
Privacy Policy

Effective Date: 2025-06-13

Last Updated: September 17, 2025

1. Who we are and how to contact us

This Privacy Policy explains how JustSimpleChat (“we”, “us”, “our”) processes personal data when you use https://www.justsimple.chat and associated domains and subdomains.

Data controller: JustSimpleChat (operated by Jayson Espley).

Registered address: 53 Woodlea Avenue, Huddersfield, West Yorkshire, HD3 4EF, United Kingdom.

Email: [email protected]

If you are in the UK or EEA you may contact your local data protection authority. In the UK this is the Information Commissioner’s Office (ICO).

If Article 27 GDPR applies, we will appoint an EU Representative and publish their details here.

2. Scope

This Policy covers personal data we process about:

  • Visitors to our websites
  • Registered users of the Service
  • Individuals who contact us for support, partnership, or business enquiries

It does not cover third-party services that integrate with JustSimpleChat. Please review their privacy notices separately.

3. Information we collect

3.1 Information you provide

  • Account information: Name, email address, password, and Google OAuth profile identifiers when you create an account or sign in.
  • Chat content: Prompts, messages, feedback, uploaded files, and conversation history you choose to store in the Service.
  • Support communications: Contact details and the content you send to us for assistance.
  • Billing information: Subscription plan, invoices, and payment status. Card data is handled directly by Stripe and never stored on our servers.

3.2 Information we collect automatically

  • Usage data: Timestamps, features used, referral URLs, and aggregate diagnostics to maintain and improve the Service.
  • Device and log data: IP address, device identifiers, browser type and settings, operating system, error and crash logs, and security logs.
  • Cookies and similar technologies: Session cookies to keep you signed in and, with your consent, analytics and preference cookies. See section 12.

3.3 Information from third parties

  • Payment processors: Confirmation of payment status so we can activate subscriptions.
  • Authentication providers: When you use single sign-on we receive the identifiers required to authenticate you.
  • Analytics and error reporting: Pseudonymous usage metrics and crash diagnostics.

4. Purposes and legal bases

We process personal data only where a lawful basis applies under UK GDPR/EU GDPR. The table below summarises the key purposes and legal grounds:

| Purpose | Data categories | Legal basis |
|---|---|---|
| Provide and maintain the Service | Account information, chat content, usage data | Contract |
| Secure and monitor the Service; prevent abuse | Device and log data, usage data | Legitimate interests and legal obligation where applicable |
| Improve features, quality, and reliability | Usage data, de-identified aggregates | Legitimate interests |
| Customer support and communications | Contact details, support content | Contract or legitimate interests |
| Billing and subscription management | Billing metadata, payment confirmations | Contract and legal obligation |
| Optional marketing updates | Email address, preferences | Consent (withdrawable at any time) |

We do not intentionally collect special category data. Please avoid submitting health, biometric, political, or similarly sensitive information in prompts. If such data is processed, stricter GDPR conditions apply.

5. How we use information

We use personal information to:

  • Provide, maintain, and improve the Service and user experience
  • Authenticate users and manage accounts
  • Process payments, subscriptions, and send billing notices
  • Respond to support requests and provide customer service
  • Monitor usage, debug issues, and enhance performance
  • Protect against abuse, fraud, and security threats
  • Comply with legal obligations and enforce our terms
  • Develop new features, AI workflows, and integrations

5.1 Data minimisation

We collect only the data necessary for the stated purposes and review data flows regularly to ensure we do not retain more than we need.

5.2 No sale of personal data

We never sell, rent, or trade your personal information, including chat history or Google OAuth data, to third parties. We also do not share personal data for cross-context behavioural advertising.

6. AI model providers and your chat content

  • Third-party processors: Where we use AI model providers, they act as our processors under written terms and process your prompts to return results and for safety monitoring.
  • Model improvement: By default we do not permit providers to use your chats to train their general models. If we offer an explicit opt-in, that setting will control any use for model improvement.
  • Human review: Limited human review may occur to debug abuse, address safety issues, or support you, using the minimum data necessary.
  • Your control: You can delete conversation history in-product where available or request deletion via [email protected].

7. How we share information

7.1 Service providers and subprocessors

We share data with trusted partners under contract, including:

  • AI model providers: OpenAI, Anthropic, Google, and other model partners to generate responses.
  • Infrastructure: Amazon Web Services and Google Cloud for hosting and storage.
  • Payment processing: Stripe to handle subscription billing.
  • Security & monitoring: Cloudflare for CDN/WAF and Sentry for error tracking.
  • Analytics: Privacy-conscious analytics services to understand aggregate usage.

All subprocessors are required to implement appropriate security measures and process data only on our instructions. We maintain a subprocessors register and will post material updates before they take effect.

7.2 Legal obligations

We may disclose personal data when required by law, court order, or government request, or to protect our rights, property, or users.

7.3 Business transfers

If we are involved in a merger, acquisition, or asset sale, your information may be transferred to the acquiring entity. We will provide notice before the transfer occurs.

8. Data security

We implement administrative, technical, and physical safeguards, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access control with multi-factor authentication for staff
  • SOC 2 and ISO 27001 compliant infrastructure providers
  • Continuous monitoring, logging, and automated anomaly detection
  • Regular vulnerability scanning, penetration testing, and code reviews
  • Documented incident response procedures and security training

No method of transmission or storage is perfectly secure. If we become aware of a personal data breach that poses a risk to you, we will notify regulators without undue delay and, where required, affected individuals.

9. Data retention

We retain personal data only as long as necessary for the purposes described in this Policy or to comply with legal obligations. Typical retention periods include:

  • Account information and chat history: retained while the account is active and up to 30 days after deletion.
  • Google OAuth tokens: revoked immediately when you disconnect Google.
  • Chat history: retained for 90 days unless you delete it sooner.
  • Analytics logs: aggregated and anonymised after 12 months.
  • Billing and tax records: retained for up to 7 years to meet legal requirements.
  • Security logs: retained for up to 6 months depending on log type.

When immediate deletion is not technically feasible, data is securely archived or anonymised until deletion can occur.

10. International transfers

We are UK-based and use reputable providers in the UK, EEA, US, and other locations. Where personal data is transferred internationally we rely on adequacy decisions (such as the UK–US Data Bridge and EU–US Data Privacy Framework), Standard Contractual Clauses, or the UK International Data Transfer Agreement, and we implement appropriate safeguards.

11. Your rights & choices

11.1 Access and correction

You can review and update account information via your settings.

11.2 Data portability

You can export your data at Account Settings → Privacy → Export Data.

11.3 Deletion

Request account deletion by emailing [email protected]. We delete the account within 30 days, revoke OAuth tokens, and remove chat history subject to legal holds. Anonymised analytics may be retained.

11.4 Preferences and opt-outs

  • Unsubscribe from marketing emails using the link provided or via account settings.
  • Disable analytics collection in privacy settings (this may limit certain features).
  • Control non-essential cookies through our banner, the cookie preferences centre, or your browser settings.
  • Revoke Google data access from your Google Account permissions page.

To exercise your rights email [email protected]. We respond without undue delay and within one month, extendable by two months for complex requests. We will verify requests by confirming control of the account email address and may request limited additional information to confirm identity. You can also complain to your local data protection authority; in the UK visit the ICO’s “Make a complaint” page.

12. Children’s privacy

The Service is not directed to children. You must be at least 13 years old (or 16 in the EEA) to use it. We do not knowingly collect personal data from children, and if you believe a child has provided personal data please contact [email protected] and we will take appropriate action.

13. Cookie policy

13.1 Types of cookies

  • Essential: Required for authentication, security, and load balancing.
  • Analytics: Help us understand aggregate usage and service reliability (used only with consent).
  • Preferences: Remember themes, model selections, and layout choices.

13.2 Managing cookies

You can adjust cookie preferences via our banner or your browser settings. Disabling essential cookies may impact core functionality. We follow the ICO’s guidance on cookies and similar technologies.

14. GDPR legal bases

  • Consent: Optional marketing emails and analytics.
  • Contract: Providing the Service you request.
  • Legal obligation: Tax, accounting, and regulatory duties.
  • Legitimate interests: Security, analytics, and product improvement balanced against your rights.

15. US state privacy notices

California residents may have additional rights under the CCPA/CPRA, including rights to know, delete, correct, and opt out of sale or sharing. We will respond to such requests within the required timelines, verify identity as described above, and honour valid opt-out preference signals (such as Global Privacy Control) where legally required. We do not sell personal data. Similar rights may apply in other US states; we will facilitate valid requests that cite those laws.

For more detail, read our California privacy addendum.

16. Data breach response

We investigate security incidents promptly. Where a breach creates a risk to individuals we will notify the ICO without undue delay (within 72 hours where feasible) and inform affected users if there is a high risk to their rights and freedoms.

17. Third-party links

Our Service may contain links to third-party websites. Their privacy practices are not governed by this Policy. We encourage you to review their privacy notices before providing any personal information.

18. Automated decision-making

We use automation to:

  • Select AI models based on prompt characteristics.
  • Detect suspicious account activity or abuse.
  • Filter content that breaches our Acceptable Use Policy.

You have the right to request human review of automated decisions that significantly affect you. Contact [email protected] to request review.

19. Third-party subprocessors

We engage carefully selected subprocessors, including:

| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | AI services, infrastructure | USA, EU |
| Amazon Web Services | Cloud infrastructure | USA, EU |
| Cloudflare | CDN, DDoS protection | Global |
| Stripe | Payment processing | USA, EU |
| OpenAI / Anthropic / other AI vendors | AI inference | USA |
| Sentry | Error monitoring | USA |

We require all subprocessors to implement appropriate security measures and process personal data only on our documented instructions. A current list is available on request or via our subprocessor page.

20. Security measures (summary)

  • Regular security assessments and third-party audits
  • Change management and code review procedures
  • Dedicated incident response runbooks
  • Least-privilege access controls and employee security training

21. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the revised version with an updated “Last Updated” date and, for material changes, provide additional notice (for example, via email or in-app notification).

22. Contact

If you have questions or requests, please contact:

JustSimpleChat
Operated by: Jayson Espley
53 Woodlea Avenue
Huddersfield, West Yorkshire
HD3 4EF, United Kingdom

General enquiries: [email protected]
Privacy questions: [email protected]
Website: https://www.justsimple.chat

EU Data Protection Officer: Mr Jayson Espley · [email protected]
