Privacy Policy
Last update: 10/03/2026
1. Data Controller
SimpleRead is the data controller responsible for processing your personal data under this Privacy Policy.
- SimpleRead (simpleread.foundation)
- Contact: contact@simpleread.foundation
2. Personal Data We Collect
We collect the following categories of personal data:
- Identity data: full name, email address, profile picture
- Authentication data: hashed password, OAuth tokens (when using Google login)
- Educational data: classroom enrollments, assigned reading materials, role (student/teacher)
- Preferences: visual and reading accessibility settings
- Technical data: session tokens, IP address, browser type via our hosting provider
- Usage data: page visits and interactions (only with your consent to analytics)
3. Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Article 6 / LGPD Article 7):
- Contract performance (Art. 6(1)(b)): processing necessary to provide the educational platform services you signed up for
- Consent (Art. 6(1)(a)): analytics cookies and tracking (Microsoft Clarity, Vercel Analytics) - only if you accept in the cookie banner
- Legal obligation (Art. 6(1)(c)): retaining data required by applicable law
- Legitimate interests (Art. 6(1)(f)): platform security, fraud prevention, and service improvement
4. How We Use Your Data
We use your data to:
- Provide, operate, and maintain the educational platform
- Authenticate users and manage sessions
- Send transactional emails (email verification, exam notifications)
- Personalize the reading experience based on your accessibility preferences
- Analyze platform usage and performance (only with analytics consent)
5. Third-Party Data Processors
We share data with the following sub-processors to operate the platform. All processors are bound by data processing agreements (DPA):
| Service | Purpose | Location |
|---|---|---|
| Google OAuth | OAuth authentication (optional login method) | USA |
| Google Cloud Storage | Cloud storage for content files, images, and audio | USA/EU |
| Resend | Transactional email delivery | USA |
| Vercel | Platform hosting and performance analytics (consent-gated) | USA/EU |
| Microsoft Clarity | Session recording and heatmaps (consent-gated) | USA |
Analytics services (Vercel Analytics and Microsoft Clarity) are only loaded after you explicitly accept analytics cookies.
6. Cookies & Local Storage
We use minimal local storage technologies:
- Necessary: session authentication cookies (required for login to work)
- Necessary: login preference (localStorage key 'simpleread_remember') - stores whether you selected 'Remember Me'
- Analytics (opt-in): Microsoft Clarity and Vercel Analytics cookies - only set after you accept in the cookie consent banner
You can manage your cookie preferences at any time using the cookie banner or your browser settings.
7. Data Retention
We retain personal data for the following periods:
- Account data: retained for as long as your account is active; deleted within 30 days of an account deletion request
- Session tokens: expire after 30 days of inactivity or when you sign out
- Email verification codes: expire automatically after 15 minutes
- Analytics data: as configured with the analytics provider (Microsoft Clarity default: 12 months)
8. Your Rights
Under GDPR and LGPD, you have the following rights regarding your personal data:
- Right to Confirmation of Processing (Art. 15 GDPR) — Confirm whether we process your personal data. Contact our DPO at contact@simpleread.foundation.
- Right of Access (Art. 15 GDPR) — Request a copy of all personal data we hold about you. Use the 'Export My Data' feature in your profile settings.
- Right to Rectification (Art. 16 GDPR) — Correct inaccurate personal data. Update your name and profile picture directly in your profile settings.
- Right to Erasure (Art. 17 GDPR) — Request deletion of your account and personal data using the 'Delete Account' option in your profile settings.
- Right to Data Portability (Art. 20 GDPR) — Receive your personal data in a structured, machine-readable format. Use 'Export My Data' in your profile settings.
- Right to Erasure of Consent-Based Data (Art. 17 GDPR) — If you withdraw analytics consent, data collection by Microsoft Clarity and Vercel Analytics stops immediately. Revoke via Profile > Privacy & Data > Cookies.
- Right to Know Recipients (Art. 15.1.c GDPR) — See Section 5 of this policy ('Third-Party Data Processors') for the full list of organisations with whom your data is shared.
- Right to Object to Processing (Art. 21 GDPR) — Analytics consent is optional - the platform works without it. You can also object to legitimate-interest processing by contacting our DPO.
- Right to Withdraw Consent (Art. 7.3 GDPR) — Withdraw consent for analytics at any time in Profile > Privacy & Data, or via the cookie banner. Withdrawal does not affect prior lawful processing.
To exercise your rights, contact us at contact@simpleread.foundation. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (UK: ICO; Germany: BfDI; France: CNIL; Italy: Garante).
9. Children's Data
SimpleRead is an educational platform used in school environments and may process data of users under 18. Students are enrolled by their school or teacher. If you are a parent or guardian and believe your child's data has been collected without appropriate consent, please contact us immediately at contact@simpleread.foundation.
10. Security
We implement appropriate technical and organisational measures to protect your personal data, including password hashing (bcrypt), HTTPS encryption in transit, session token expiry, and access controls. No system is completely secure; in the event of a data breach affecting your rights, we will notify you and relevant authorities as required by law.
11. International Data Transfers
Some of our processors are located in the USA. Transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards provided by each processor. For details, refer to each provider's privacy policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our platform. The date at the top of this page always reflects the latest version.
13. Contact
For any questions or requests regarding this Privacy Policy or your personal data, please contact us: