Privacy Policy

1. Introduction

Simple Smarts LLC ("we," "our," or "us") operates Renewal Pilot, an AI-powered contract renewal monitoring service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at renewalpilot.io (the "Service").

We are committed to protecting your privacy and ensuring the security of your data. This policy complies with applicable data protection laws, including GDPR, CCPA, and other relevant privacy regulations.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, company name, job title
• Payment Information: Billing address, payment method details (processed securely via Stripe)
• Contract Documents: Contract files, vendor information, renewal dates, and related metadata
• Communications: Messages, support requests, and feedback you send to us

2.2 Information Automatically Collected

• Usage Data: Features used, time spent, actions taken within the Service
• Device Information: IP address, browser type, device identifiers, operating system
• Log Data: Server logs, error reports, performance metrics
• Cookies: Authentication tokens, preferences, analytics data

2.3 AI Processing Data

Important: When you upload contracts for AI analysis, your document content will be processed by Anthropic AI services to extract key terms, dates, and insights.

By using Renewal Pilot and uploading contracts, you acknowledge and consent to:

• Your contract data being transmitted to Anthropic for AI analysis
• Processing according to their privacy policy and terms of service
• 30-day data retention by AI provider for abuse monitoring (then deleted)
• Zero use of your data for training or improving AI models

Review AI vendor privacy policy:

• Anthropic: anthropic.com/legal/privacy

3. How We Use Your Information

• Service Provision: Analyze contracts, send renewal alerts, provide dashboard insights
• AI Enhancement: Improve contract analysis accuracy and feature development
• Communication: Send service updates, renewal notifications, and support responses
• Billing: Process payments, generate invoices, manage subscriptions
• Security: Detect fraud, prevent abuse, ensure platform security
• Legal Compliance: Meet regulatory requirements and respond to legal requests
• Analytics: Understand usage patterns to improve our service

4. Information Sharing and Disclosure

4.1 Third-Party Service Providers

• AI Processing: Anthropic for contract analysis (with data processing agreement)
• Payment Processing: Stripe for secure payment handling
• Email Services: SendGrid for transactional emails and notifications
• Infrastructure: Vercel and Supabase for hosting and database services
• Analytics: Sentry for error tracking and performance monitoring

4.2 Legal Requirements

We may disclose your information when required by law, to protect our rights, or in response to valid legal process such as subpoenas or court orders.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

5. Data Security

We implement industry-standard security measures to protect your information:

5.1 Encryption

• Data in Transit: All data transmitted using TLS 1.2+ encryption (HTTPS)
• Data at Rest: AES-256 encryption for stored data including contracts and account information
• API Communications: All API calls encrypted end-to-end

5.2 Infrastructure Security

• Database Security: Row-level security (RLS) policies ensuring data isolation between customers
• Access Controls: Multi-factor authentication and role-based access for all systems
• Monitoring: 24/7 security monitoring, intrusion detection, and incident response
• Vendor Security: All infrastructure providers (Vercel, Supabase, Anthropic) are vetted for security and privacy practices and maintain industry-standard certifications

5.3 Organizational Measures

• Data Minimization: We collect only necessary information for service provision
• Regular Audits: Security assessments and vulnerability testing
• Incident Response: Documented procedures for security incidents
• Employee Training: Staff trained on data protection and security practices

6. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations. The following table summarizes our retention periods:

AI Training Data: We do not use your contracts or personal data to train AI models. Your data is processed for analysis only and is not retained by AI providers beyond their abuse monitoring period (30 days).

6.1 Data Retention After Cancellation

Upon subscription cancellation, we retain your data for a total of 6 months, divided into two periods:

• Grace Period (0–30 days): Your data remains accessible in read-only mode. You may export your data via Settings → Privacy → Download My Data at any time during this period.
• Archive Period (30 days–6 months): Your data is archived and not directly accessible. Data may be restored upon resubscription by contacting support at support@renewalpilot.io.

After 6 months from cancellation, all data is permanently and irreversibly deleted from our systems.

Right to Erasure: You may request immediate deletion of your personal data at any time by contacting us at support@renewalpilot.io, in accordance with GDPR Article 17 (Right to Erasure) and CCPA requirements.

Data Portability: You may export your data in a structured, machine-readable format at any time while your account is active or during the 30-day grace period, in accordance with GDPR Article 20 (Right to Data Portability).

7. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

7.1 Your Rights

• Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You can request that we delete the personal information we have collected about you, subject to certain exceptions (e.g., legal compliance, completing transactions).
• Right to Opt-Out: You have the right to opt out of the "sale" or "sharing" of your personal information. We do not sell or share your personal information for cross-context behavioral advertising.
• Right to Correct: You can request that we correct inaccurate personal information we maintain about you.
• Right to Limit Use of Sensitive Information: You can limit how we use sensitive personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

7.2 Exercising Your Rights

To exercise your California privacy rights, you may:

• Email us at: privacy@simplesmarts.io
• Use the data export and deletion features in your account settings
• Submit a request through our support portal

We will verify your identity before processing your request and respond within 45 days as required by law. You may designate an authorized agent to make a request on your behalf.

8. GDPR Compliance (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR).

8.1 Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide our Service to you
• Legitimate Interests: Processing for our legitimate business purposes (security, improvement, analytics) where your rights do not override these interests
• Consent: Where you have given explicit consent (e.g., marketing communications)
• Legal Obligation: Processing required to comply with applicable laws

8.2 Your Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

• Right of Access: Obtain confirmation of processing and a copy of your personal data
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restriction: Request limitation of processing in certain circumstances
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or direct marketing
• Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal effects

8.3 International Data Transfers

Our services are hosted in the United States. When we transfer personal data from the EU/EEA to the US, we rely on:

• Standard Contractual Clauses (SCCs): EU-approved contractual safeguards with our service providers
• Additional Technical Measures: Encryption, access controls, and data minimization
• Vendor Compliance: Our sub-processors maintain appropriate data protection certifications

8.4 Data Protection Officer

For GDPR-related inquiries, you may contact our Data Protection Officer:

8.5 Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at: edpb.europa.eu

9. Your Rights and Choices

9.1 Access and Control

• Account Management: Update your profile and preferences in your account settings
• Data Access: Request a copy of your personal data we hold
• Data Correction: Request correction of inaccurate information
• Data Deletion: Request deletion of your account and associated data
• Data Portability: Request your data in a machine-readable format

9.2 Communication Preferences

• Marketing emails: Unsubscribe via email links or account settings
• Service notifications: Essential for security and billing (cannot be disabled)
• Renewal alerts: Manage frequency and channels in your dashboard

9.3 Communications and Notifications

We offer multiple channels to keep you informed about your contracts. By opting into these channels, you consent to receive the communications described below.

9.3.1 Email Notifications

Email is our default notification channel. All users receive essential service emails including renewal reminders, cancellation deadline alerts, price change notifications, and weekly/monthly digests (if enabled). You can manage email frequency in your account settings but cannot disable security-related or billing notifications.

9.3.2 SMS/Text Message Notifications

9.3.3 WhatsApp Notifications

9.3.4 Managing Your Preferences

You can manage all notification preferences in your account settings:

• Visit Settings > Notifications in your dashboard
• For SMS: Reply STOP to any message or disable in settings
• For WhatsApp: Disable in your account settings
• Contact support@renewalpilot.io for assistance

10. International Data Transfers

Our services are hosted in the United States. If you are located outside the US, your information will be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction.

For EU users, we ensure adequate protection through appropriate safeguards such as Standard Contractual Clauses and compliance with data protection frameworks.

11. Children's Privacy

Our Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If we discover we have collected information from a child under 18, we will delete it immediately.

12. Cookies and Tracking

We use cookies and similar technologies to:

• Maintain your login session and remember your preferences
• Analyze usage patterns and improve our service
• Provide security features and prevent fraud
• Deliver personalized content and recommendations

You can control cookies through your browser settings, but disabling them may affect service functionality. For more information, see our Cookie Policy.

13. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes via email or prominent notice in our Service at least 30 days in advance. Your continued use of the Service after such notice constitutes acceptance of the updated policy.

14. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us: