Privacy Policy
SimpledAId is a product of Simpled Tech Limited, a company registered in England and Wales (company number 13391034, registered office 2 Eastbourne Terrace, London, W2 6LG, United Kingdom) ("we", "us", "Simpled Tech", "SimpledAId"). This policy explains how we handle personal data when you visit simpledaid.com, when you use SimpledAId as a customer, and when SimpledAId processes the messages of shoppers who chat with our customers' stores.
We take a deliberate, two-role approach to data, and we ask you to read §2 first, because which role we are in changes who is responsible for what.
1. Who we are and how to contact us
- Controller (for our own data): Simpled Tech Limited, 2 Eastbourne Terrace, London, W2 6LG, United Kingdom.
- Privacy contact: [email protected].
- ICO registration: Simpled Tech Limited is registering with the UK Information Commissioner's Office (ICO); our registration reference will be published here once issued.
- We are not currently required to appoint a statutory Data Protection Officer, but the privacy contact above is your single point of contact for all data-protection matters.
2. The two roles SimpledAId plays — please read this first
SimpledAId handles personal data in two distinct capacities, and the law treats them differently:
A. When you are our customer (a business using SimpledAId), and for visitors to simpledaid.com — we are the controller. We decide why and how your account, billing and website-analytics data are processed. The rest of this policy applies to you directly.
B. When a shopper chats with the SimpledAId widget installed on our customer's store — we are the processor, and our customer is the controller. We process those chat messages only on our customer's instructions, to provide the chatbot service. We do not decide the purposes of that processing. If you are a shopper and want to exercise your rights over a chat you had on a store's website, the controller is that store, not us. Please contact them. We will assist them in responding, and we will pass your request to them if you reach us by mistake. The contractual terms governing this processor relationship are in our Data Processing Addendum.
Everything below is written from the controller perspective unless it explicitly says "as a processor".
3. The personal data we collect
3.1 Account data (we are controller)
When you sign up for or use SimpledAId: your name, business name, email address, password (stored hashed), billing details (processed by our third-party payment provider — we do not store full card numbers), the store or website you connect, configuration choices, support correspondence, and usage and diagnostic logs (IP address, browser, actions in the app).
3.2 Website and marketing data (we are controller)
When you browse simpledaid.com: analytics and device data via cookies (see our Cookie Policy), and — if you use our email-gated demo chatbot — the email address you enter and the messages you send to the demo bot (we use these to follow up about SimpledAId and to improve the demo; lawful basis: legitimate interests or consent, see §5).
3.3 End-customer chat data (we are processor; our customer is controller)
When the SimpledAId widget runs on a customer's store, it processes whatever shoppers type or that the store passes to it: messages, and any personal data they contain — typically names, email addresses, order numbers, and product or delivery queries. We process this strictly on our customer's behalf and instructions. Customers are contractually required not to send special-category data (health, biometric, etc.) or full payment-card numbers through the widget.
4. Why we use your data (purposes)
- Provide, operate and secure the SimpledAId service and the chatbot widget.
- Authenticate you, manage your account and process billing.
- Generate AI responses (see §6) and learn the customer's own knowledge base so the bot can answer accurately.
- Provide support and respond to your enquiries.
- Measure and improve the website and product, and detect and prevent abuse and fraud.
- Send service messages and, where permitted, marketing about SimpledAId (you can opt out at any time).
- Comply with our legal obligations.
5. Lawful basis (UK and EU GDPR)
| Purpose | Lawful basis |
|---|---|
| Providing the service to our customer; billing | Contract (Art 6(1)(b)) |
| Operating the chatbot on a store (chat data) | We act as processor; the customer relies on its own lawful basis (usually contract or legitimate interests) |
| Security, fraud prevention, product improvement, B2B marketing of our own product | Legitimate interests (Art 6(1)(f)) — balanced against your rights; you may object |
| Non-essential cookies or analytics on simpledaid.com; the demo-bot email follow-up | Consent (Art 6(1)(a) + PECR/ePrivacy) — withdrawable at any time |
| Keeping records, responding to legal requests | Legal obligation (Art 6(1)(c)) |
6. AI and automated processing (important)
SimpledAId is an AI product. You should know exactly what that means for your data:
- How it works. To generate replies, the chatbot sends the relevant conversation text to large-language-model (LLM) providers acting as our sub-processors — currently OpenAI and/or Anthropic (see §7 and the Sub-processor list). They return a response, which the bot delivers.
- Your data is NOT used to train AI models. We use these providers under their business/API terms, which contractually prohibit using inputs or outputs to train or fine-tune their foundation models. We do not consent to, and have not enabled, any training on customer or end-customer data. We will not change this without updating this policy and notifying customers.
- Retention at the LLM provider. Under their API terms, these providers retain request data only transiently for abuse-monitoring (for example up to 30 days, shorter or zero where a zero-data-retention arrangement applies) and then delete it. They do not retain it for their own purposes.
- No solely-automated decisions with legal effect. SimpledAId answers questions and assists with sales; it does not make decisions that produce legal or similarly significant effects on a person without human involvement (Art 22). Customers configure escalation to a human agent for anything that needs it.
- It can be wrong. AI output may be inaccurate; the customer (store) remains responsible for the information it provides to shoppers.
7. Who we share data with (sub-processors and third parties)
We share personal data only with vetted service providers ("sub-processors") who process it on our behalf under written data-processing terms, and where legally required.
Our current sub-processors — what each does and where data is hosted — are listed and kept up to date in our Sub-processor list. They include, in summary: cloud database and hosting (Supabase), edge hosting / CDN / DNS (Cloudflare), the LLM providers (OpenAI and/or Anthropic), the human-handoff helpdesk (Chatwoot, self-hosted on our own infrastructure), our third-party payment provider, email and communications (Microsoft 365), and website analytics (Google Analytics 4, Microsoft Clarity).
We do not sell your personal data, and we do not share it for cross-context behavioural advertising. We may disclose data if required by law, to enforce our terms, or in connection with a corporate transaction (we will tell you if that happens).
8. International data transfers
We are UK-based and serve customers in the UK, EU and US. Some sub-processors are located in, or transfer data to, the United States and other countries outside the UK/EEA. Where we transfer personal data internationally, we rely on an appropriate safeguard:
- UK International Data Transfer Addendum (IDTA) / UK Addendum to the EU SCCs, for transfers out of the UK;
- EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision 2021/914), for transfers out of the EEA; and/or
- the EU-US / UK Extension / Swiss-US Data Privacy Framework, where the recipient is certified.
Our major sub-processors (Supabase, Cloudflare, OpenAI, Anthropic) provide these mechanisms in their data-processing terms. A copy of the relevant safeguard is available on request from [email protected].
9. Your rights
Under UK and EU GDPR you have the right to: access your data; rectify inaccurate data; erase data ("right to be forgotten"); restrict or object to processing; data portability; and to withdraw consent at any time (without affecting prior lawful processing). Where we rely on legitimate interests you may object, and we will stop unless we have overriding grounds.
To exercise any right, email [email protected]. We will respond within one month (extendable by two months for complex requests) and we do not charge for genuine requests. We may need to verify your identity.
If you are a shopper whose chat data was processed on a store's website, please contact that store (the controller). If you contact us, we will forward your request to them.
You also have the right to lodge a complaint with a supervisory authority — in the UK the Information Commissioner's Office (ico.org.uk), or your local EU data-protection authority. We would appreciate the chance to resolve it first.
10. How long we keep data
| Data | Retention |
|---|---|
| Account and billing data | For the life of the account, plus 6 years for tax and legal records after closure |
| End-customer chat data (as processor) | As instructed by the customer; by default for the contract term, then deleted or returned on termination (see DPA) |
| Website analytics | Per the retention set in GA4 (default 14 months) |
| Demo-bot leads | Until you ask us to delete, or 24 months of inactivity |
| Security and diagnostic logs | 90 days |
LLM-provider transient retention is covered in §6.
11. Security
We protect personal data with technical and organisational measures appropriate to the risk, including: encryption in transit (HTTPS/TLS) and at rest; tenant isolation in our database (every record is scoped by a tenant identifier and access is enforced by row-level security, so one customer's data cannot be read by another); least-privilege access controls; and reputable, certified infrastructure providers. No system is perfectly secure, but we work to industry-standard practice. If a personal-data breach occurs, we will notify the relevant parties as the law requires (and, where we are processor, our customer without undue delay).
12. California privacy rights (CCPA/CPRA)
If you are a California resident, you have rights to know and access, delete, correct, and to opt out of the sale or sharing of your personal information, plus the right to non-discrimination for exercising them.
We do not sell your personal information, and we do not share it for cross-context behavioural advertising. Because we do not sell or share, no "Do Not Sell or Share My Personal Information" mechanism is required — but you may still exercise your access, deletion and correction rights by emailing [email protected]. We will verify your request and respond within the statutory timeframe. You may use an authorised agent. The categories of personal information we collect and the purposes are described in §3–§4; we disclose personal information to the service providers in §7 for business purposes only.
13. Children
SimpledAId is a business tool not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided data, contact [email protected] and we will delete it.
14. Other regions
Our GDPR-grade posture also supports our obligations under Canada's PIPEDA, the Australian Privacy Act (APPs) and the Swiss FADP. If you are in one of these jurisdictions and have a specific request, contact [email protected].
15. Changes to this policy
We may update this policy. We will change the "last updated" date above and, for material changes, notify customers by email or in-app. Continued use after the effective date means you accept the updated policy.
Related: Cookie Policy · Terms of Service · Sub-processor list.