Privacy Policy

Effective Date: December 17, 2025
Last Updated: December 17, 2025

1. Overview

This Privacy Policy explains how Simplist ("Simplist", "we", "us", or "our") collects, uses, stores, and shares personal data when you visit simplist.blog or app.simplist.blog, create and use an account, integrate our REST API at api.simplist.blog, or use our TypeScript SDK @simplist.blog/sdk.

We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR).

2. Data Controller

The data controller responsible for your personal data is:

Gaëtan HUSZOVITS
Email: privacy@simplist.blog
Website: https://simplist.blog
Country: France

3. Legal Bases for Processing

We process your personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b) GDPR): to provide, operate, and support your use of the Service (account creation, authentication, projects, articles, analytics dashboards, API).
  • Legitimate interests (Art. 6(1)(f) GDPR): to secure our systems, prevent abuse, measure performance, and improve features.
  • Legal obligations (Art. 6(1)(c) GDPR): to comply with tax, accounting, and regulatory requirements.
  • Consent (Art. 6(1)(a) GDPR): where required for optional tracking or integrations that are not strictly necessary for the Service.

4. Data We Collect

4.1 Account and profile data

When you create or manage an account, we collect:

  • Email address;
  • Name and optional first/last name fields;
  • Profile image URL (from OAuth providers, if provided);
  • Account creation and update timestamps;
  • Account deletion workflow fields (e.g. deletionRequestedAt, deletionScheduledAt, deletionCanceledAt, reminder flags).

4.2 Authentication data

Depending on the sign-in method you use:

  • Email + password: we store a cryptographic hash of your password (never the plaintext), and email verification status.
  • OAuth (Google, GitHub): we store your provider ID, basic profile information (such as email, name, avatar URL), and tokens needed to maintain your session.
  • Passkeys (WebAuthn): we store your public key, credential ID, and passkey metadata, but never your private key.
  • Two-factor authentication (TOTP): we store encrypted secrets and backup codes used to verify login attempts.

4.3 Session and security data

To maintain secure sessions and detect suspicious sign-ins, we collect:

  • Session tokens and expiration times;
  • IP address and user agent at session creation;
  • Basic device and browser data used to detect unusual login activity.

4.4 Project and content data

Within each project we store configuration and content including:

  • Project metadata: name, slug, icon, color, avatar URL, timezone, default language, allowed origins, base URL, article URL pattern, subscription tier, subscription state, storage usage, monthly API call counters.
  • Articles: title, slug, content, excerpt, cover image URLs, status (draft/published/deleted/scheduled), publishedAt, scheduledPublishAt, statistics (word count, character count, line count, estimated read time), and relationships to tags and variants.
  • Article variants: same as articles but per language, with their own content, cover image, and statistics.
  • Tags: name, icon, color, and relationships to articles.
  • Webhooks: URLs, subscribed events, headers, custom templates, secret values, and delivery history.

Content may include personal data if you or your users choose to store such information. You are responsible for ensuring that such content is collected and processed lawfully.

4.5 Members, roles, and invitations

For collaboration features, we store:

  • Project members (userId, projectId, roleId, invitedBy, invitedAt, joinedAt);
  • Project roles (name, slug, and booleans for each permission, such as canManageProject, canManageMembers, canViewAnalytics, canManageBilling, canDeleteProject);
  • Invitations (email, projectId, roleId, token, status, expiresAt, invitedBy, invitedAt, acceptedAt).

4.6 API keys

For each API key we store:

  • Key ID and secret value;
  • Display name and permissions (e.g. read, analytics);
  • Project association;
  • Optional expiration date;
  • Last used timestamp and current status (active/deleted);
  • Creation and deletion timestamps.

4.7 Analytics data (visitors to your articles)

When you enable Simplist analytics and instrument your articles, we collect and process pseudonymous visitor analytics including:

  • Article and project identifiers (which article was viewed, in which project);
  • Pseudonymous visitor IDs and session IDs (generated client- or server-side);
  • Device and browser data: user agent, browser name/version, OS name/version, screen width/height, device type;
  • Traffic data: referrer URL and domain, UTM parameters (source, medium, campaign, term, content), page URL and title;
  • Derived geographic data (when requested): country, region, city, timezone, country code, using IP-based geolocation via trusted providers;
  • Engagement metrics: time on page, scroll depth, exit position, bounce flag, and timestamp of views and events;
  • Events: event type (e.g. scroll milestone, click), element selectors, event-specific data, and time offsets.

These analytics are designed to be privacy-friendly and are primarily used to provide aggregated statistics in your analytics dashboards. They are not used to build marketing profiles or sell data.

4.8 Billing and payment data

We use Stripe to process payments. Through Stripe we receive and store the following billing-related data:

  • Stripe customer ID and subscription ID;
  • Plan type, billing interval, and subscription status;
  • Basic payment method metadata (e.g. card brand, last four digits, expiry date);
  • Billing address and country (used for tax calculations);
  • Invoice and payment history (amount, currency, status, timestamps).

We do not store full card numbers, CVV codes, or bank account details; Stripe handles those directly.

4.9 Technical and diagnostic logs

To operate and secure the Service, we log:

  • API request metadata (path, method, status code, response time, projectId, apiKeyId where relevant);
  • Error logs, stack traces, and context required for debugging;
  • Scheduler activity (e.g. scheduled publishing, invitation expiry, account deletion cron jobs);
  • Cache and queue operations associated with analytics and article caching.

5. How We Use Your Data

We use the data described above to:

  • Provide, maintain, and improve the Service and its features;
  • Authenticate your Account and authorize access based on project roles and permissions;
  • Store and serve your Content via the dashboard, API, and SDK;
  • Generate analytics dashboards and statistics for your projects;
  • Enforce subscription quotas and plan limits;
  • Process payments, manage billing, and handle upgrades/downgrades;
  • Communicate with you about security events, billing issues, changes to policies, and important product updates;
  • Detect, investigate, and prevent fraud, abuse, and security incidents;
  • Debug issues, optimize performance, and plan product improvements.

We do not sell or rent your personal data to third parties.

6. Data Retention

We retain your data only as long as necessary for the purposes described in this Policy, subject to legal requirements:

  • Account data is kept while your Account is active. If you delete your Account, it is removed or anonymized after the deletion grace period, except for data we must keep for legal, tax, or security purposes.
  • Project and content data is stored until the Project or Article is deleted, or until we delete it due to prolonged inactivity or plan limits, in line with our Terms of Service.
  • Analytics data is stored for as long as the associated project and articles remain active, or until you delete them. Summarized aggregates may be kept longer in anonymized form.
  • Billing records and invoices are kept for the retention period required by French/EU tax and accounting law (typically up to 7–10 years).
  • Technical logs are kept for shorter periods (e.g. 30–365 days), depending on the log type, then aggregated or deleted.

Backups may contain copies of your data for a limited additional period until they are rotated or overwritten.

7. Sharing with Third Parties

We share limited data with trusted third-party processors who help us operate the Service, including:

  • Cloud hosting providers (compute, database);
  • Redis/caching providers for performance and API key caching;
  • Object storage providers (e.g. Cloudflare R2) for file uploads;
  • Email providers for sending transactional emails (verification, deletion, reminders);
  • OAuth providers (Google, GitHub) for authentication;
  • Stripe for payments and subscriptions.

These providers process data on our behalf under contracts that require them to protect your data and comply with relevant privacy laws.

We may also share data:

  • When required by law, court order, or governmental authority;
  • To enforce our Terms of Service or protect the rights, property, or safety of Simplist, our users, or the public;
  • In connection with a business transaction (e.g. merger, acquisition), with appropriate safeguards.

8. International Data Transfers

Some of our infrastructure and providers may be located outside your country, including outside the EU/EEA. When personal data is transferred internationally, we rely on:

  • European Commission adequacy decisions, where applicable;
  • Standard Contractual Clauses (SCCs) or equivalent contractual safeguards;
  • Provider commitments to GDPR-level protections and security practices.

9. Your Rights

If you are in the EU/EEA or a jurisdiction with similar privacy laws, you may have the following rights:

  • Access: request a copy of the personal data we hold about you and information on how it is used.
  • Rectification: correct inaccurate or incomplete personal data (you can also update many details in your account settings).
  • Erasure: request deletion of your personal data where we are not required to keep it by law (for example, by deleting your account).
  • Restriction: ask us to restrict processing while a dispute or request is being resolved.
  • Portability: request your data in a structured, commonly used, machine-readable format.
  • Objection: object to processing based on our legitimate interests, in certain circumstances.
  • Withdrawal of consent: where processing is based on your consent, withdraw consent at any time (without affecting prior lawful processing).

To exercise these rights, contact us at privacy@simplist.blog. We may need to verify your identity before acting on your request.

You also have the right to lodge a complaint with your local data protection authority. In France, this is the CNIL.

10. Security Measures

We implement technical and organizational measures to protect your data, including:

  • Transport-layer encryption (HTTPS/TLS) for all dashboard and API traffic;
  • Secure password hashing and secret storage;
  • Access controls on databases and infrastructure;
  • Rate-limiting and bot detection on public APIs;
  • Regular security updates, dependency management, and monitoring.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant authorities in accordance with legal requirements.

11. Cookies and Similar Technologies

Simplist uses limited first-party cookies and browser storage to provide essential functionality such as login sessions, CSRF protection, and basic UI preferences. We do not use third-party advertising cookies.

For more details about the cookies we set and how to manage them, please see our Cookie Policy.

12. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has created an account, please contact us so we can investigate and take appropriate action.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and may also notify you via email or in-app notifications.

Your continued use of the Service after the changes take effect constitutes your acceptance of them.

14. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

Data Controller:
Gaëtan HUSZOVITS
Email: privacy@simplist.blog

For additional legal information, see our Terms of Service and GDPR & Data Protection pages.