data Privacy Framework. We ensure that appropriate safeguards are in place for any international data transfer involving your personal data.

8. Client Document Policy

This section addresses the handling of documents shared during an engagement. It is central to our service model and your data protection.

Core principle: Regnor Knowledge designs extraction systems. We do not operate them. The delivered system runs entirely on your infrastructure, with your chosen LLM provider, under your control. We have no ongoing access to your documents or knowledge base after delivery.

8.1 During the engagement

  • Sample documents are optional. We can design systems based on document descriptions, taxonomies, and publicly available examples alone. Sharing actual documents accelerates calibration but is never required.
  • If you share sample documents:
    • They are used exclusively for designing and testing the extraction system.
    • They are stored on encrypted local storage (not cloud-synced) during the engagement.
    • They are permanently deleted within 14 days of project completion, unless a different retention period is agreed in writing.
    • We will confirm deletion in writing upon request.
  • Sensitive documents: If your documents contain special category data (health records, legal proceedings, financial data subject to regulatory requirements), we will agree on additional safeguards in writing before any documents are shared. These may include: working only with anonymized excerpts, using air-gapped environments, or designing the system entirely without access to real documents.

8.2 After delivery

  • The delivered system (templates, prompts, architecture, documentation) becomes your property.
  • We retain no copy of the delivered system unless you request ongoing support.
  • We have no access to your production knowledge base, your documents, or any data processed by your team using the system.
  • If you engage us for follow-up work, a new data handling agreement will be established for that scope.

8.3 AI-generated output disclaimer

The extraction systems we design use large language models to process documents. LLM outputs may contain inaccuracies, hallucinations, or misinterpretations. The systems include source-tracing mechanisms, but ultimate responsibility for verifying extracted knowledge rests with your team. We do not guarantee the accuracy of AI-generated output.

9. Data Retention

We retain personal data only as long as necessary for the purpose it was collected:

Data typeRetention periodReason
Contact information (prospects who did not engage)12 months after last contactLegitimate interest in follow-up
Contact information (clients)Duration of engagement + 3 yearsContractual obligations, potential follow-up, warranty period
Invoices and financial records8 yearsIndian tax law (Income Tax Act, 1961 - Section 44AA; GST Act - Section 36)
Email correspondenceDuration of engagement + 2 yearsContractual reference, dispute resolution
Sample documentsDeleted within 14 days of project completionNo longer necessary
Server access logs (Vercel)30 days (automatic)Security monitoring

After the retention period expires, data is permanently deleted or anonymized. You may request earlier deletion at any time (see Section 11), subject to legal retention obligations.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures are commensurate with the nature and volume of data we process:

  • Encryption in transit - all communication with this website is encrypted via TLS 1.3. Email communication uses TLS where supported by the recipient's mail server.
  • Encryption at rest - sample documents and project files are stored on encrypted storage (FileVault full-disk encryption).
  • Access control - only authorized Flowcraft personnel have access to client data. We do not employ subcontractors with access to your data without prior written consent.
  • Secure deletion - sample documents are securely deleted (not just moved to trash) upon project completion.
  • No cloud sync for client documents - sample documents are not stored in cloud services (no Dropbox, no Google Drive, no iCloud) unless explicitly agreed with you in writing.
  • Device security - work devices are protected with strong passwords, biometric authentication, and automatic screen lock.

10.1 Data breach notification

In the unlikely event of a personal data breach:

  • For all clients: We will notify you directly without undue delay (and in any event within 72 hours of becoming aware of the breach) if the breach is likely to affect your personal data or documents.
  • For EU/EEA/UK data subjects: We will notify the relevant supervisory authority within 72 hours as required by Article 33 GDPR, and notify you directly if the breach poses a high risk to your rights and freedoms (Article 34 GDPR).
  • Under India's DPDP Act: We will notify the Data Protection Board of India and affected Data Principals as required by Section 8(6) of the DPDP Act, in the manner prescribed by the DPDP Rules.
  • The notification will include: the nature of the breach, the categories of data affected, the likely consequences, and the measures taken to address and mitigate the breach.

11. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data. You may exercise any of these rights by contacting us at romil@regnor.systems.

11.1 Rights under India's DPDP Act (Data Principals in India)

  • Right to access - obtain a summary of your personal data being processed and the processing activities undertaken.
  • Right to correction and erasure - request correction of inaccurate data or erasure of data that is no longer necessary.
  • Right to grievance redressal - raise a grievance with us regarding our data processing. We will acknowledge and resolve grievances within the timeframe prescribed by the DPDP Rules.
  • Right to nominate - nominate another individual to exercise your rights in the event of your death or incapacity.
  • Right to withdraw consent - withdraw consent at any time, with the understanding that withdrawal does not affect the lawfulness of processing carried out before withdrawal.

11.2 Rights under EU/UK GDPR (Data subjects in EU/EEA/UK)

  • Right of access (Art. 15) - request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) - request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) - request deletion of your data where it is no longer necessary, or where you withdraw consent.
  • Right to restriction of processing (Art. 18) - request that we restrict processing while a dispute is resolved.
  • Right to data portability (Art. 20) - receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) - object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent - withdraw consent at any time without affecting prior lawful processing.
  • Right to lodge a complaint - you may lodge a complaint with your local data protection supervisory authority.

11.3 Rights under CCPA/CPRA (California residents)

  • Right to know - request disclosure of the categories and specific pieces of personal information we have collected.
  • Right to delete - request deletion of personal information we have collected from you.
  • Right to opt-out of sale/sharing - we do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
  • Right to non-discrimination - we will not discriminate against you for exercising your privacy rights.

We will respond to all rights requests within 30 days. If your request is complex, we may extend this by an additional 60 days with notice.

12. Cookies and Tracking

This website does not use cookies. No first-party cookies, no third-party cookies, no session cookies, no persistent cookies. There is nothing to consent to because there is nothing to track.

We do not use any of the following:

  • Analytics services (Google Analytics, Plausible, Fathom, Matomo, etc.)
  • Advertising pixels (Meta Pixel, Google Ads, LinkedIn Insight Tag, etc.)
  • Session replay tools (Hotjar, FullStory, Microsoft Clarity, etc.)
  • A/B testing platforms
  • Browser fingerprinting or device identification
  • Local storage or IndexedDB for tracking purposes

The only external requests made by this website are to Google Fonts (for typography) and Vercel (for hosting/CDN). Neither sets cookies in the context of this website.

13. Third-Party Links

This website contains links to external services (Google Calendar for booking, LinkedIn for professional profile). These services have their own privacy policies and data practices. Once you leave our website, we have no control over how those services process your data. We encourage you to review their privacy policies before providing personal information.

14. Children's Privacy

Our services are designed for businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will delete it immediately and notify the parent or guardian where possible.

15. Grievance Officer (India)

In accordance with the DPDP Act and the Information Technology Act, 2000, the Grievance Officer for Regnor Knowledge is:

Flowcraft
Email: romil@regnor.systems
Response time: Within 72 hours of receipt of grievance, with resolution within 30 days.

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India (once constituted and operational under the DPDP Act).

16. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. When we make material changes:

  • The "Last updated" date at the top of this page will be revised.
  • For active clients, we will notify you of material changes via email at least 14 days before they take effect.
  • Previous versions of this policy are available upon request.

Continued use of this website after changes are posted constitutes acceptance of the revised policy for website visitors. For clients under active engagement, the privacy terms agreed at the time of the proposal govern unless you consent to updated terms.

17. Contact

For any questions, concerns, or requests related to this Privacy Policy or your personal data, contact:

Flowcraft
Regnor Knowledge
Bangalore, Karnataka, India
romil@regnor.systems

● Regnor Knowledge · Knowledge as a Service · 2026 Privacy Terms