Simpliant

Privacy Policy for the Simpliant Platform

This privacy policy (as of May 2025) describes the processing of personal data in connection with the use of the Simpliant platform (“Simpliant app/platform”) and the Leibniz01 product in accordance with the requirements of the General Data Protection Regulation (“GDPR”).

When you use our platform and its features, Simpliant acts as a data processor for most of the personal data processed. This means that the data is only processed on the instructions of the controller, which in this case is your organization.

The processing activities as a data processor are governed by our Data Processing Agreement (DPA) (Part B of the Terms and Conditions). For such processing activities, please contact your organization for further information on how your personal data is processed.

1. Controller

The controller responsible for providing the Simpliant platform and services such as Leibniz01 is Simpliant Technologies GmbH (with its registered office at Fasanenstraße 12, 10623 Berlin, Germany; referred to as “SIMPLIANT” or “we”). While SIMPLIANT acts as a processor for certain data processing on behalf of your organization (see DPA), SIMPLIANT is the controller within the meaning of the GDPR for the technical provision and core functionality of services such as Leibniz01.

2. Rights of the data subject and supervisory authority

As a data subject, you can exercise the following rights against SIMPLIANT:

  • Information about your data stored by us and its processing (Art. 15 GDPR)
  • Correction of inaccurate personal data (Art. 16 GDPR)
  • Deletion of your data stored by us (Art. 17 GDPR)
  • Restriction of data processing if we are not yet permitted to delete your data due to legal obligations (Art. 18 GDPR)
  • Data portability if you have consented to data processing or have concluded a contract with us (Art. 20 GDPR)
  • Objection to the processing of your data by us (Art. 21 GDPR).

If you have consented to data processing, you have the right to withdraw your consent with effect for the future.

To exercise your rights, please contact us by email at (datenschutz@simpliant.eu). Please note that in this case we will need to verify your identity and therefore identify you by appropriate means.

You can lodge a complaint with a data protection supervisory authority at any time, e.g., with the competent supervisory authority of the federal state in which you reside or with the authority responsible for us.

You can find all supervisory authorities for non-public bodies in Germany at the following link:
(https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html)

3. Retention period

The duration of data storage depends on the respective data category and processing activity. If the retention period is not specified, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage no longer applies. Personal data will not be deleted if there is a legal obligation to retain it (e.g., Section 257 of the German Commercial Code (HGB), Section 147 of the German Fiscal Code (AO)) and in the event of a possible legal dispute.

The security measures are continuously improved and adapted in line with technological developments.

4. Recipients of the data

We use service providers for some of the data processing activities we carry out. These service providers are processors and have been contractually obliged by us in accordance with Art. 28 GDPR to process data only in accordance with our instructions. These processors may have access to personal data in the course of their activities.

5. Data processing activities on the Simpliant platform

5.1 User account and provision of the platform

Type and purpose of data processing:

We offer a platform on various topics such as data protection, information security, and cyber security. To use the platform, you must create a user account. This involves the processing of personal data such as your first and last name and email address.

Legal basis:

The data is processed in accordance with Art. 6 (1) sentence 1 lit. b) GDPR (performance of a contract).

Recipients:

The recipients of the data are various technical service providers for hosting the platform, for user authentication, and for sending transaction emails. As processors, the service providers are obliged to process personal data only in accordance with our instructions on the basis of data processing agreements.

Retention period:

User account data is retained until the user deletes their account. Usage data is retained for as long as the contractual relationship exists. Otherwise, personal data is deleted as soon as the purpose or legal basis for storage no longer applies. Insofar as we are subject to statutory retention periods, we will comply with these and delete your data after these periods have expired.

5.2 Online training

Type and purpose of data processing:

Within the framework of our platform, you have the opportunity to participate in online training courses and receive a training certificate upon successful completion. The administrators and owners have the opportunity to view your training progress. During the training courses, personal data such as user ID, assigned training courses, information on the execution of the training, and the company name (optional) are processed. The animated learning videos are hosted by our streaming service provider.

Legal basis:

The data is processed in accordance with Art. 6 (1) sentence 1 lit. b) GDPR (performance of a contract).

Recipients:

The recipients of the data are various technical service providers for hosting the platform, for user authentication, for providing the videos, and for sending transaction emails. As processors, the service providers are obliged to process personal data only in accordance with our instructions on the basis of data processing agreements.

Transfer of data to third countries:

Personal data is also transferred by our service provider to the United States of America (“USA”). An adequate level of data protection is ensured by the fact that the service provider is certified under the EU-US Data Privacy Framework and therefore subject to an adequacy decision. Alternatively, standard contractual clauses have been concluded with the service provider.

Retention period:

The user data processed in the context of the training will be retained for as long as the contractual relationship exists. Otherwise, personal data will be deleted as soon as the purpose or legal basis for storage no longer applies. Insofar as we are subject to statutory retention periods, we will comply with these and delete your data after these periods have expired.

5.3 Error monitoring and ensuring data quality

Type and purpose of data processing:

To ensure a stable and high-quality user experience on our platform, we use technical monitoring tools to identify and fix any errors or malfunctions. If technical errors occur in the user interface (front end), we use user session recording features to understand the context of the error, with all text information being masked to protect privacy. For logged-in users, identifiable data such as user ID and email address are processed for error analysis. In the area of server technology (backend), error and performance data are logged, which may sometimes contain user data that is processed in the course of error analysis.

Legal basis:

Data processing is carried out in accordance with Art. 6 (1) sentence 1 lit. f) GDPR and is based on our legitimate interest in ensuring the functionality and continuous optimization of our platform.

Recipients:

The recipients of the data are service providers for error and performance monitoring of our platform, who act as processors and process the data exclusively in accordance with our instructions and based on a data processing agreement.

Transfer of data to third countries:

Data may be transferred to countries outside the European Economic Area. In such cases, we ensure an adequate level of data protection by using standard contractual clauses or by selecting service providers with appropriate certifications.

Retention period:

Error-related data is automatically deleted after a specified period of time, which is based on technical and organizational requirements. In addition, personal data is deleted as soon as the purpose or legal basis for storage no longer applies or statutory retention periods expire.

5.4 Service billing

Type and purpose of data processing:

In the context of service billing, we process payment data, invoice information, bank details, and credit card data.

Legal basis:

Insofar as personal data is processed in this context, the data is processed in accordance with Art. 6 (1) sentence 1 lit. b) GDPR (performance of a contract).

Recipients:

The recipient of the data is an online payment service provider. As a processor, the service provider is obliged to process personal data only in accordance with our instructions on the basis of a data processing agreement.

Transfer of data to third countries:

Personal data is also transferred by our service provider to the United States of America (“USA”). An adequate level of data protection is ensured by the fact that the service provider is certified under the EU-US Data Privacy Framework and is therefore subject to an adequacy decision. Alternatively, standard contractual clauses have been concluded with the service provider.

Retention period:

In accordance with our legal retention periods for tax-related data, we store your data for up to 10 years, depending on the applicable period.

5.5 Customer support

Type and purpose of data processing:

You can contact us for support purposes by sending us an email or entering data in our end-to-end encrypted contact form. You can specify your request and contact our office directly using the contact information on our website.

The data you enter and transmit will be processed for the purpose of customer support and individual communication with you.

Legal basis:

Data processing is carried out for the purpose of implementing contractual measures, fulfilling a contract (Art. 6 (1) sentence 1 lit. b) GDPR) or on the basis of our legitimate interests in providing customer support (Art. 6 (1) sentence 1 lit. f) GDPR).

Recipients:

Another recipient of the data is a processor. As a processor, the service provider is obliged to process the data only in accordance with our instructions.

Retention period:

Unless statutory retention periods require the storage of data or the type of processing requires the ongoing processing of personal data, your data will be deleted no later than 3 years after the last contact. Insofar as we are subject to statutory retention periods, we will comply with these and delete your data after these periods have expired.

5.6 Product information, product updates, and advertising

Type and purpose of data processing:

We regularly inform administrators and workspace owners about new features and developments relating to our platform. For this purpose, we process your name and email address in order to send you messages. You can object to receiving these messages at any time by clicking on “unsubscribe” in the respective email or by contacting us by email at (datenschutz@simpliant.eu).

Legal basis:

We process your data in accordance with Section 7 (3) UWG (German Act Against Unfair Competition) in conjunction with Art. 6 (1) lit. f) GDPR on the basis of our legitimate interest in providing news about platform features.

Recipients:

Another recipient of the data is our processor for mail delivery. As a processor, the service provider is obliged to process the data only in accordance with our instructions.

Retention period:

We process your data until you unsubscribe from our product updates or delete your account and/or workspace.

5.7 Marketing conversion tracking on product pages (landing pages)

Type and purpose of data processing:

With your consent, we use conversion tracking to optimize our marketing strategies and measure the effectiveness of our advertising campaigns. This process helps us understand how effective our advertisements are by tracking the actions of users after they click on one of our ads.

Legal basis:

The legal basis is your consent in accordance with Article 6 (1) (a) GDPR.

Recipient:

The recipient of the data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Retention period:

The retention period is 30 days from collection.

5.8 Whistleblower reporting channel

Type and purpose of data processing:

You can report violations within the meaning of the German Whistleblower Protection Act (HinSchG) via our internal whistleblower system “Simpliant Whistleblower.” Your report will be processed by our internal reporting office. Within 7 days of receiving your report, we will confirm receipt and inform you about the progress of the investigation. All data necessary for processing the report will be processed, including any special categories of personal data. Once the investigation has been completed, you will receive feedback on the status of the proceedings within 3 months.

Legal basis:

Data processing is necessary for the fulfillment of a legal obligation (Art. 6 (1) lit. c GDPR).

Recipients:

The recipients of the data are our internal reporting office and the persons who support them in the performance of their tasks. In court proceedings or official investigations, third parties such as authorities may also have access to the data. Information will only be forwarded on a need-to-know basis if this is necessary for the performance of tasks in accordance with the Whistleblower Protection Act.

Categories of personal data:

The following categories of personal data are likely to be processed in the context of the data processing activity “Receipt and processing of reports”:

  • With regard to the whistleblower:

    • Personal data (name and gender)
    • Contact details (private and, if applicable, business address, telephone number, email address)
    • Data on professional activities (occupation, employer, function, and position)
    • If applicable, special categories of personal data in accordance with Article 9 GDPR
    • If applicable, personal data relating to criminal offenses in accordance with Article 10 GDPR

  • With regard to persons who are the subject of a report:

    • Personal data (name and gender)
    • Data on professional activity (occupation, employer, function, and position)
    • Information on the conduct constituting the violation
    • Information on follow-up measures and investigation results
    • Special categories of personal data in accordance with Article 9 GDPR, if applicable
    • Personal data relating to criminal offenses in accordance with Article 10 GDPR, if applicable

  • With regard to other persons affected by a report:

    • Personal data (name and gender)
    • Contact details (private and, if applicable, business address, telephone number, email address)
    • Data relating to professional activities (occupation, employer, function, and position)
    • Special categories of personal data in accordance with Article 9 GDPR, if applicable
    • Personal data relating to criminal offences in accordance with Article 10 GDPR, if applicable

(b) The following categories of personal data are likely to be processed in the context of the processing activity “Information and advice”:

  • With regard to persons considering making a report:

    • Personal data (name and gender)
    • Contact details (private and, if applicable, business address, telephone number, email address)
    • Data relating to professional activities (occupation, employer, function, and position)
    • Content of the information or advice provided
    • Where applicable, special categories of personal data in accordance with Article 9 GDPR
    • Where applicable, personal data relating to criminal offenses in accordance with Article 10 GDPR

  • With regard to persons who are the subject of a possible report:

    • Personal data (name and gender)
    • Data on professional activities (occupation, employer, function, and position)
    • Information on the possible violation
    • Special categories of personal data pursuant to Article 9 GDPR, if applicable
    • Personal data relating to criminal offenses pursuant to Article 10 GDPR, if applicable

  • With regard to other persons affected by a possible report:

    • Personal data (name and gender)
    • Contact details (private and, where applicable, business address, telephone number, email address)
    • Data relating to professional activities (occupation, employer, function and position)
    • Special categories of personal data in accordance with Article 9 GDPR, where applicable
    • Personal data relating to criminal offences in accordance with Article 10 GDPR, where applicable

Transfer to a third country:

Personal data will not be transferred to third countries (countries outside the European Union and the European Economic Area) or to an international organization (Articles 44 et seq. GDPR).

Retention period:

Data relating to reports will be deleted after an initial review and, if necessary, after the conclusion of an investigation. In accordance with Section 11 (5) sentence 1 HinSchG, the data will be deleted no later than 3 years after the case has been closed, unless further legal requirements or proceedings require longer storage.

5.9 Simpliant Meeting Summary

Type and purpose of data processing:

Data processing includes audio recording of participants via the browser after consent has been obtained. The recorded audio data is then transcribed by a transcription server within the EU (no transfer of audio files to OpenAI). The transcribed text is transmitted via API to OpenAI Ireland Ltd. for further processing in “text generation” format. The result of the processing is received in order to provide the desired meeting summaries.

Categories of personal data:

Data for organizing meetings
  • Names
  • Email addresses
  • Data on meeting events (e.g., meeting details, organizer and participants, agenda, notes)
Audio and text data
  • Voice recordings (temporary)
  • Meeting transcripts (temporary)
  • Summaries created
Technical data
  • User IDs
  • Device information
  • Connection data
  • Usage statistics

Legal basis:

The processing is based on Art. 28 GDPR in the relationship between the customer and Simpliant Technologies GmbH. In the relationship between the customer/user and other participants, the processing is based on the consent of the users (Art. 6 (1) (a) GDPR).

Transfer to a third country:

The processing of audio files and their transcription takes place exclusively within the EU. With regard to the processing of the transcribed text by OpenAI Ireland Ltd., subcontractors based in the USA are named in OpenAI's data processing agreement: https://platform.openai.com/subprocessors.

Retention period:

Audio files and meeting transcripts are automatically deleted after the meeting has been created. The meeting summaries can be deleted by the user in the app interface and are otherwise deleted when the account is deleted.

5.10 Leibniz01

Type and purpose of data processing:

Leibniz01 is a service for transcribing audio files. Processing includes the uploading of audio files by the user and their automatic transcription. Simpliant acts as the controller for the technical provision of the transcription and prompt processing service. The audio files are transferred to servers of Simpliant Technologies GmbH for processing and transcribed there. The generated transcript is then sent back to the user's browser and primarily stored locally in the browser. If users use the optional prompt function (“Generate” button), the text prompts entered are forwarded to the API provider OpenAI Ireland Ltd. for processing in order to generate results based on them. Neither the uploaded audio files nor the entered prompts are used by Simpliant or its subcontractors (such as OpenAI) for their own purposes beyond the mere provision of the service or for training models. The service is subject to a fair use policy.

Categories of personal data:

  • User data: Account information (name, email address, user ID) for identification and administration.
  • Audio data: Audio files uploaded by the user that may potentially contain voices and spoken content that may constitute personal data (temporarily stored on servers during transcription).
  • Text data: Automatically generated transcripts of the audio files (primarily stored locally in the browser); text prompts entered by the user (when using the Generate function); text results generated by the AI model.
  • Technical data: Usage statistics (within the scope of fair use), device information, connection data to ensure service quality and troubleshooting.
  • Special categories of personal data pursuant to Article 9 GDPR, if applicable: If these are entered by the user in the uploaded audio files or prompts or are discussed therein (e.g., health data, political opinions). Simpliant does not specifically process this data, but cannot technically exclude its processing in the context of automated transcription and prompt processing.

Legal basis:

The processing of data for the provision of Leibniz01 is carried out for the fulfillment of the contract in accordance with Art. 6 (1) sentence 1 lit. b) GDPR. If special categories of personal data (Art. 9 GDPR) are transmitted by the user, their technical processing for the provision of the service is carried out on the basis of Art. 9 (2) (a) GDPR (express consent, which is implied by the deliberate entry/upload of such data for processing in the service) or Art. 9 (2) (e) GDPR (data made manifestly public), whereby Simpliant itself does not evaluate this data for its own purposes.

Recipients:

  • Simpliant Technologies GmbH: As the controller responsible for hosting and transcribing the audio files.
  • OpenAI Ireland Ltd.: Exclusively when using the prompt function (“Generate” button) as a processor for processing text prompts via API. No audio files are transmitted to OpenAI.
  • Technical service providers: Other technical service providers (hosting, infrastructure) as processors in accordance with Art. 28 GDPR, if applicable.

Transfer to a third country:

The processing of audio files and transcription takes place within the EU. When using the prompt function, text data is transferred to OpenAI Ireland Ltd. It cannot be ruled out that subcontractors of OpenAI Ireland Ltd. (see: https://platform.openai.com/subprocessors) may also process data in the USA. The transfer is based on appropriate safeguards, such as standard contractual clauses or an adequacy decision (e.g., EU-US Data Privacy Framework, provided that the respective subcontractor is certified accordingly).

Retention period:

Uploaded audio files are deleted from Simpliant Technologies GmbH's servers after transcription is complete. The transcripts are primarily stored locally in the user's browser, where they can be managed and deleted by the user. Data related to the prompt function is processed in accordance with OpenAI's guidelines and is not stored permanently by Simpliant, except for the short-term provision of the result in the browser. Account and usage data is stored in accordance with the general retention periods (see Section 3) or until the account is deleted, unless longer statutory retention obligations apply.

6. Changes to the privacy policy

We reserve the right to amend this privacy policy in order to always comply with current legal requirements or to reflect changes to our offerings in the privacy policy (e.g., when introducing new services). The current version of the privacy policy applies.