Privacy Policy
This Privacy Policy explains how Simple Agent ("we", "our", or "us") collects, uses, stores, and shares information about you when you use our service. It is designed to comply with the General Data Protection Regulation (GDPR) and the Lei Geral de Proteção de Dados (LGPD — Lei 13.709/2018).
1. Who We Are / Data Controller
Simple Agent is operated by Simple Agent Tecnologia Ltda., a company incorporated in Brazil. We act as the data controller for information about our customers (workspace owners and members). When you use Simple Agent to deploy chatbots to your end users, you act as a data controller for your end users' data, and we act as a data processor on your behalf.
Data Protection Officer (DPO): dpo@simple-agent.me
2. What Data We Collect
2.1 Account data (customers)
- Email address (used as primary identifier)
- Workspace name and slug
- Billing information for paid subscriptions (processed by Stripe — we never store full card data)
- Usage telemetry: message counts, token usage, latency (no message content in billing)
2.2 End-user conversation data (processed on your behalf)
- Chat messages sent to your Simple Agent chatbot
- Lead capture data (email, name) if you enable lead forms
- Session ID (anonymised), country, page URL, user agent
- CSAT votes (thumbs up/down) if enabled
2.3 Automatically collected data
- Server logs (IP address, request path, timestamp) — retained 30 days
- Error reports via Sentry — PII scrubbed before transmission
- Analytics events (page views, button clicks) — anonymised, no cross-site tracking
3. How We Use Your Data
- Service provision: to authenticate you, run your chatbots, process billing, and provide support.
- Service improvement: aggregate, anonymised metrics about feature usage and performance.
- Legal obligations: to comply with applicable law, respond to lawful requests, and prevent fraud.
- Communications: transactional emails (magic-link, invoice, usage alerts). You may opt out of non-essential emails at any time.
We do not sell your data. We do not use your conversation data to train AI models. We do not share personal data with advertisers.
4. Legal Basis for Processing (GDPR / LGPD)
- Contract performance (GDPR Art. 6(1)(b)): processing your email and billing data to deliver the service.
- Legitimate interests (GDPR Art. 6(1)(f)): security monitoring, fraud prevention, service analytics.
- Legal obligation (GDPR Art. 6(1)(c)): retaining billing records as required by Brazilian tax law.
- Consent (LGPD Art. 7, I): marketing communications where required.
5. Data Retention
- Account data: retained for the duration of your subscription + 90 days after cancellation.
- Conversation messages: default 90-day retention. Configurable per workspace (Settings → Legal → Retention policy).
- Billing records: 5 years as required by Brazilian fiscal law (Lei 9.430/96).
- Server logs: 30 days rolling.
- Backups: encrypted, retained up to 7 days.
6. Your Rights (GDPR Art. 15–22 / LGPD Art. 18)
You have the right to:
- Access — obtain a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data ("right to be forgotten").
- Portability — receive your data in a machine-readable format (JSON).
- Restriction — limit processing in specific circumstances.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — at any time for consent-based processing.
Exercise your rights via Settings → Legal in your dashboard, or by emailing dpo@simple-agent.me. We respond within 15 days.
7. Subprocessors & Transfers
We use third-party services listed on our Security page. Some processors are located outside Brazil / the EEA. Transfers are covered by:
- EU Standard Contractual Clauses (SCCs) where applicable
- Adequacy decisions where available
- Data encrypted at rest (AES-256) and in transit (TLS 1.3); DPA available for Growth+ plans
8. Cookies
We use strictly necessary cookies for authentication (session token). We do not use third-party advertising cookies or tracking pixels. Analytics events are collected server-side without cookies. You can delete all cookies by logging out or clearing your browser storage.
9. Security
We implement technical and organisational measures including TLS 1.3, AES-256 encryption at rest, Row-Level Security at the database layer, PII scrubbing in logs, and regular independent security audits. See our Trust Center for details.
10. Children
Simple Agent is not directed at children under 16. We do not knowingly collect data from minors. If you believe a minor has provided personal data, contact dpo@simple-agent.me and we will delete it promptly.
11. Changes to This Policy
We will notify customers of material changes to this policy by email and by updating the "Last updated" date above, at least 30 days before the change takes effect.
12. Contact
Questions about this policy: dpo@simple-agent.me
General support: support@simple-agent.me
ANPD (Brazil) complaints: gov.br/anpd