Privacy Policy
Effective 2026-07-08. Last updated 2026-07-08. This Policy describes how Simple Intelligence Group, Inc. (“Simple Atlas,” “we,” “us”) collects, uses, shares, and protects information when you or your organization uses the Simple Atlas product at atlas.simpleintelligence.io (the “Service”). It also explains the choices you have about how we handle your information and the rights you can exercise.
1. Scope and roles
Simple Atlas is a business-to-business product. When your employer or organization creates a Simple Atlas workspace, that organization is the “Customer” and acts as the data controller for information its users add to the workspace. We act as the data processor on the Customer’s behalf under our Master Subscription Agreement and Data Processing Addendum. This Policy applies to the Service itself, our marketing website, and communications we send about the Service.
2. Information we collect
We collect four categories of information.
- Identifiers and account information. When you create or join a Simple Atlas workspace, we collect your name, email address, and (when you sign in via Microsoft Entra ID or Google) your identity provider’s object identifier and tenant identifier. When you sign in with credentials, we collect a salted hash of your password.
- Workspace content. Information you and your colleagues add to your workspace, including workspace name and branding, agent configurations, workflow definitions, tool registrations, evaluation prompts, and audit-log entries recording who changed what and when.
- Integration data. When a workspace administrator connects Microsoft Entra ID (for OIDC sign-in) or an upstream AI model provider (Anthropic, Azure OpenAI, or a self-hosted model via SimpleForge), we exchange records and metadata with that system on your behalf. The scope of that exchange is documented in the connector’s settings page in the product.
- Usage and operational data. Server logs, authentication events, audit log entries recording who changed what and when, feature usage counters, and telemetry about product performance and errors. When AI features are used, we log the prompt, the model that responded, the response, and confidence and reasoning metadata for traceability.
3. How we use information
- To operate and secure the Service, authenticate users, and provide the features your workspace is paying for.
- To send transactional email (sign-in and password reset links, billing receipts, invite notifications, workspace admin alerts). We do not use your workspace contact list for our own marketing without explicit opt-in.
- To improve the Service through aggregate analytics (feature usage counts, error rates, performance metrics). This analysis does not read the contents of individual workspace records.
- To detect and respond to abuse, fraud, security incidents, and violations of our acceptable use rules.
- To meet our legal, tax, and regulatory obligations, and to exercise or defend legal claims.
4. AI features and providers
The Service is a multi-tenant AI platform. Downstream Simple Intelligence products and customer-authored agents call Simple Atlas endpoints that route to large language models on your behalf. When these features run, we send the relevant prompt (which may contain workspace content passed in by the calling product) to our AI provider and receive a response.
Our AI provider is Microsoft Azure AI Foundry, which routes requests to Anthropic Claude Sonnet models running inside the Microsoft Azure boundary. Anthropic serves as the model supplier under Microsoft’s Azure AI Foundry program; prompts and completions do not leave the Microsoft-managed infrastructure to reach Anthropic’s public API. When SimpleForge (the SIG ZDR gateway) ships, this routing changes and we will update this Policy accordingly.
We do not use Customer Data to train, retrain, or fine-tune AI models. Our contract with our AI provider prohibits the provider from using our submissions to train its models. Every AI-generated record in the product carries provenance metadata (an “AI” badge, plus fields recording the model, the confidence score, and the reasoning). You are responsible for reviewing AI output before relying on it for material business decisions.
5. Sharing and sub-processors
We share information only with sub-processors necessary to operate the Service. The current list as of 2026-07-08:
- Microsoft Azure (Commercial cloud, United States, European Union, and Australia regions): hosting on Azure Container Apps, database on Azure Database for PostgreSQL, identity via Microsoft Entra ID, secrets management via Azure Key Vault, edge delivery via Azure Front Door, AI inference via Azure AI Foundry.
- Anthropic PBC: large language model supplier accessed exclusively through Microsoft Azure AI Foundry endpoints. Anthropic does not receive our submissions directly from us.
- Microsoft Azure Communication Services: transactional email delivery for sign-in and password reset links, billing receipts, invite notifications, and workspace admin alerts, sent from per-tenant verified sender domains.
- Stripe Inc.: payment processing for direct sign-up paid plans. Stripe handles cardholder data as an independent controller under its own privacy notice.
- Microsoft Azure Marketplace: subscription fulfillment, billing, and invoicing for Customers who buy Simple Atlas through the Marketplace channel.
- Integration providers (Salesforce, HubSpot, Microsoft Dynamics 365, ZoomInfo, Xero, Microsoft Graph, and any others a workspace admin connects): each is an independent controller for the data it receives. The exchange happens under the connector settings and only when a workspace admin has connected the integration.
We do not sell, rent, or trade personal information to third parties. We disclose information to government or law enforcement only where legally required and, where lawful, will notify the affected Customer before disclosure.
6. Data retention
We retain workspace content for the duration of your subscription plus a 90-day grace period after the subscription ends. During the grace period, workspace administrators can export Customer Data through the export API and self-service export tools in the product. After the grace period, we permanently delete the data from our production systems and age it out of encrypted backups according to the backup retention schedule, which does not exceed 180 days.
Audit logs, security event records, and billing records may be retained longer where required by law, tax rules, or to exercise or defend legal claims. Aggregated analytics (workspace counts, feature usage counts, no individual content) may be retained indefinitely.
7. Data subject rights and portability
Depending on where you live, you have rights to access, correct, delete, restrict, or object to processing of personal information, and to receive a portable copy of your data. You can exercise most of these rights directly in the product: review and edit your profile in workspace settings, download your data through the export API, and request deletion via the workspace admin.
For rights you cannot exercise directly in the product, send a request to privacy@simpleintelligence.io. We respond within the timeframe required by applicable law (typically 30 to 45 days). If your organization is the Customer, we will route your request to the workspace admin because the Customer is the controller of that data.
Lifeboat commitment. Enterprise Customers receive a contractually binding data portability commitment as part of the Master Subscription Agreement: zero exit fees, an on-demand export API that returns the full record graph with audit, relationships, and attachments preserved, and Customer-owned schema documentation. This commitment mirrors the EU Data Act (Regulation (EU) 2023/2854) portability expectations and applies regardless of the Customer’s jurisdiction. Non-Enterprise Customers receive the same technical export capability without the contractual exit-fee clause.
8. International transfers
Your information may be processed in any country where Microsoft Azure operates the regions we deploy to, including the United States, the European Union (Ireland, Netherlands, France), and Australia (New South Wales). Where required by law, cross-border transfers rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent legal mechanisms in other jurisdictions. Enterprise Customers can request data residency in a specific Azure geography as part of their contract.
9. Security
We use industry-standard technical and organizational measures to protect information.
- Encryption. TLS 1.2 or higher for all data in transit. AES-256 encryption at rest for the production database, backups, and object storage.
- Identity. Sign-in through Microsoft Entra ID multi-tenant OIDC, Google SSO, or credentials with password reset flow. Multi-factor authentication is enforced by the identity provider for Enterprise Customers.
- Tenant isolation. Every domain record carries a tenant identifier and every query is filtered by that identifier through server-side session middleware. No global tenant fallback exists.
- Access controls. Role-based access controls inside our infrastructure, restricted production access via managed identities, and audit logging of administrative actions.
- Monitoring. Log aggregation, anomaly detection, and security event alerts through the Microsoft Defender and Azure Monitor stack.
No method of transmission or storage is perfectly secure. We work continually to improve, and we will notify affected Customers of a security incident that materially affects their data within the timeframes required by applicable law.
10. Children
Simple Atlas is a business-to-business product not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@simpleintelligence.io and we will delete it.
11. Regulatory framework references
This Policy is drafted with reference to the following frameworks. It does not replace the legal obligations those frameworks impose on us or on the Customer as a controller.
- European Union: General Data Protection Regulation (Regulation (EU) 2016/679), the EU Data Act (Regulation (EU) 2023/2854, in force 12 September 2025, full exit-fee ban effective 12 January 2027), and the ePrivacy Directive (Directive 2002/58/EC).
- United Kingdom: UK GDPR and Data Protection Act 2018.
- United States: California Consumer Privacy Act as amended by the California Privacy Rights Act, and applicable state privacy laws (Colorado, Connecticut, Virginia, Utah, and others).
- Canada: Personal Information Protection and Electronic Documents Act.
- Brazil: Lei Geral de Proteção de Dados (Lei 13.709/2018).
12. Changes to this Policy
We revise this Policy as practices evolve and as regulations change. Material changes will be communicated by email to workspace administrators at least 30 days before they take effect. The current version and last-updated date always appear at the top of this page.
13. Contact
Questions about this Policy, our data practices, or to exercise a data subject right: privacy@simpleintelligence.io. For organizations that need a signed Data Processing Addendum, contact us at the same address.
Simple Intelligence Group, Inc. is registered in the State of Delaware, United States. Our EU representative and UK representative details will be published here when Enterprise Customers in those regions have signed contracts that require appointment of a local representative.
Version 1.0, 2026-07-08. For questions, contact privacy@simpleintelligence.io.