GDPR Compliance
Last updated: March 1, 2026
Our Commitment to GDPR
SimpleClaims is committed to protecting the privacy and rights of all users, including those in the European Union (EU) and European Economic Area (EEA). We comply with the General Data Protection Regulation (GDPR) and have implemented appropriate technical and organizational measures to ensure your data is handled securely and transparently.
1. Data Controller
SimpleClaims acts as the data controller for personal data collected through our website and application. For questions about data processing, contact our Data Protection Officer:
- Email: dpo@simpleclaims.app
2. Legal Basis for Processing
We process personal data under the following legal bases as defined by GDPR Article 6:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide you with the SimpleClaims service, including account creation, claim documentation, photo storage, and report generation.
- Legitimate Interest (Art. 6(1)(f)): Processing for product improvement, security monitoring, fraud prevention, and customer support. We balance our interests against your rights and freedoms.
- Consent (Art. 6(1)(a)): Processing that requires your explicit consent, such as GPS location collection for photo stamping, marketing communications, and non-essential cookies.
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, such as tax and financial regulations for paid subscriptions.
3. Your Rights Under GDPR
If you are in the EU/EEA, you have the following rights regarding your personal data:
Right of Access (Art. 15)
You can request a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
You can ask us to correct inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
You can request deletion of your personal data ("right to be forgotten").
Right to Restrict Processing (Art. 18)
You can ask us to limit how we process your data in certain situations.
Right to Data Portability (Art. 20)
You can receive your data in a structured, machine-readable format.
Right to Object (Art. 21)
You can object to processing based on legitimate interest or direct marketing.
To exercise any of these rights, email dpo@simpleclaims.app. We will respond within 30 days as required by GDPR.
4. Data We Collect
We collect the following categories of personal data:
- Account Information: Name, email address, password (hashed), account type
- Claim Data: Property addresses, damage descriptions, loss dates, insurance information
- Media: Photos, videos, and annotations uploaded by you. GPS coordinates are only captured with your explicit consent.
- Payment Data: Processed securely by Stripe. We do not store full credit card numbers.
- Usage Data: Feature usage patterns, error logs (via Sentry), and performance metrics
- Device Data: Browser type, operating system, IP address (anonymized for analytics)
5. Data Processing & Sub-processors
We use the following sub-processors to deliver our service. All have appropriate data processing agreements (DPAs) in place:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | United States (AWS) |
| Cloudflare | CDN, DDoS protection, hosting | Global (edge network) |
| Stripe | Payment processing | United States |
| Sentry | Error tracking and monitoring | United States |
6. International Data Transfers
Your data may be transferred to and processed in the United States. For EU/EEA users, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-U.S. Data Privacy Framework where applicable
- Adequacy decisions for transfers to countries recognized by the EC
We ensure all sub-processors maintain appropriate safeguards for international data transfers.
7. Data Retention
We retain your personal data only as long as necessary:
- Active accounts: Data is retained for the duration of your account
- Deleted accounts: Personal data is deleted within 30 days of account deletion. Anonymized analytics may be retained.
- Payment records: Retained for 7 years as required by financial regulations
- Support tickets: Retained for 2 years after resolution
8. Data Security
We implement the following technical and organizational measures to protect your data:
- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption for all data in transit
- Row-Level Security (RLS) policies in our database
- Regular security audits and penetration testing
- Multi-factor authentication support
- Automated backup and disaster recovery
- Principle of least privilege for internal access
9. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected individuals without undue delay if the breach is high-risk
- Document all breaches internally, regardless of severity
10. Children's Data
SimpleClaims is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly.
11. Supervisory Authority
If you are in the EU/EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of DPAs can be found at the European Data Protection Board website.
12. Changes to This Policy
We may update this GDPR compliance page to reflect changes in our practices or regulatory requirements. Material changes will be communicated via email or an in-app notification.
13. Contact
For any GDPR-related inquiries:
- Data Protection Officer: dpo@simpleclaims.app
- General Privacy: privacy@simpleclaims.app
- Web: the contact form on our website
See also our Privacy Policy and Cookie Policy for additional information.