Privacy Policy

Last updated: 26 May 2026

This Privacy Policy describes how Simplexi HQ Inc. (“Simplexi,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you use simplexi.io, our web and mobile apps, APIs, integrations, and related services (the “Services”). It is incorporated into and subject to our Terms of Service.

Simplexi provides an AI-native customer engagement platform that unifies voice, WhatsApp, SMS, email, social messaging, CRM, and AI agents. If you are a visitor to or recipient of communications from a Simplexi Customer (a “Customer End-User”), the Customer’s own privacy policy governs how your data is used; Simplexi processes that data on their behalf as a data processor.

By using the Services, you accept the practices described in this Policy.

1. Information we collect

Customer Data

When you register and use the Services, we collect information you provide, including name, email, phone number, company, job title, profile photo, billing details, and Account credentials. We also collect Customer Content you upload or generate through the Services: contacts, messages, call recordings, transcripts, AI agent prompts, knowledge bases, CRM records, campaigns, and configuration.

Information about identifiable individuals is “Personal Data” as defined by applicable law. Because Simplexi has no direct relationship with the individuals whose Personal Data is processed as part of Customer Content, the Customer is responsible for compliance with applicable data protection law. Our Data Processing Addendum (DPA) is available on request from privacy@simplexi.io.

Information you provide through our marketing

When you interact with our advertising, sign up for content (demos, events, webinars, reports), or contact our team, we collect your name, email, phone, company, and job title.

Automatically collected information

We automatically collect information about how you interact with the Services: IP address, browser and device data, operating system, pages and features used, timestamps, and email interactions (open and click events). We use cookies and similar technologies — see Section 12.

Third-party platforms

When you authorise an integration (such as Google, Meta, a CRM, or a payment processor), we receive only the data the platform makes available to us and only as needed to deliver the features you have enabled.

Sensitive personal data

The Services are intended for general business communications and not for processing special categories of personal data (health, biometric, racial or ethnic origin, religion, sexual orientation, government identifiers) unless agreed in writing with appropriate safeguards.

2. How we use information

Operations

To provide, maintain, secure, and improve the Services, deliver customer support, prevent fraud or abuse, and meet legal obligations. Customer Content is processed only on the Customer’s instructions.

Communications

To contact you for administrative reasons (service announcements, security alerts, billing), to handle support requests, and — where you have opted in or are otherwise permitted by law — to send marketing communications about Simplexi. You can opt out at any time as described in Section 10.

Development and analytics

To analyse usage trends, monitor traffic patterns, and develop new features. We exclude Google user data, Meta Platform data, and Customer End-User communication content from this analytics use.

Legal bases (EEA, UK, Africa)

Where required, we rely on: performance of a contract, consent (for optional integrations, marketing, and non-essential cookies), legitimate interests (security, fraud prevention, product improvement), and legal obligation.

3. Google user data

Limited Use disclosure. Simplexi’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Why we request Google access

If you connect your Google account, Simplexi uses Google APIs to provide user-facing features you have requested: scheduling meetings, synchronising availability, sending email on your behalf, surfacing contacts, and creating video meeting links.

Scopes we may request

OAuth scopeWhat it accessesWhy we need it
userinfo.emailYour Google email.To link your Google account to Simplexi.
userinfo.profileName and profile photo.To display your identity in the Services.
calendar.eventsRead, create, update, delete events.To schedule, reschedule, and cancel meetings booked through Simplexi.
calendar.readonlyRead your calendars, free/busy, attendees.To check your availability and prevent double-booking.
gmail.send (optional)Send email on your behalf.To send emails you compose or that follow up on calls.
gmail.readonly (optional)Read messages and threads.To display incoming customer emails in your unified inbox.
contacts.readonly (optional)Read Google Contacts.To make your contacts available within Simplexi.

We request the minimum scopes necessary and use Google’s incremental authorisation so scopes are requested in context. If we add a feature requiring a new scope, we will request it in context and update this Policy first.

How we use Google user data

Only to provide and improve the specific user-facing features you have enabled — displaying your calendar and availability, creating and modifying events you schedule, sending and receiving email through your unified inbox, and surfacing your contacts.

How we share Google user data

We do not transfer Google user data except as permitted by the Google API Services User Data Policy: to deliver the features you have enabled (with your consent); to infrastructure sub-processors strictly necessary to operate the Services; for security purposes (investigating abuse); to comply with law; or as part of a merger or acquisition, with your explicit prior consent.

What we do not do with Google user data

  • Sell or rent it to anyone.
  • Transfer it to advertising platforms, data brokers, or information resellers.
  • Use it for advertising of any kind (including personalised, retargeted, or interest-based ads).
  • Use it to determine credit-worthiness or for lending purposes.
  • Use it to develop, improve, or train generalised or non-personalised AI/ML models. AI features that act on Google user data do so only to deliver the user-facing feature you invoked, in that moment, on your behalf. The data is not retained or used for training.
  • Allow humans to read it, except with your affirmative consent, for security investigations, to comply with law, or in aggregated and anonymised form for internal operations.

How to revoke access and request deletion

Disconnect in Simplexi (Settings > Integrations > Google > Disconnect) or revoke at Google (myaccount.google.com/permissions). On disconnection, OAuth tokens are revoked immediately and cached Google data is deleted within 30 days. Email privacy@simplexi.io to request deletion at any time.

4. Meta Platform data

For our WhatsApp Business, Facebook Messenger, and Instagram Direct integrations: you are the data controller and Simplexi is the data processor. We collect your App-Scoped User ID (ASID) and business asset identifiers (WhatsApp Business Account ID, phone number IDs, Facebook Page IDs) when you authenticate with Meta. We use Meta data only to deliver messaging and conversational features you have enabled. We do not use it for advertising or to train generalised AI models. Deletion requests received via Meta’s automated callback or sent to privacy@simplexi.io are honoured within 30 days.

5. Voice, messaging, and AI

Voice calls and recordings

We process call metadata (numbers, times, duration, direction, agent assignment), recordings where you enable them, transcripts, AI-generated summaries, and voicemails. You are responsible for configuring call-recording notices and obtaining any consents required by applicable wiretap and data protection laws. The Services do not support emergency calls (911/999/112); see Section 7 of our Terms of Service.

SMS, email, and other channels

We route messages through licensed telecommunications carriers and channel providers in each region. We process sender and recipient identifiers, message content, delivery receipts, and engagement events. You are responsible for the lawfulness of the messages you send and for honouring opt-outs.

AI agents and AI features

The Services include AI features (summarisation, sentiment, intent detection, suggested replies, voice agents, messaging agents). We do not use Customer Content, Customer End-User data, recordings, transcripts, Google user data, or Meta Platform data to train generalised or third-party AI models. Our AI inference providers are contractually prohibited from retaining or training on your data. You are responsible for disclosing the use of AI to End-Users where required by law (for example, California SB 1001).

6. Sharing of information

We do not sell personal information and do not share it for cross-context behavioural advertising. We share information only as follows:

  • With your instructions: when you direct us to send data to an integration or recipient.
  • Service providers: trusted sub-processors who provide infrastructure on our behalf, bound by written contracts (see Section 7).
  • Carriers and channel partners: to route calls and messages through telecoms networks and platforms (e.g., Meta for WhatsApp).
  • Legal: where required by law, court order, or to enforce our agreements or protect rights and safety.
  • Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, with notice and (where required) consent.

7. Sub-processors

We engage sub-processors to deliver the Services. A current named list is available on request from privacy@simplexi.io and is provided to enterprise customers under their DPA. Categories include:

  • Cloud hosting and infrastructure (AWS, Google Cloud)
  • Email and transactional messaging providers
  • Voice and SMS connectivity (licensed telecoms and CPaaS providers, regional)
  • Payment processing (PCI-DSS compliant)
  • Customer support, analytics, and error monitoring tooling
  • AI inference providers (configured not to retain or train on customer data)
  • Identity and authentication providers

Google user data is processed only by sub-processors strictly necessary to deliver Google-connected features and is never sent to advertising, profiling, or AI-training systems.

8. Data retention and deletion

  • Account data: retained for the Subscription Term and up to 90 days after closure, then deleted or anonymised (longer where law requires, e.g. tax records up to 7 years).
  • Customer Content: retained while your Account is active; deleted within 90 days of Account closure or earlier on written request.
  • Call recordings, transcripts, AI session data: retained per your Account configuration (default 90 days); deleted within 30 days of a valid deletion request.
  • Google user data: OAuth tokens revoked immediately on disconnection; cached Google data deleted within 30 days.
  • Meta/WhatsApp data: deleted or anonymised within 30 days of a valid request or Meta’s automated callback.
  • Log data: up to 12 months for security and diagnostics.
  • Backups: deleted records purged within the standard backup cycle (no more than 35 days).

To request deletion at any time, email privacy@simplexi.io with subject “Data Deletion Request.” If you are a Customer End-User, please contact the Simplexi Customer that communicates with you; they control your data and we will support their response.

9. Security

We follow industry-standard practices to protect information in transit and at rest:

  • TLS 1.2+ for connections to the Services and third-party APIs (including Google and Meta).
  • AES-256 encryption at rest for databases, file storage, recordings, and backups.
  • OAuth tokens and credentials stored with envelope encryption.
  • Role-based access, least-privilege, mandatory MFA for staff, just-in-time access for production, and full audit logging.
  • Web application firewall, intrusion detection, DDoS protection, and routine vulnerability scanning.
  • Secure development lifecycle with code review, dependency and secret scanning, and a responsible disclosure programme at security@simplexi.io.
  • Sub-processors assessed for security and bound by written data protection terms.
  • Breach notification within 72 hours of becoming aware, where required.

No system is perfectly secure, but we work continuously to improve and welcome reports at security@simplexi.io.

10. Your rights

Subject to applicable law, you have the right to access, rectify, delete, restrict or object to processing of, and port your personal information; to withdraw consent where processing is based on consent; and to lodge a complaint with your local supervisory authority (in the EU/UK, your national DPA; in Nigeria, the NDPC; in South Africa, the Information Regulator; in Kenya, the ODPC; in Ghana, the DPC; in Uganda, the PDPO).

California (CCPA/CPRA)

We do not sell personal information for money and do not share it for cross-context behavioural advertising. You have the right to know, delete, correct, and limit the use of sensitive personal information, and to be free from discrimination for exercising these rights.

How to exercise your rights

Email privacy@simplexi.io. We will verify your identity and respond within the timeframes required by law (typically 30 days under GDPR/UK GDPR; 45 days under CCPA). If you are a Customer End-User, contact the Customer that communicates with you first — they are the controller of your data.

Opt-out of marketing

Click unsubscribe in any marketing email, reply STOP to SMS, or email privacy@simplexi.io. We will still send transactional and service messages necessary to operate your Account.

11. International data transfers

Simplexi operates internationally. Personal data may be processed in the United States, United Kingdom, European Union, and African markets including Nigeria, Kenya, Ghana, South Africa, Uganda, and Rwanda. Where we transfer personal data out of the EEA, UK, or jurisdictions with cross-border restrictions, we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions where they apply, and supplementary technical and organisational measures. You can request a copy of the safeguards we use.

12. Cookies

We use cookies and similar technologies for authentication and security (strictly necessary), to remember preferences (functional), to understand usage (analytics, with consent where required), and on our marketing website only, to measure marketing effectiveness (with consent). You can manage cookies through your browser and through our cookie banner on the marketing site. Disabling cookies may limit some features.

13. Children

The Services are intended for business use and not directed to children. We do not knowingly collect personal information from children under 13 (or 16 where required by local law, such as the GDPR). If you believe a child has provided personal information, contact privacy@simplexi.io and we will delete it promptly.

14. Changes to this Policy

We may update this Policy from time to time. We will revise the “Last updated” date and, for material changes — including any change to how we access, use, store, or share Google user data — notify you by email or in-product notice and, where required, ask you to re-consent before the change takes effect.

15. Contact

Questions, requests, or complaints about this Policy:

© 2026 Simplexi HQ Inc. All rights reserved.