Overview
Simpra, Inc. ("Simpra", "we", "us") provides an AI compliance platform. This Privacy Policy describes how we collect, use, share, and protect information when you visit our website or use our Service. It applies to our role as a data controller for our website visitors, prospects, and customer administrators.
When our customers use the Simpra platform, we act as a data processor on their behalf for the data they upload or process through the Service. Our handling of that data is governed by our agreement with the customer, including our Data Processing Addendum.
1. Information We Collect
1.1 Information you provide
- Account information: name, business email, company name, role, phone number (optional).
- Authentication data: credentials if you use password authentication; provider identifiers if you use SSO.
- Billing information: handled by our payment processor; we do not store full payment card details.
- Communications: messages you send us through email, forms, support, or demo requests.
- Customer Data: data you upload or generate inside the Service (policies, controls, evidence, questionnaire responses). We process this on your behalf; you are the controller.
1.2 Information collected automatically
- Usage data: pages visited, features used, actions taken within the Service.
- Device and browser data: IP address, browser type and version, operating system, device identifiers.
- Log data: server logs, application logs, error reports.
- Cookies and similar technologies: see Section 8.
1.3 Information from third parties
- Identity providers: if you sign in through SSO (Google Workspace, Okta, Azure AD), we receive identifying information from those providers.
- Integration providers: if you connect integrations (AWS, GitHub, Azure, etc.), we receive data from those systems per the integration's configuration.
- Business tools: we may receive limited enrichment data (job title, company size) from B2B data providers to tailor our communications.
2. How We Use Information
We use information to:
- Provide, maintain, and improve the Service;
- Create and manage your account;
- Process payments and send invoices;
- Communicate with you about the Service, updates, and support;
- Send marketing communications (where permitted and subject to opt-out);
- Monitor and analyze Service usage, performance, and security;
- Detect and prevent fraud, abuse, and security incidents;
- Comply with legal obligations;
- Exercise and defend legal rights.
Under GDPR, our legal bases for processing include:
- Contract: processing necessary to provide the Service you've requested.
- Legitimate interests: improving our Service, preventing abuse, and running our business, balanced against your rights.
- Consent: where required, such as for marketing communications and certain cookies.
- Legal obligation: where processing is required by law.
3. How We Share Information
We do not sell personal information. We share information only as described below:
- Service providers and sub-processors: with vendors who help us deliver the Service, under contract and confidentiality obligations. See Section 4.
- Within your organization: administrators of your account can see user activity and data within your tenant.
- With your consent: when you direct us to, such as through an integration you enable.
- Legal obligations: when required by law, court order, or valid legal process, or to protect the rights, property, or safety of Simpra, our customers, or others.
- Business transfers: in connection with a merger, acquisition, or sale of assets, with notice and continued protection of your information.
4. Sub-Processors
We engage a limited set of sub-processors to help us deliver the Service. Each is contractually bound to confidentiality and data protection obligations at least as protective as those in this Privacy Policy.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure (compute, storage, databases) | United States / Canada |
| Anthropic | AI model inference for drafting and assistance features | United States |
| OpenAI | Embedding generation for semantic search | United States |
| Stripe | Payment processing and billing | United States |
| Postmark | Transactional email delivery | United States |
We maintain an up-to-date list of sub-processors on our Security page. Customers with active DPAs receive advance notice of material changes to our sub-processor list.
5. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Account data: retained for the duration of your subscription plus a reasonable wind-down period.
- Customer Data: retained per your instructions and the terms of your subscription. Following termination, Customer Data is available for export for thirty (30) days before deletion.
- Billing and tax records: retained as required by financial and tax regulations (typically 7 years).
- Logs and security telemetry: retained for a rolling period sufficient for incident investigation and audit, typically 12–24 months.
- Marketing communications: retained until you opt out, then removed from active campaigns.
6. Security
We implement appropriate technical and organizational measures to protect your information, including encryption in transit (TLS 1.2+) and at rest, access controls, logging and monitoring, regular security testing, and personnel training. For a detailed overview, see our Security page.
No method of transmission or storage is completely secure. In the event of a personal data breach affecting you, we will notify you in accordance with applicable law.
7. Your Rights
Depending on where you live, you may have rights under GDPR, CCPA, PIPEDA, or similar laws, including:
- Access: request a copy of the personal information we hold about you.
- Correction: request that we correct inaccurate or incomplete information.
- Deletion: request that we delete your personal information, subject to legal exceptions.
- Portability: receive a copy of your information in a structured, machine-readable format.
- Objection and restriction: object to certain processing, or request that we restrict how we use your information.
- Opt-out of marketing: unsubscribe from marketing emails using the link in any such email.
- Withdraw consent: where we rely on consent, you can withdraw it at any time.
- Lodge a complaint: with your local data protection authority.
To exercise these rights, contact us at privacy@simpra.ai. If your request relates to data we process on behalf of a customer (as a processor), we will direct you to that customer to handle the request.
California residents. In addition to the rights above, California residents have the right to know what categories of personal information we collect, the purposes for which we use it, and to whom we disclose it; to request deletion; and not to be discriminated against for exercising rights. We do not sell or share personal information for cross-context behavioral advertising.
8. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
- Essential cookies: required for the Service to function (authentication, session management, security).
- Preference cookies: remember your settings and choices.
- Analytics cookies: understand how the Service is used so we can improve it.
You can control cookies through your browser settings. Disabling essential cookies will prevent parts of the Service from functioning. We honor Global Privacy Control (GPC) signals where applicable.
9. Children's Privacy
The Service is not directed to or intended for individuals under the age of sixteen (16). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
10. International Data Transfers
Simpra operates primarily from Canada, with infrastructure in the United States and Canada. If you access the Service from outside these regions, your information will be transferred to, stored, and processed in them.
Where required by law (including GDPR), we rely on appropriate transfer mechanisms for personal data leaving the UK, European Economic Area, or Switzerland, including Standard Contractual Clauses and, where applicable, adequacy decisions. Our Data Processing Addendum includes the current SCCs for customer-directed processing.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above. For material changes, we will provide additional notice — typically by email to account administrators or through a notice in the Service — at least thirty (30) days before the change takes effect. We encourage you to review this Policy periodically.
12. Contact Us
Questions, requests, or concerns about this Privacy Policy? Contact us at:
Simpra, Inc.
Privacy: privacy@simpra.ai
Security: security@simpra.ai
General: hello@simpra.ai
For EU/UK residents: you also have the right to lodge a complaint with your local data protection authority.
© 2026 Simpra, Inc. This Privacy Policy is effective as of the date shown above and supersedes any prior versions.