Overview
The General Data Protection Regulation (GDPR) is a European Union regulation that protects the privacy and personal data of EU residents.
SimpleAI is committed to GDPR compliance and respects the data protection rights of all users, regardless of location.
Our Role
- We act as a Data Controller for account and usage data
- We act as a Data Processor for content processed through our API
Legal Basis for Processing
We process your personal data based on:
Contract Performance (Article 6(1)(b))
- Account creation and management
- Processing API requests
- Customer support
Legitimate Interests (Article 6(1)(f))
- Service improvement and analytics
- Fraud prevention and security
- Marketing to existing customers
Consent (Article 6(1)(a))
- Marketing communications
- Optional analytics cookies
Your GDPR Rights
Under GDPR, you have the following rights:
Right to Access (Article 15)
Request a copy of all personal data we hold about you.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete data.
Right to Erasure (Article 17)
Request deletion of your personal data ("right to be forgotten").
Right to Restrict Processing (Article 18)
Request limitation of how we use your data.
Right to Data Portability (Article 20)
Receive your data in a machine-readable format.
Right to Object (Article 21)
Object to processing based on legitimate interests.
Right to Withdraw Consent (Article 7)
Withdraw consent at any time for consent-based processing.
Exercising Your Rights
How to Make a Request
- Email: gdpr@simpleai.dev
- Subject: "GDPR Request - [Your Right]"
Verification
We may need to verify your identity before processing requests.
Response Time
We will respond within 30 days. Complex requests may take up to 90 days.
No Fee
Exercising your rights is free. Excessive or repetitive requests may incur a fee.
International Data Transfers
Your data may be transferred outside the EEA. We ensure adequate protection through:
Standard Contractual Clauses (SCCs)
We use EU-approved SCCs with our service providers.
Adequacy Decisions
Some transfers are to countries with EU adequacy decisions.
Service Providers
- Vercel (US) - EU-US Data Privacy Framework certified
- Stripe (US) - EU-US Data Privacy Framework certified
- OpenAI/Anthropic (US) - SCCs in place
Data Protection Officer
While not legally required for our size, we have designated a privacy lead:
Contact:
Email: dpo@simpleai.dev
Supervisory Authority
You have the right to lodge a complaint with your local data protection authority. For users in Ireland, this is the Data Protection Commission (dataprotection.ie).
Data Breach Notification
In the event of a personal data breach:
Authority Notification
We will notify the relevant supervisory authority within 72 hours if the breach is likely to result in a risk to your rights.
User Notification
We will notify affected users without undue delay if the breach is likely to result in a high risk to your rights.
Our Process
- Immediate containment and assessment
- Documentation of the breach
- Notification as required
- Remediation and prevention measures