Privacy Principles

Executive Summary

ReGenesis is built on the seven foundational principles of the GDPR — not because EU law applies at launch, but because these principles represent the global gold standard for data protection and are the strongest trust signal an enterprise vendor can send to buyers.

The compliance strategy uses CCPA/CPRA as the regulatory floor (what the platform must satisfy for US launch) and GDPR as the design ceiling (what it builds to). This means every data flow, every AI inference, and every coaching interaction is designed to satisfy the strictest privacy standards in the world from day one. When ReGenesis expands internationally, the platform activates regional configurations rather than retrofitting the entire architecture.

The personal data ReGenesis handles is among the most sensitive in enterprise software: coaching session transcripts, personal development notes, emotional reflections, AI-generated behavioral insights, and feedback loops. Every byte of this data is classified, tracked through a Record of Processing Activities (RoPA), and governed by a defined lawful basis for processing. This is not a liability — it is a competitive moat. Enterprises trust the platform that takes privacy most seriously with their most valuable people.

Working Knowledge

The Seven GDPR Principles (The Design Ceiling)

Even though ReGenesis launches in the US, the platform is designed to GDPR standards. Here is what each principle means for daily product decisions:

1. Lawfulness, Fairness, and Transparency (Article 5(1)(a))

What it means: Every piece of data the platform processes must have a legal reason (lawful basis), must not be used in ways that would surprise or harm the person, and the person must know what is being done with their data.

What it means for ReGenesis:

• Every data processing activity has a documented lawful basis (contract, legitimate interest, or consent)
• The privacy notice is written in plain English, not legalese
• Sasha's AI outputs are always labeled as AI-generated
• Coachees can see exactly what data the platform holds about them

2. Purpose Limitation (Article 5(1)(b))

What it means: Data collected for one purpose cannot be used for a different, incompatible purpose without additional consent.

What it means for ReGenesis:

• Coaching session data is used for coaching insights — period
• ReGenesis does not repurpose coaching content for marketing, product training, or selling
• If anonymized data is used for AI model improvement, that requires separate, explicit consent
• Aggregated analytics for executives are a separate, defined purpose with their own lawful basis

3. Data Minimization (Article 5(1)(c))

What it means: Only collect and process data that is necessary for the stated purpose.

What it means for ReGenesis:

• The platform does not ingest entire email inboxes or full calendar data
• Evidence Packs at L2 level store excerpts and citations, not full session transcripts
• Sasha observes only what is within its granted permission scope
• See the dedicated Data Minimization page for full details

4. Accuracy (Article 5(1)(d))

What it means: Personal data must be accurate and kept up to date.

What it means for ReGenesis:

• Coachees and coaches can correct or update their data at any time
• AI-generated insights carry confidence indicators and evidence trails
• Evidence Packs allow users to trace back to source material and verify accuracy
• Stale or outdated coaching data can be archived or deleted

5. Storage Limitation (Article 5(1)(e))

What it means: Data should not be kept longer than necessary.

What it means for ReGenesis:

• Each client organization can configure its own retention period
• Default retention: active engagement + 12 months post-disengagement
• Automated retention scheduler identifies and flags data for deletion
• Deletion is real deletion (not soft-delete) with cryptographic deletion certificates

6. Integrity and Confidentiality (Article 5(1)(f))

What it means: Data must be protected against unauthorized access, loss, or damage.

What it means for ReGenesis:

• AES-256 encryption at rest, TLS 1.3 in transit
• Four-tier data visibility model (client_visible, coach_only, admin_aggregate, system_internal)
• Role-based access control across six user roles
• Audit logging of all data access events
• SOC 2 Type II audit trail (GA milestone)

7. Accountability (Article 5(2))

What it means: The data controller must be able to demonstrate compliance with all the above principles.

What it means for ReGenesis:

• Maintained Record of Processing Activities (RoPA)
• Data Protection Impact Assessments (DPIAs) for high-risk processing
• Regular compliance audits and documentation
• Designated Data Protection Officer (DPO) by GA milestone

---

Record of Processing Activities (RoPA)

The RoPA is a living document that catalogs every data processing activity in the platform. It is required under GDPR Article 30 and is a best practice that enterprise clients expect.

Field	Description	Example
Processing Activity	What the platform does with data	"Generate coaching insights from session transcript"
Data Categories	Types of personal data involved	Session transcript, coaching notes, behavioral patterns
Data Subjects	Whose data	Coachees, coaches
Lawful Basis	Legal ground for processing	Contractual necessity (B2B service agreement)
Recipients	Who receives the data	Coach (coach_only), Coachee (client_visible), Sasha (system_internal)
Retention Period	How long data is retained	Client-configured, default 12 months post-engagement
Security Measures	How data is protected	AES-256 at rest, TLS 1.3 in transit, RBAC
Transfer Mechanism	Cross-border details	US-only at launch; SCCs for EU expansion

---

Data Classification

All personal data in ReGenesis is classified at ingestion:

Classification	Description	Examples	Handling
Standard Personal Data	Identifiers and contact info	Name, email, job title, organization	Standard encryption, standard retention
Professional Context Data	Work-related information	Role descriptions, team structure, goals	Standard encryption, purpose-limited
Coaching Content Data	Session and development content	Transcripts, notes, reflections, action items	Enhanced encryption, strict access control
Sensitive Personal Data	Health, emotional, deeply personal	Mental health references, therapy topics, trauma	Sensitive data vault, explicit consent required
AI-Derived Data	Sasha's inferences and insights	Behavioral patterns, sentiment analysis, growth metrics	Evidence Pack audit trail, explainability

Sensitive Data Detection

The platform includes automated keyword and pattern detection that flags potentially sensitive personal data (health terms, emotional distress indicators, therapy references) for enhanced handling. See Health & Therapy Data for the full sensitive data protocol.

---

US-First Strategy: CCPA as Floor, GDPR as Ceiling

Requirement	CCPA/CPRA	GDPR	ReGenesis approach
Lawful basis for processing	Not required (opt-out model)	Required (opt-in model)	Build to GDPR: define lawful basis for all processing
Right to know/access	Yes	Yes (broader)	Build to GDPR: full data subject access
Right to delete	Yes	Yes (broader)	Build to GDPR: per-user deletion with certificates
Right to portability	No	Yes	Build to GDPR: structured data export
Data minimization	Implied	Explicit principle	Build to GDPR: enforced minimization
DPO requirement	No	Conditional	Appoint DPO by GA regardless
Breach notification	Yes (varies by state)	72 hours to authority	Build to GDPR: 72-hour notification capability
Consent for sensitive data	Yes (CPRA)	Yes (explicit consent)	Build to GDPR: explicit consent + sensitive vault

Technical Spec

---

Principle Interaction Map

Key Takeaway

The seven GDPR principles are not independent checkboxes — they form an interconnected system where Accountability ties everything together. Building to this standard from day one is cheaper than retrofitting later and sends the strongest possible trust signal to enterprise buyers.