LEGAL

Privacy Policy

Simple Data Rooms (“Simple Data Rooms,” “we,” “us,” or “our”) operates the website at simpledatarooms.com and the Simple Data Rooms platform (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you visit our website, create an account, use our Service, or otherwise interact with us.

We are committed to protecting your privacy and handling your personal information transparently and responsibly. Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

1. Who This Policy Applies To

This Privacy Policy applies to three categories of individuals:

Room Owners — individuals or entities that create an account, set up data rooms, upload documents, and manage viewer access through the Service.

Viewers — individuals who access a data room through a shared link. Viewers may be required to provide an email address to gain access and are subject to analytics tracking as configured by the Room Owner.

Website Visitors — individuals who visit simpledatarooms.com without creating an account or accessing a data room.

If you are a Viewer, please note that the Room Owner who shared the data room link with you has chosen to use Simple Data Rooms to share documents and track engagement. We process your information on behalf of and as directed by the Room Owner. Questions about why your data is being collected or how it will be used by the Room Owner should be directed to the Room Owner.

2. Information We Collect

2.1 Information You Provide Directly

Account Information (Room Owners): When you create an account, we collect your name, email address, password (stored in hashed form), and billing information (processed and stored by our third-party payment processor — we do not store full payment card numbers).

Viewer Information: When a Viewer accesses an email-gated data room, we collect the email address the Viewer provides. This email address is shared with the Room Owner.

User Content: Documents, files, images, and other materials that Room Owners upload to the Service. We process User Content solely to operate the Service and do not access, review, or analyze User Content for our own purposes, except as required to maintain the Service, comply with law, or enforce our Terms of Use.

Communications: When you contact us for support or other inquiries, we collect the information you provide in those communications, including your name, email address, and message content.

2.2 Information Collected Automatically

When you use the Service or visit our website, we automatically collect certain technical and usage information:

Viewer Analytics Data: When a Viewer accesses a data room, we collect page-by-page viewing activity (which documents were viewed, which pages, time spent per page), the date and time of access, and whether documents were downloaded. This data is collected on behalf of the Room Owner and is displayed to the Room Owner through the Service.

Device and Browser Information: We collect your IP address, browser type and version, operating system, device type, screen resolution, and language preferences.

Usage Data: We collect information about how you interact with the Service, including pages visited, features used, clickstream data, referring URLs, and session duration.

Cookies and Similar Technologies: We use cookies, web beacons, pixels, and similar tracking technologies as described in Section 7 of this Privacy Policy.

2.3 Information from Third Parties

We may receive information about you from third-party services you use to sign in to the Service (such as Google or GitHub), including your name, email address, and profile picture. We may also receive information from our payment processor regarding the status of your transactions.

3. How We Use Your Information

We use the information we collect for the following purposes:

To Provide and Operate the Service: Creating and managing your account, hosting and delivering your data rooms, processing viewer access, generating analytics reports for Room Owners, processing payments, and providing features consistent with your subscription tier.

To Communicate with You: Sending transactional emails (account confirmations, password resets, payment receipts, access notifications), responding to your inquiries, and providing information about your account or the Service.

To Improve the Service: Analyzing usage patterns and trends to understand how the Service is used, identifying and fixing technical issues, and developing new features.

To Ensure Security and Prevent Fraud: Detecting, investigating, and preventing unauthorized access, abuse, fraud, and other illegal or harmful activities.

To Comply with Legal Obligations: Meeting our obligations under applicable laws, regulations, legal processes, or enforceable governmental requests.

To Send Marketing Communications (with your consent): With your explicit opt-in consent, we may send you promotional emails about new features, product updates, or other information we think may interest you. You can opt out of marketing communications at any time by clicking the “unsubscribe” link in any marketing email or by contacting us at privacy@simpledatarooms.com. Opting out of marketing communications does not affect transactional emails related to your account.

We do not sell your personal information. We do not use your User Content to train machine learning or artificial intelligence models. We do not serve advertisements within the Service or share your personal information with advertisers.

4. How We Share Your Information

We share your information only in the following circumstances:

With Room Owners (Viewer Data): When a Viewer accesses a data room, the Viewer’s email address and viewing activity (documents viewed, pages viewed, time spent, downloads) are shared with the Room Owner who created that data room. The Room Owner controls what happens with this information after it is shared.

With Service Providers: We share information with third-party service providers who perform services on our behalf, including cloud hosting and storage, payment processing, email delivery, and analytics. These providers are contractually obligated to use your information only to perform services for us and in accordance with this Privacy Policy. Our current categories of service providers include:

  • Cloud infrastructure and storage (e.g., Cloudflare, Supabase, Vercel)
  • Payment processing (e.g., Stripe)
  • Transactional email delivery (e.g., Resend)
  • Error monitoring and application performance

For Legal Compliance: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is reasonably necessary to protect the rights, property, or safety of Simple Data Rooms, our users, or the public.

In Connection with a Business Transfer: If Simple Data Rooms is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have.

With Your Consent: We may share your information for purposes not described in this Privacy Policy if we have obtained your explicit consent.

5. Data Retention

We retain your information for as long as is necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Data (Room Owners): Retained for the duration of your account and for up to ninety (90) days following account deletion to allow for account recovery and to comply with legal obligations.

User Content: Retained for the duration of your account. Upon account termination or deletion, User Content is deleted within ninety (90) days, except for copies retained in encrypted backup systems for a commercially reasonable period not to exceed one hundred eighty (180) days.

Viewer Data: Viewer email addresses and analytics data associated with a data room are retained for as long as the Room Owner’s account is active and the relevant data room exists. When a Room Owner deletes a data room or closes their account, associated Viewer data is deleted within ninety (90) days.

Website Visitor Data: Automatically collected data from website visitors (cookies, usage data, device information) is retained for no more than twenty-four (24) months.

Communications: Records of support and other communications are retained for up to thirty-six (36) months.

When personal information is no longer needed, we delete or anonymize it. Anonymized data that cannot reasonably be used to identify you may be retained indefinitely for analytical purposes.

6. Data Security

We implement commercially reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/SSL
  • Encryption of stored data at rest
  • Hashed and salted password storage
  • Access controls limiting employee and contractor access to personal information on a need-to-know basis
  • Regular review of our data collection, storage, and processing practices

While we strive to protect your personal information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your information. You are responsible for maintaining the confidentiality of your account credentials.

7. Cookies and Tracking Technologies

7.1 What We Use

We use the following categories of cookies and similar technologies:

Strictly Necessary Cookies: Required for the Service to function. These handle authentication, session management, and security. They cannot be disabled without impairing core functionality.

Functional Cookies: Remember your preferences and settings (such as language or display preferences) to provide a more personalized experience.

Analytics Cookies: Help us understand how visitors interact with our website and Service, including which pages are visited, how long users spend on each page, and where visitors come from. We use this information to improve the Service.

7.2 Viewer Tracking

When a Viewer accesses a data room, we use technical methods to track page-by-page viewing activity on behalf of the Room Owner. This tracking is a core feature of the Service and is necessary for the performance of the contract between Simple Data Rooms and the Room Owner. Viewer tracking within data rooms cannot be disabled, as it is integral to the Service’s functionality. Viewers who do not wish to be tracked should not access the data room.

7.3 Your Cookie Choices

You can manage your cookie preferences through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling strictly necessary cookies may impair your ability to use the Service.

For users in the European Union and European Economic Area, we obtain your consent before setting non-essential cookies in accordance with applicable law.

8. Your Rights and Choices

Depending on your location, you may have the following rights with respect to your personal information:

8.1 Rights Available to All Users

Access and Portability: You may request a copy of the personal information we hold about you.

Correction: You may request that we correct inaccurate or incomplete personal information.

Deletion: You may request that we delete your personal information, subject to certain exceptions (such as compliance with legal obligations).

Marketing Opt-Out: You may opt out of marketing communications at any time by clicking “unsubscribe” in any marketing email or by contacting us at privacy@simpledatarooms.com.

Account Deletion: You may delete your account at any time through your account settings or by contacting us at support@simpledatarooms.com.

8.2 Additional Rights for Users in the European Union and European Economic Area

If you are located in the EU or EEA, you have the following additional rights under the General Data Protection Regulation (“GDPR”):

Right to Restriction of Processing: You may request that we restrict the processing of your personal information under certain circumstances.

Right to Object: You may object to the processing of your personal information where we rely on a legitimate interest as the legal basis for processing.

Right to Data Portability: You may request that we provide your personal information in a structured, commonly used, and machine-readable format.

Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

8.3 Additional Rights for Users in California

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”):

Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, our business purpose for collecting it, the categories of third parties with whom we share it, and, if applicable, the categories of personal information sold or disclosed for a business purpose.

Right to Delete: You have the right to request that we delete your personal information, subject to certain exceptions.

Right to Correct: You have the right to request that we correct inaccurate personal information.

Right to Opt Out of Sale or Sharing: We do not sell your personal information or share it for cross-context behavioral advertising. Accordingly, there is no need to opt out.

Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, please contact us at privacy@simpledatarooms.com. We will verify your identity before processing your request. We will respond to verifiable requests within the timeframes required by applicable law (generally thirty (30) days for GDPR and forty-five (45) days for CCPA/CPRA, subject to permitted extensions).

9. Legal Bases for Processing (EU/EEA Users)

If you are located in the EU or EEA, we process your personal information on the following legal bases under the GDPR:

Performance of a Contract (Article 6(1)(b)): Processing necessary to provide the Service to you, including account creation, data room hosting, viewer access, analytics delivery, and payment processing.

Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, including improving the Service, ensuring security, preventing fraud, and communicating with you about your account. Our legitimate interests do not override your fundamental rights and freedoms.

Consent (Article 6(1)(a)): Processing based on your explicit consent, including marketing communications and the use of non-essential cookies. You may withdraw consent at any time.

Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable legal obligations, such as tax and accounting requirements or responding to lawful governmental requests.

10. International Data Transfers

Simple Data Rooms is based in the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

If you are located in the EU/EEA or the United Kingdom, we ensure that international transfers of your personal information are protected by appropriate safeguards as required under applicable data protection law. These safeguards may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • An adequacy decision by the European Commission regarding the recipient country
  • Other legally recognized transfer mechanisms

You may request a copy of the relevant safeguards by contacting us at privacy@simpledatarooms.com.

11. Children’s Privacy

The Service is not directed to individuals under the age of 18 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe that a child has provided us with personal information, please contact us at privacy@simpledatarooms.com.

12. Do Not Track Signals

Some web browsers transmit “Do Not Track” (DNT) signals to the websites a user visits. There is currently no universally accepted standard for how companies should respond to DNT signals. At this time, Simple Data Rooms does not respond to DNT signals. We will update this Privacy Policy if and when a uniform standard for responding to DNT signals is established.

13. Data Controller and Data Processor Roles

13.1 When We Are the Data Controller

Simple Data Rooms acts as the data controller (as defined under the GDPR) or equivalent under applicable law for the personal information of Room Owners, Website Visitors, and Viewers where such processing is carried out for our own purposes (such as providing the Service, managing accounts, improving the platform, and complying with legal obligations).

13.2 When the Room Owner Is the Data Controller

When a Room Owner uses the Service to collect and process Viewer data (including email addresses and viewing analytics), the Room Owner acts as an independent data controller for that Viewer data. Simple Data Rooms processes Viewer data on the Room Owner’s behalf as part of providing the Service.

Room Owners are responsible for:

  • Ensuring they have a lawful basis to collect and process Viewer data
  • Providing any required privacy notices to Viewers
  • Responding to Viewer requests regarding their personal data
  • Complying with all applicable data protection laws in connection with their use of the Service

If you are a Viewer and wish to exercise your data protection rights with respect to how a Room Owner uses your data, please contact the Room Owner directly.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. If we make material changes, we will notify you by email and/or by posting a prominent notice on our website at least thirty (30) days before the changes take effect. For users in the EU/EEA, where required by applicable law, we will obtain your consent to material changes.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated policy. We encourage you to review this Privacy Policy periodically.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Simple Data Rooms
Email: privacy@simpledatarooms.com
Website: simpledatarooms.com

For data protection inquiries specific to the GDPR, you may also reach our designated data protection contact at privacy@simpledatarooms.com.

If you are located in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

This Privacy Policy was last updated on March 15, 2026.