Simple Agent
Create my agent
Docslgpd

GDPR & Privacy

How Simple Agent handles personal data, data residency, and how to configure your instance for GDPR compliance.

The General Data Protection Regulation (GDPR — EU 2016/679) and equivalent laws such as Brazil's LGPD require that personal data be processed with transparency, security, and a specific purpose. Simple Agent was built with data protection as a design requirement, not an afterthought.

Data residency

By default, all customer data for EU-based accounts is stored in Frankfurt (AWS eu-central-1):

  • Postgres database (Neon): eu-central-1
  • Vectors (pgvector): eu-central-1
  • Source backups (R2): replicated in eu-central-1
  • Conversation logs (Logtail): 90-day retention, EU

No conversation data leaves the EU on Starter, Growth, and Agency EU plans.

Brazil accounts: data is stored in São Paulo (AWS sa-east-1) by default, in compliance with LGPD.

What data Simple Agent collects

Operator data (you)

  • Account email
  • Billing data (tokenized via Stripe)
  • Training source content (documents, URLs)
  • Agent configuration

End-user data (your users)

  • Messages exchanged with the agent
  • IP address (masked after collection — only the first 3 octets are stored)
  • Browser User-Agent
  • Lead capture opt-in (if configured)

Simple Agent does NOT collect:

  • End-user names or national ID numbers
  • End-user payment data
  • Browsing behavior outside the widget

Legal basis for processing

Data Legal basis Rationale
Account email Contract performance (Art. 6(1)(b)) Required for authentication
Conversations Legitimate interest (Art. 6(1)(f)) Service quality improvement
Captured leads Consent (Art. 6(1)(a)) Explicit opt-in in the widget
Anonymous analytics Legitimate interest Aggregate data without PII

Compliance settings

1. Disable conversation storage

If you don't need conversation history in the dashboard:

Settings → Privacy → Store conversations → Disable

With this option disabled:

  • Conversations are not recorded
  • Volume analytics continue working (counters only)
  • You lose: conversation replay, unanswered question analysis

2. Automatic PII scrubbing

Simple Agent automatically scrubs PII from conversations before storage:

  • National ID numbers: detected and redacted
  • Email addresses: detected and redacted
  • Phone numbers: detected and redacted
  • Credit card numbers: last 4 digits preserved, rest redacted

Enable in Settings → Privacy → PII Scrubbing → Enable.

3. Consent banner in the widget

For widgets that may capture leads, add the consent banner:

<script
  src="https://simple-agent.me/widget/loader.js"
  data-agent-id="YOUR-AGENT-ID"
  data-consent-required="true"
  data-consent-text="By chatting, you accept our Privacy Policy."
  data-consent-link="/privacy"
  async
></script>

The widget displays the banner before the first message and blocks sending without acceptance.

DPA (Data Processing Agreement)

For Growth, Agency, and Scale plans, we provide a signed DPA that documents:

  • Simple Agent's obligations as a data processor
  • Technical security measures
  • Incident notification procedure (72 hours, as required by GDPR Art. 33)
  • Authorized sub-processors

Request it in Settings → Legal → Request DPA.

Data subject rights

Simple Agent provides API endpoints to respond to data subject rights requests from your users:

Export a user's data

POST /v1/privacy/export
{
  "user_identifier": "ip:192.168.1",
  "format": "json"
}

Delete a user's data

POST /v1/privacy/delete
{
  "user_identifier": "session:abc123",
  "confirm": true
}

Data retention

Type Default retention Configurable
Conversations 365 days 30–365 days
System logs 90 days No
Billing data 7 years (legal obligation) No
Embeddings While source is active Yes

To change retention: Settings → Privacy → Data retention.

Certifications and audits

  • SOC 2 Type II: Controls mapped; external report not yet issued
  • ISO 27001: Controls mapped; certification not yet issued
  • OWASP Top 10: Internal reviews and automated tests in progress
  • Penetration test: External testing program planned; reports will be available under NDA when issued

For enterprise-specific security requirements, contact our security team: security@simple-agent.me.