Privacy Policy

Effective 2026-06-13. Last updated 2026-06-13.

1. Who we are

Simple Council is a product of Simple Intelligence Group, Inc. ("Simple Intelligence", "we", "us"). For privacy questions, write to privacy@simpleintelligence.io.

2. What we process

  • Account data. Email, name, and Microsoft Entra tenant identifier of users you authorize to sign in.
  • Workspace configuration. Tenant name, white-label brand fields, member rosters, pending invites, plan tier.
  • Compliance metadata. Agent inventory, blueprint adoptions, control mappings, evidence attestations, policy decisions, token-usage events.
  • Operational telemetry. Request logs, error traces, health probe results.

We do not process the content of agent prompts or completions on your behalf. Token-usage events sent to Simple Council carry counts and metadata only; payloads stay in the calling product.

3. Why we process it

  • To deliver the Simple Council service to your workspace.
  • To produce the auditor export pack you or your auditor download.
  • To diagnose incidents and improve reliability.
  • To bill subscriptions through Stripe or Azure Marketplace where applicable.

4. Sub-processors

  • Microsoft Azure (hosting, Postgres, Key Vault, Front Door).
  • Stripe, Inc. (subscription billing on direct plans).
  • Anthropic, PBC (blueprint-control mapping and report summarization).
  • SendGrid (transactional email; only when configured).

Sub-processors are bound by data-processing agreements that meet GDPR Article 28 standards. The current list is mirrored at our DPA.

5. Retention

Evidence rows are append-only and retained for the lifetime of your workspace plus the seven years a typical compliance audit requires. Operational telemetry is rotated after 30 days. On workspace deletion, every tenant-scoped row cascades; system blueprints and audit attribution to deleted users persist as the audit trail.

6. Your rights

EU and UK individuals have the rights described in GDPR Articles 15-22. California residents have the rights described in the CCPA. Send requests to privacy@simpleintelligence.io; we respond within 30 days.

7. Cross-border transfers

Council currently runs in US Azure regions. We rely on the EU-US Data Privacy Framework where applicable, and on Standard Contractual Clauses as a fallback.

8. Security

Council ships TLS in transit, AES-256 at rest in Azure Postgres, and tenant-scoped query enforcement on every domain table (entity ruleset §1). The control summary lives at our security overview.

9. Changes

We will update this page when our practices change and reflect the new effective date at the top. Material changes are announced in-product to workspace admins at least 30 days in advance.