Privacy Policy.

Smpl Security (“Smpl”, “we”, “us”) provides a security and compliance scanning platform. We connect to the services your organisation uses, analyse their configuration and code for security issues, and report findings back to you. This policy explains what data we collect, how we use and store it, who we share it with, and how long we keep it. It applies to our web application, our API, and the Smpl MCP connector.

We collect the following categories of data:

• Account information. Name, email address, organisation name, and authentication identifiers when you create an account or are invited to one.
• Connected service data. When you connect a service (GitHub, Vercel, Supabase, Cloudflare, Stripe, Resend, and similar), we access configuration, metadata, access-control settings, and source code through that service’s API. Access is requested with the minimum scopes required to perform a scan, and is read-only wherever the provider supports it.
• Scan results and findings. Security findings, severity, affected assets, remediation status, and compliance evidence generated by our scans.
• Credentials and tokens. OAuth tokens and API keys for connected services. These are encrypted before storage (see Section 4).
• Usage and diagnostic data. Log data, IP address, and product interactions used to operate, secure, and improve the service.

We use the data described above to:

• scan connected services and generate security findings and compliance evidence;
• display findings, remediation guidance, and compliance status to authorised members of your organisation;
• send notifications you have configured, such as alerts on new critical findings;
• operate, secure, troubleshoot, and improve the service;
• process billing through our payment provider; and
• comply with legal obligations.

Data is stored on infrastructure operated by our hosting and database providers (see Section 5) in encrypted form at rest. OAuth tokens and API keys for connected services are additionally encrypted at the application layer before being written to the database, and are decrypted only at the moment they are needed to perform a scan. Access to production data is restricted to authorised personnel and protected by authentication and access controls. All network traffic is encrypted in transit using TLS.

We share data with the following service providers strictly to operate Smpl. Each processes data on our behalf under its own terms and security commitments:

• Supabase — database, authentication, and storage.
• Vercel — application hosting and serverless compute.
• Stripe — subscription billing and payment processing.
• Resend — transactional and notification email delivery.

We also access data from the services you choose to connect, using the credentials you provide. We do not otherwise share your data with third parties except where required by law, to protect the rights and safety of Smpl or others, or as part of a merger, acquisition, or sale of assets, in which case we will notify you.

Smpl offers a remote Model Context Protocol (MCP) server that lets AI assistants, such as Claude, access your Smpl data on your behalf. When you authorise the connector:

• authorisation uses OAuth 2.0 with an explicit consent step; you can revoke access at any time from your Smpl account settings;
• the connector exposes a limited set of tools that read your security findings and compliance status, and that update the status of a finding;
• the connector returns only the data required to answer a request and does not access your AI assistant’s conversation history, memory, or unrelated files;
• requests made through the connector are subject to this Privacy Policy. Data handled by your AI assistant is additionally governed by that assistant provider’s own privacy policy.

Smpl Security is available as an app on the Stripe App Marketplace. When you install the app and connect your Stripe account via OAuth:

• we request read-only access to your Stripe account’s charges, payment intents, customers, webhook endpoints, and balance — the minimum permissions required to run posture scans (ST-001 through ST-004);
• your OAuth access token is encrypted before storage and decrypted only at scan time; it is never logged or transmitted to third parties;
• the app does not read, store, or process payment card numbers, bank account details, or other financial instrument data — it reads configuration metadata only;
• scan findings (for example, a webhook endpoint URL flagged as non-HTTPS) are stored as described in Section 4 and are accessible only to authorised members of your Smpl organisation;
• you can disconnect the Stripe App at any time from your Stripe Dashboard or from your Smpl account settings, at which point your OAuth token is deleted and no further scans are performed.

We retain account information for as long as your account is active. Connected service data, scan results, and findings are retained while the relevant connection exists and for up to 90 days after a connection is removed or an account is closed, after which they are deleted or anonymised, except where a longer period is required to meet legal, accounting, or security obligations. Credentials and tokens for a connected service are deleted promptly when that service is disconnected. You may request deletion of your data at any time (see Section 9).

Smpl and its sub-processors may process data in countries other than the one in which you are located. Where data is transferred across borders, we rely on appropriate safeguards, such as standard contractual clauses, to protect it.

Depending on your location, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise these rights, or to disconnect a service and have its data removed, use the controls in your account settings or contact us at the address below. We will respond within the time required by applicable law.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you through the service or by email.

For privacy questions or requests, contact us at privacy@smplsecurity.ai. We will respond within 30 days.