Privacy Policy
Last Updated: November 27, 2025
1. Introduction
Welcome to Simple Trust Portal. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
Simple Trust Portal is a document sharing platform designed for B2B organizations to publish and manage trust portals where they can share security and compliance documents with prospective customers.
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide when using our service:
- Account Information: Name, email address, and password when you create an account
- Google Sign-In: If you choose to sign in with Google, we receive your name, email address, and profile picture from your Google account. We do not access your Google contacts, calendar, Drive, or any other Google services
- Organization Information: Organization name, logo, and trust portal configuration settings
- Access Request Information: When requesting access to documents, we collect your name, email, company name, and optional message
- NDA Acceptance: Records of Non-Disclosure Agreement acceptance when required by organizations
2.2 Automatically Collected Information
We automatically collect certain information when you use our service:
- Usage Data: Document uploads, downloads, access requests, and share link usage
- Audit Logs: Comprehensive activity logs including event types, timestamps, and user actions
- Version History: Complete document version tracking including uploader names, timestamps, version numbers, and file replacement chains
- Technical Information: IP addresses, browser type, device information, and user agent strings
- Cookies and Session Data: HTTP-only session cookies for authentication and security
2.3 Documents and Files
Organizations upload security and compliance documents (such as SOC 2 reports, penetration test results, and policies) to share with prospective customers. These documents are stored securely, and access is controlled by the uploading organization.
3. How We Use Your Information
We use the collected information for the following purposes:
- Service Delivery: To provide, maintain, and improve our document sharing platform
- Authentication: To verify your identity and manage your account access
- Access Control: To manage document visibility, approval workflows, and time-limited access
- Security: To detect, prevent, and respond to fraud, security incidents, and unauthorized access
- Audit Trail: To maintain comprehensive audit logs for compliance and security purposes
- Communication: To send email notifications about access requests, approvals, and account activity
- Document Watermarking: To add requester information to downloaded PDF documents for tracking purposes
- Analytics: To understand usage patterns and improve our service
4. Data Storage and Security
4.1 Infrastructure
Our service is hosted on secure infrastructure in the United States:
- Application Hosting: AWS EC2 (US-based servers)
- Database and Authentication: Supabase (PostgreSQL database with US-based servers)
- File Storage: Supabase Storage (secure, encrypted storage)
4.2 Security Measures
We implement industry-standard security measures to protect your information, aligning with the CIS Critical Security Controls (IG1) and NIST Cybersecurity Framework:
- HTTPS encryption for all data in transit (TLS 1.2+)
- Encrypted storage for all files and documents
- HTTP-only, secure session cookies to protect session tokens from theft via XSS attacks
- Row-level security (RLS) policies on all database tables
- JWT-based authentication via Supabase Auth
- Role-based access control (admin/regular user roles)
- File type validation and size limits
- Time-limited share tokens with download count restrictions
- IP address tracking for audit purposes
4.3 Data Retention
We retain your information for as long as your account is active or as needed to provide services. Audit logs are retained for compliance and security purposes. Organizations can delete their account and associated data at any time through the dashboard settings.
Document Versioning: When documents are replaced, all previous versions are retained indefinitely for audit compliance and to maintain the integrity of external document shares. This ensures that external users with approved access can continue to access documents even after files are updated. When an organization is deleted, all document versions are removed along with other associated data.
5. Information Sharing and Disclosure
5.1 Within Organizations
When you request access to an organization's documents, your information (name, email, company, message) is shared with administrators of that organization to facilitate the approval process.
5.2 Service Providers
We use trusted third-party service providers to support our operations:
- Supabase: Database, authentication, and file storage
- Amazon Web Services (AWS): Application hosting
- Resend: Transactional email delivery and tracking
- Google: Optional authentication via Google Sign-In (OAuth 2.0). When you use Google Sign-In, Google's Privacy Policy applies to the authentication process
5.3 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, or government agencies).
6. Cookies and Tracking
We use HTTP-only session cookies for authentication and security purposes. These cookies are essential for the service to function and cannot be disabled without affecting your ability to use Simple Trust Portal.
We do not use third-party advertising cookies or tracking pixels.
7. Your Rights and Choices
You have the following rights regarding your personal information:
- Access: You can access your account information through the dashboard
- Update: You can update your profile information and organization settings at any time
- Delete: You can delete your organization and associated data through the settings page
- Audit Logs: You can view and export comprehensive audit logs of all activity
- Download: You can export your audit logs in CSV format
8. Data Protection Rights (GDPR/CCPA)
If you are a resident of the European Economic Area (EEA) or California, you have additional rights under GDPR or CCPA:
- Right to access, rectify, or delete your personal data
- Right to data portability
- Right to restrict or object to processing
- Right to withdraw consent
- Right to lodge a complaint with a supervisory authority
Please note that our servers are located in the United States, and your data will be transferred to and processed in the US.
9. Children's Privacy
Simple Trust Portal is a B2B service not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Your continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- General Inquiries: Via our contact page
- Security Concerns: security@simpletrustportal.com
- Service: Simple Trust Portal