Privacy Policy

Last updated: 2026-05-29

1. What this policy covers

This Privacy Policy explains what information SimpleChex collects, how we use it, who we share it with, and your choices regarding that information. It applies to all visitors to simplechex.com and all users of the Service.

2. Information we collect

Information you provide:

  • Account information: email address, password (hashed), full name, workspace name
  • Bank account information: bank name, routing number, account number, account holder name and address (used to render MICR-encoded checks)
  • Payee information: vendor/recipient names, addresses, and email addresses you save
  • Check details: payee, amount, date, memo, signature image or typed signature
  • Billing information: processed by Stripe — we receive only the last 4 digits of your card and Stripe's customer ID; we never see or store your full card number

Information collected automatically:

  • Authentication cookies (to keep you logged in)
  • Server logs (IP address, request timestamps, user-agent) — retained 30 days
  • Error events captured by our monitoring tools — used for debugging only

Information from third parties:

  • Stripe sends us subscription status, billing events, and last-4 of payment method
  • Our email provider sends us delivery, bounce, and complaint events for emails we send

3. How we use information

We use the information we collect to:

  • Provide the Service (render checks, send emails, process subscriptions)
  • Authenticate you and protect your account
  • Send transactional emails (check delivery, invite emails, password resets, billing receipts)
  • Send service announcements and product updates (you may opt out anytime)
  • Detect, investigate, and prevent fraudulent or unauthorized use
  • Comply with legal obligations (subpoenas, court orders, regulatory requests)
  • Improve the Service (debug errors, analyze aggregate usage trends)

We do NOT use your information to:

  • Sell or rent it to third parties
  • Train AI models
  • Show you advertising
  • Build profiles for marketing purposes

4. Who we share information with

We share information with the following categories of recipients, only as needed to operate the Service:

  • Stripe (billing) — your name, email, billing address, last-4 of card, subscription history
  • Resend (transactional email) — recipient email and the email content you send
  • Supabase (database hosting) — all data you store in the Service
  • Vercel (web hosting) — request logs only (none of Your Data)
  • Sentry (error monitoring) — error stack traces, request URLs (no bank/routing numbers)
  • Law enforcement — only when legally required (subpoena, court order, etc.)

We do NOT share your information with marketers, data brokers, or advertising networks.

5. Security

We implement reasonable technical and organizational measures to protect your information:

  • All data transmitted between you and the Service is encrypted with TLS 1.3
  • Data at rest in our database is encrypted using AES-256
  • Bank account and routing numbers are never displayed back to you in plain text after entry
  • Access to our production database is limited to authorized personnel and logged
  • Workspace data is isolated via Postgres row-level security policies

No system is perfectly secure. If we discover a breach affecting your data, we will notify you by email within 72 hours.

6. Data retention

  • Active accounts: we retain Your Data as long as your account is active
  • Deleted accounts: we delete Your Data within 30 days of account deletion, except as required by law (e.g., billing records for tax purposes — retained 7 years)
  • Server logs: 30 days
  • Error events: 90 days
  • Backups: up to 30 days

7. Your rights and choices

You can:

  • Access and edit your account and workspace data anytime from within the Service
  • Export your check history (email support@simplechex.com for a full export)
  • Delete your account anytime (email support — completed within 7 business days)
  • Opt out of marketing emails via the unsubscribe link in any marketing email; transactional emails cannot be opted out of while your account is active

California residents (CCPA/CPRA): You have the right to know what personal information we collect, to request deletion, to opt out of “sale” of personal information (we don't sell), and to non-discrimination for exercising these rights. Email support@simplechex.com.

EU/UK residents (GDPR/UK-GDPR): You have rights of access, rectification, erasure, restriction, portability, and objection. Our lawful basis for processing is contractual necessity and legitimate interests. Email support@simplechex.com.

8. Cookies

We use only essential cookies needed to keep you logged in and maintain your session. We do not use analytics, advertising, or tracking cookies. There is no cookie banner because no consent is required for strictly necessary cookies under most privacy laws.

9. Children

The Service is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a minor, email support@simplechex.com and we will delete it.

10. International data transfers

SimpleChex is operated from the United States. If you access the Service from outside the US, you consent to the transfer and processing of your information in the US, which may have different data protection laws than your jurisdiction. We rely on Stripe's and Supabase's standard contractual clauses (SCCs) for any EU-to-US transfers.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 14 days before they take effect. The “Last updated” date above indicates when the policy was last revised.

12. Contact

Privacy questions, access/deletion requests, or DPO contact: support@simplechex.com