Privacy
- Executive Summary
- Working Knowledge
ReGenesis operates in one of the most privacy-sensitive domains in enterprise software: AI-powered executive coaching that processes deeply personal, emotional, and developmental content. Privacy is not a compliance checkbox — it is a trust differentiator that unlocks enterprise sales.
The strategy: US-first launch under CCPA/CPRA as the regulatory floor, with GDPR as the design ceiling. Every architectural decision, data flow, and consent mechanism is built to satisfy the strictest global standard from day one. When the platform expands internationally, it requires a configuration switch — not a retrofit.
Privacy Commitments
| Principle | How ReGenesis Delivers |
|---|---|
| Data Sovereignty | Coachees own their data. Period. |
| Consent First | Granular, revocable consent for every data use |
| Minimization | Collect only what coaching requires, delete on schedule |
| Transparency | Every AI decision is explainable and auditable |
| Cross-Border Safety | Data residency controls, SCCs, transfer impact assessments |
How Privacy Is Organized
This section covers the full spectrum of privacy architecture — from foundational GDPR principles through consent management, data lifecycle, and the sensitive handling of health-adjacent data that is central to the platform's value proposition.
Quick Reference
| Topic | What It Covers | Context |
|---|---|---|
| Privacy Principles | Foundational GDPR principles, data classification, RoPA | Privacy foundation and regulatory alignment |
| Privacy by Design | DSRs, DPIAs, feature checklist, DPO | Feature development and architecture reviews |
| Consent Architecture | Lawful basis, consent management, enterprise context | Data collection and processing decisions |
| Data Minimization | Collection limits, retention, deletion, purging | Data storage and retention decisions |
| Data Lifecycle | 8-step pipeline from ingest to deletion | Data flow and pipeline architecture |
| Data Model | 12+ data stores, PostgreSQL schemas, relationships | Database feature development |
| Cross-Border Transfers | SCCs, TIAs, data residency, LLM provider handling | International operations and expansion |
| Health & Therapy Data | Special category data, sensitive vault, HIPAA readiness | Sensitive content handling |
| US State Privacy Laws | CCPA/CPRA, state patchwork, no-sale commitment | US regulatory compliance |
| Employment Data | Works councils, surveillance limits, aggregation | Enterprise coaching deployments |
| Breach Notification | 72-hour rule, incident response, post-mortems | Incident response planning |
| Automated Decisions | Human-in-the-loop, profiling, right to explanation | AI feature design and compliance |
Coverage Gaps (Tracked for Resolution)
The following gaps have been identified and are tracked for resolution across upcoming milestones:
| Gap | Priority | Target Stage | Target Date |
|---|---|---|---|
| Formal DSR procedures (intake form, identity verification, response templates) | High | Pilot | Q2 2026 |
| DPIA methodology (when PIA escalates, formal process, required participants) | High | Pilot | Q2 2026 |
| DPO role specification (independence, reporting line, responsibilities) | Medium | GA | Q3 2026 |
| Morning check-in data retention (mood/readiness self-reports, rolling window) | Medium | Pilot | Q2 2026 |
| "Preview as Client" audit trail (coach viewing coachee data, access logging) | Medium | Pilot | Q2 2026 |
| Wearable/biometric device data (consent, DPIA, data flow, opt-out) | Low | GA | Q4 2026 |
| Translation API data handling (data residency, processor agreements, retention) | Low | Global | 2027 |