1. Who is responsible for your data
The ARIA Platform is operated by Simplification Technologies Inc., a corporation incorporated in Manitoba, Canada (“we,” “us,” “Simplification”). For GDPR purposes, Simplification is the controller of personal information about visitors to our public marketing surfaces and the processor of personal information that customers (your organisation) submit to ARIA on behalf of their end users.
For PHIPA purposes, when a customer that is a health information custodian sends Personal Health Information (PHI) to ARIA, we act as their agent under section 17 of PHIPA, processing PHI only on the custodian’s instructions and under the safeguards described in this Policy and in the customer’s Data Processing Agreement.
2. Compliance scope (honest)
ARIA is designed to be architecturally aligned with the frameworks listed below. Architectural alignment means the controls exist and operate. It is not the same as third-party attestation:
- GDPR (EU/EEA/UK) — Articles 13 (transparency), 17 (right to erasure), 22 (automated decision-making), and 30 (records of processing) are design-aligned.
- PIPEDA (Canada federal) — the ten fair-information principles are design-aligned. Canadian sovereign hosting is available on the Enterprise tier.
- PHIPA (Ontario / Manitoba / Saskatchewan) — health-information-custodian-aligned, with the agent / electronic service provider safeguards required by PHIPA s.10 and s.17.
- CCPA (California) — consumer-rights design-aligned (right-to-know, right-to-delete, right to limit, opt-out-of-sale).
- AODA (Ontario accessibility) — WCAG 2.1 AA is the target; partial coverage today, full audit underway in the v1.9.0 polish sprint. Honest hedge: report any access barrier to accessibility@simplification.io and we will respond within ten business days.
- SOC 2 — Type 1 audit scheduled Q3 2026. Not yet certified.
- ISO 27001 — planned. Not yet certified.
3. Information we collect
3.1 Information you give us directly
- Account information — name, work email, organisation name, password (stored as a one-way bcrypt hash), optional phone number, time zone, language preference.
- Billing information — billing email, tax-residency country, and payment tokens issued by Stripe. ARIA does not store payment-card numbers.
- Customer Data — messages, contacts, knowledge-base sources, configurations, and any other content you, your end users, or your subscribers submit to ARIA.
- Trust Center disclosures — contact information you provide when you submit a Data Subject Access Request (DSAR) at trust.simplification.io/dsar.
3.2 Information we collect automatically
- Usage data — request logs, route timings, error stack traces, audit-log entries (PostgreSQL-trigger-protected, append-only).
- Device and connection data — IP address, browser user-agent, approximate region. Used to enforce IP allowlists, to detect abuse, and to show the right Cookie banner default per Cookie Policy.
- Cookies and similar technologies — described in the Cookie Policy.
3.3 Information from third parties
- OAuth identifiers — when you sign in via Google or Apple, we receive your email and basic profile.
- Channel adapters — when you connect WhatsApp, Telegram, or another channel, the platform you connected sends us the inbound message and the sender’s platform-issued ID. We do not receive contact lists you have not addressed.
4. Why we process personal information (lawful bases under GDPR)
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Provide and operate the ARIA Platform for you | Performance of contract (Art. 6(1)(b)) |
| Process Customer Data on your instructions | Performance of contract (Art. 6(1)(b)) — as processor |
| Bill you and collect payments | Performance of contract + legal obligation (Art. 6(1)(c)) |
| Prevent fraud, abuse, and security incidents | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations and respond to lawful requests | Legal obligation (Art. 6(1)(c)) |
| Send transactional emails (sign-in, billing, security alerts) | Performance of contract (Art. 6(1)(b)) |
| Send product-update or marketing emails | Consent (Art. 6(1)(a)) — opt-out at any time |
| Process Personal Health Information for a health-information custodian | On the custodian’s authority under PHIPA s.10 and s.17; consent of the individual where PHIPA requires it |
6. International transfers
ARIA infrastructure is hosted in Canada, the United States, and the European Union by default. On the Enterprise tier, customers can elect a single jurisdiction (Canada, EU, US, or AU) for their PostgreSQL, Redis, and Qdrant instances; in that configuration their Customer Data does not leave the elected region except where the customer routes it through a third-party AI provider hosted elsewhere.
Cross-border transfers from the EU/EEA/UK rely on the European Commission’s Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum, supplemented by the technical measures described in our DPA (encryption in transit, encryption at rest, RLS-enforced multi-tenant isolation, BYOK to keep regulated data in your jurisdiction’s LLM tier).
7. How long we keep information
Customer Data is retained while your account is active and for thirty (30) days after termination, after which it may be deleted. Customers can configure shorter retention windows on a per-data-class basis through Settings → Data retention.
The audit log is append-only and is retained for the longest of (a) your active account lifetime plus thirty days, (b) any period required by law, or (c) any period required by an active legal hold. The audit log is forensic and survives org or user deletion by design, consistent with EU AI Act Article 13 transparency obligations and with PHIPA s.10 audit-trail expectations for health information custodians.
Backups are encrypted and rotated on a thirty-day cycle; deletions propagate from primary stores within twenty-four hours and from backups within thirty days at the latest.
8. Your rights
8.1 GDPR / UK GDPR
If you are in the EU, EEA, UK, or Switzerland, you have the right to:
- access the personal information we hold about you (Art. 15);
- rectify inaccurate information (Art. 16);
- request erasure (“right to be forgotten”) (Art. 17);
- restrict or object to processing (Arts. 18 and 21);
- data portability (Art. 20);
- withdraw consent at any time, where processing is based on consent;
- not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22). ARIA surfaces a per-decision “Why?” trace via /v1/decisions/{id}/explain so you can request the full reasoning chain;
- lodge a complaint with your supervisory authority (for example, the Irish Data Protection Commission for users in the EU).
8.2 PIPEDA
Individuals in Canada can request access to, correction of, or information about how their personal information is handled. Requests go to privacy@simplification.io or through the DSAR self-serve form at trust.simplification.io/dsar. You may also file a complaint with the Office of the Privacy Commissioner of Canada.
8.3 PHIPA
For Personal Health Information processed under PHIPA, individuals should make access, correction, or complaint requests to the health information custodian (the clinic, hospital, or practitioner) that holds the record. As the custodian’s agent, we will support the custodian’s response. Complaints about a custodian may be brought to the Information and Privacy Commissioner of the relevant jurisdiction.
8.4 CCPA / California
California residents have the right to:
- know what personal information is collected and why;
- request deletion (with the limited exceptions allowed by Section 1798.105(d));
- request correction of inaccurate information;
- opt out of sale or sharing — this is honoured by default; we do not sell or share for cross-context behavioural advertising;
- limit use of sensitive personal information to the purposes permitted by Section 1798.121;
- non-discrimination for exercising any of these rights.
8.5 How to exercise your rights
The fastest path is the self-serve DSAR form at trust.simplification.io/dsar. You may also email privacy@simplification.io. We respond within thirty (30) days under GDPR / UK GDPR, CCPA, and PIPEDA, with a possible thirty-day extension where the request is complex.
To verify your identity, we may ask you to confirm details we already hold (such as a recent transaction or a verification code sent to the email on file). We will not charge a fee unless the request is manifestly unfounded or excessive.
9. Account deletion
You can delete your account through Settings → Account deletion. The flow requires you to type the literal phrase “DELETE MY ACCOUNT” to prevent accidental deletion and includes a 24-hour cancel window during which the request can be reversed. After the cancel window expires, the deletion executor performs a cascade across the account’s sixty-plus tables and the audit-log entry documenting the deletion is retained for the legal-obligation period described in Section 7.
10. How we protect personal information
A complete description of our technical and organisational safeguards is on the Security Practices page. Highlights:
- PostgreSQL Row-Level Security ENABLE+FORCE on every table: tenant isolation is enforced at the database layer, independent of application code, and is verified by an automated regression test suite that checks for cross-tenant leaks.
- Encryption at rest, including application-layer AES-256-GCM encryption of sensitive fields such as webhook secrets and BYOK keys, and in transit (TLS 1.2+ everywhere).
- RFC 6238 TOTP two-factor authentication; backup codes stored as one-way SHA-256 hashes with a partial unique index that prevents re-use.
- Append-only audit log protected by PostgreSQL triggers that silently reject UPDATE and DELETE on the audit table itself.
- Memory zone Z6 (collective cohort math) enforces a three-layer privacy floor (an algorithmic skip when the cohort is smaller than 5, a raise inside the INSERT loop, and a database CHECK (cohort_size >= 5)) so no aggregate ever reveals an individual.
- EU AI Act Article 13 audit envelope on memory zone Z7 (identity synthesis): a write that lacks the nine required keys or has zero evidence rows is fail-closed before the INSERT.
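The three database-layer controls above (forced Row-Level Security, the trigger-protected append-only audit log, and the cohort-size CHECK) can be expressed directly in PostgreSQL DDL. The block below is an added illustration written for this page; it is not Simplification's schema, and the table names, column names, and the `app.org_id` session setting are assumptions. The regression check at the end is the kind of test the page says its automated suite performs: a session pinned to one tenant must see and write nothing belonging to another.

```sql
-- Added example, not ARIA's own schema. Table/column names and the
-- app.org_id session variable are assumptions for illustration.

-- 1. Tenant isolation: ENABLE turns RLS on, FORCE makes the table owner
--    subject to the policy too. The tenant id comes from a per-request
--    setting; when it is unset current_setting(..., true) returns NULL,
--    the policy evaluates to NULL, and the table is fail-closed (no rows).
CREATE TABLE contacts (
  id      bigserial PRIMARY KEY,
  org_id  uuid NOT NULL,
  email   text NOT NULL
);
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE  ROW LEVEL SECURITY;
CREATE POLICY contacts_tenant ON contacts
  USING      (org_id = current_setting('app.org_id', true)::uuid)   -- reads
  WITH CHECK (org_id = current_setting('app.org_id', true)::uuid);  -- writes

-- 2. Append-only audit log: a trigger that refuses UPDATE and DELETE.
--    TRUNCATE is a statement-level operation that row triggers never see,
--    so it gets its own trigger.
CREATE TABLE audit_log (
  id          bigserial PRIMARY KEY,
  org_id      uuid,
  actor       text,
  action      text NOT NULL,
  created_at  timestamptz NOT NULL DEFAULT now()
);
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log is append-only: % rejected', TG_OP
    USING ERRCODE = 'insufficient_privilege';
END $$;
CREATE TRIGGER audit_log_no_update_delete
  BEFORE UPDATE OR DELETE ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();
CREATE TRIGGER audit_log_no_truncate
  BEFORE TRUNCATE ON audit_log
  FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- 3. Privacy floor on cohort aggregates: the database rejects any row
--    describing a cohort smaller than five, whatever the application did.
CREATE TABLE cohort_stats (
  cohort_key   text PRIMARY KEY,
  cohort_size  integer NOT NULL CHECK (cohort_size >= 5),
  mean_score   numeric
);

-- Regression check for control 1: pin the session to tenant A, insert a row,
-- then switch to tenant B and assert that nothing from A is visible.
BEGIN;
SET LOCAL app.org_id = '00000000-0000-0000-0000-00000000000a';
INSERT INTO contacts (org_id, email)
  VALUES ('00000000-0000-0000-0000-00000000000a', 'a@example.com');
SET LOCAL app.org_id = '00000000-0000-0000-0000-00000000000b';
DO $$
BEGIN
  IF (SELECT count(*) FROM contacts) <> 0 THEN
    RAISE EXCEPTION 'cross-tenant leak: tenant B can read tenant A rows';
  END IF;
END $$;
-- A write that claims another tenant's org_id is refused by WITH CHECK
-- ("new row violates row-level security policy"), which aborts the transaction.
INSERT INTO contacts (org_id, email)
  VALUES ('00000000-0000-0000-0000-00000000000a', 'spoof@example.com');
ROLLBACK;
```

Two caveats a reviewer would raise against the bullets above. First, FORCE only brings the table owner under the policy; superusers and roles with BYPASSRLS still bypass RLS entirely, so the role the application connects with must be neither, and the regression suite should assert that as well. Second, the page says the audit triggers "silently" reject UPDATE and DELETE; a trigger that returns NULL would do that, but raising (as here) is preferable because a silent drop hides an attempted tamper from both the caller and monitoring.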
11. Children
The ARIA Platform is not directed to children under the age of sixteen (16), or under the higher minimum age set by the local law that applies to you. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@simplification.io and we will delete it.
12. Automated decision-making
ARIA produces AI-generated content, classifications, and routing recommendations. By default, these outputs are surfaced for human review (the “auto-pilot” tier sends them directly only when the customer organisation explicitly enables it on a per-flow basis). Every AI decision is accompanied by a per-decision explainability trace, the framework chain applied, and a confidence score. Where a decision is fully automated and produces legal or similarly significant effects on you, you can request human review under Article 22 GDPR by emailing privacy@simplification.io.
13. Changes to this Policy
Material changes to this Policy will be notified to the primary administrator email address on each affected account at least thirty (30) days before they take effect. Prior versions are accessible through the “View previous versions” link at the top of this page.
14. Contact us
Privacy questions: privacy@simplification.io
Security incidents: security@simplification.io
Postal: Simplification Technologies Inc., Manitoba, Canada.
If we cannot resolve your concern, EU/EEA/UK residents may contact their local data protection authority. Canadian residents may contact the Office of the Privacy Commissioner of Canada or the provincial commissioner of the relevant province (Ontario, Manitoba, Saskatchewan, Quebec). California residents may contact the California Privacy Protection Agency.