GDPR & Data Protection
Effective Date: December 17, 2025
Last Updated: December 17, 2025
1. Purpose of This Page
This page explains how Simplist complies with the General Data Protection Regulation (GDPR) and similar data protection laws. It complements and should be read together with our Privacy Policy and Terms of Service.
2. GDPR Principles
We follow the core data protection principles set out in GDPR:
- Lawfulness, fairness, and transparency: we process data only where we have a valid legal basis and we explain our practices clearly.
- Purpose limitation: we collect data for specific, legitimate purposes and do not use it in ways that are incompatible with those purposes.
- Data minimization: we collect only the data that we need to provide and operate the Service.
- Accuracy: we keep personal data accurate and up to date where reasonably possible.
- Storage limitation: we retain personal data only for as long as needed for the stated purposes and legal requirements.
- Integrity and confidentiality: we implement appropriate security measures to protect data.
- Accountability: we maintain internal records and contracts with processors and can demonstrate compliance with GDPR.
3. Legal Bases and Typical Processing Activities
Examples of how we apply legal bases in practice include:
- Contract performance: creating and managing accounts, projects, articles, roles, and API access; providing analytics dashboards; sending necessary account emails (e.g. password reset, security notifications).
- Legitimate interests: protecting the Service from abuse, monitoring security, aggregating analytics, and improving product features.
- Legal obligations: retaining invoices, payment records, and certain logs for tax and accounting compliance.
- Consent: where required by law for non-essential tracking or when you explicitly enable certain optional features in your own integration.
4. Your Data Protection Rights
If you are in the EU/EEA or another region with similar rights, you have the following rights:
- Right of access: to know whether we process your personal data and to receive a copy.
- Right to rectification: to correct inaccurate or incomplete data.
- Right to erasure: to request deletion of your data in certain circumstances (for example by deleting your account).
- Right to restriction of processing: to request that we limit processing while a request or dispute is being resolved.
- Right to data portability: to receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract and is carried out by automated means.
- Right to object: to object to processing based on our legitimate interests, in certain situations.
- Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting prior lawful processing.
You can exercise many of these rights using features in the dashboard (for example, updating account information, deleting projects, or deleting your account). You can also contact us at privacy@simplist.blog with your request.
5. Processors and International Transfers
To provide the Service, we rely on service providers that act as processors for activities such as hosting, databases, caching, storage, email delivery, authentication, and payment processing. We enter into data processing agreements with these providers to ensure that:
- They process data only on our instructions;
- They implement appropriate technical and organizational measures;
- They assist us in meeting GDPR obligations, including data subject rights and breach notification;
- They delete or return data upon termination of their services, where applicable.
Some processors may be located outside the EU/EEA. When personal data is transferred internationally, we rely on legal mechanisms such as Standard Contractual Clauses (SCCs) or adequacy decisions to protect your data.
6. Data Breach Response
We have procedures in place to detect, report, and investigate personal data breaches. If a breach is likely to result in a high risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority without undue delay, where required by law; and
- Notify affected users without undue delay, describing the nature of the breach, likely consequences, and measures taken or proposed to address it.
7. Privacy by Design and by Default
We implement privacy by design and by default in Simplist by:
- Limiting the personal data we collect to what is necessary for the Service;
- Providing role-based access controls so that only authorized users can manage projects, members, and billing;
- Using pseudonymous identifiers in analytics instead of directly identifiable user data;
- Offering account and project deletion workflows from the dashboard;
- Avoiding third-party ad tracking cookies in the product.
8. Supervisory Authorities and Complaints
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority. In France, the supervisory authority is the CNIL:
9. Contact
For questions about GDPR or data protection, or to exercise your rights, please reach out to our data protection contact:
Data Protection Contact
Email: privacy@simplist.blog
For more details on how we collect and handle data, please read the Privacy Policy and Cookie Policy.