GDPR Compliance

Last updated: March 04, 2026

1. Introduction

SimpliHome is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR). This GDPR Compliance document explains how we fulfill our obligations under GDPR and how you can exercise your rights.

This document is a supplement to our Privacy Policy and provides specific information about our GDPR compliance for users in the European Economic Area (EEA) and United Kingdom.

2. Who We Are (Data Controller)

For the purposes of GDPR, SimpliHome acts as the "data controller" for personal information we collect and process. This means we determine the purposes and means of processing your personal data.

Data Controller: SimpliHome

Contact Email: privacy@simplihome.co.uk

Data Protection Officer: dpo@simpli-home.com

3. Legal Basis for Processing Your Data

Under GDPR, we must have a valid legal basis to process your personal data. We rely on the following legal bases:

3.1 Contract Performance

Processing is necessary to provide our Services to you, including:

  • Creating and managing your account
  • Operating your Circle and facilitating family collaboration
  • Providing calendar, recipe, bill tracking, and other core features
  • Processing payments and managing subscriptions
  • Providing customer support

3.2 Consent

We process certain data based on your explicit consent, including:

  • Marketing communications and newsletters (you can withdraw consent at any time)
  • Optional features that require additional data processing
  • Cookies and tracking technologies (managed through our cookie consent banner)
  • Integration with third-party services (e.g., Google login, recipe importers)

3.3 Legitimate Interests

We process data based on legitimate interests, which include:

  • Improving and optimizing our Services
  • Detecting and preventing fraud and security threats
  • Analyzing usage patterns to enhance user experience
  • Internal research and development
  • Network and information security

3.4 Legal Obligations

We process data when necessary to comply with legal obligations, such as:

  • Tax and accounting requirements
  • Responding to lawful requests from authorities
  • Complying with court orders and legal processes
  • Maintaining records as required by law

4. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. We will respond to requests within one month (extendable by two additional months for complex requests).

4.1 Right to Access (Article 15)

You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data. You can also request information about:

  • The purposes of processing
  • The categories of personal data
  • The recipients or categories of recipients
  • The retention period
  • Your other GDPR rights

4.2 Right to Rectification (Article 16)

You can request correction of inaccurate personal data and completion of incomplete data. You can update most information directly through your account settings.

4.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data in certain circumstances:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Deletion is required to comply with a legal obligation

Note: This right is not absolute. We may need to retain certain data to comply with legal obligations or establish, exercise, or defend legal claims.

4.4 Right to Restriction of Processing (Article 18)

You can request that we restrict processing of your personal data in certain situations:

  • You contest the accuracy of the data (during verification)
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need the data but you need it for legal claims
  • You have objected to processing (pending verification of legitimate grounds)

4.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON) and to transmit that data to another controller. This applies to data you provided based on consent or contract performance.

You can export your data from your account settings, which includes:

  • Account and profile information
  • Circle member data
  • Calendar events and schedules
  • Recipes and meal plans
  • Bills and financial data
  • Notes, lists, and other user-generated content

4.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes:

  • Direct Marketing: You can object at any time, and we will stop processing for that purpose
  • Legitimate Interests: You can object, and we must stop unless we demonstrate compelling legitimate grounds that override your interests

4.7 Rights Related to Automated Decision-Making (Article 22)

SimpliHome does not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. If this changes, we will notify you and provide appropriate safeguards.

4.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

5. How to Exercise Your Rights

To exercise any of your GDPR rights, you can:

  • Account Settings: Many rights can be exercised directly through your account settings (edit profile, delete account, export data, manage notifications)
  • Email Us: Send a request to privacy@simplihome.co.uk with "GDPR Request" in the subject line
  • Contact Form: Use our contact form to submit your request

When submitting a request, please include:

  • Your full name and email address associated with your account
  • A clear description of the right you wish to exercise
  • Any relevant details to help us locate your information

We may need to verify your identity before processing your request to protect your personal data from unauthorized access.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in our Privacy Policy and this GDPR document, unless a longer retention period is required or permitted by law.

Retention Periods:

  • Active Accounts: Data retained while your account is active and for legitimate business purposes
  • Deleted Accounts: Most personal data deleted within 30 days of account deletion
  • Financial Records: Retained for 7 years to comply with tax and accounting regulations
  • Legal Claims: Data may be retained if involved in legal proceedings until resolution
  • Anonymized Data: May be retained indefinitely for analytics and research

After the retention period expires, we securely delete or anonymize your personal data.

7. Data Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: Data in transit using TLS/SSL; sensitive data at rest using industry-standard encryption
  • Access Controls: Role-based access, authentication, and authorization mechanisms
  • Pseudonymization: Where appropriate, data is pseudonymized to reduce privacy risks
  • Regular Testing: Security assessments, penetration testing, and vulnerability scanning
  • Incident Response: Procedures to detect, report, and respond to data breaches
  • Staff Training: Regular privacy and security training for employees
  • Vendor Management: Due diligence and contracts with data processors

8. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where feasible)
  • Notify affected users without undue delay if the breach is likely to result in a high risk
  • Document all data breaches, including facts, effects, and remedial actions

Notifications will include the nature of the breach, likely consequences, and measures taken or proposed to address the breach and mitigate potential adverse effects.

9. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) and United Kingdom. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Adequacy Decisions: Transfers to countries with adequacy decisions from the European Commission
  • Standard Contractual Clauses: EU-approved Standard Contractual Clauses (SCCs) with data processors
  • Binding Corporate Rules: Where applicable with multinational service providers
  • Additional Safeguards: Supplementary measures to ensure GDPR-level protection

You can request more information about the safeguards we use for international transfers by contacting us.

10. Third-Party Data Processors

We engage third-party service providers to process data on our behalf ("data processors"). All processors are bound by written contracts that include GDPR-compliant data processing agreements requiring them to:

  • Process data only on our documented instructions
  • Ensure confidentiality of processing
  • Implement appropriate security measures
  • Assist us in responding to data subject requests
  • Notify us of any data breaches
  • Delete or return data at the end of service provision

Key processors include:

  • Cloud hosting providers (for infrastructure)
  • Stripe (for payment processing)
  • Email service providers (for transactional and marketing emails)
  • Analytics providers (with pseudonymized data)

11. Children's Personal Data

SimpliHome requires account holders to be at least 18 years old. While families may add information about children to their Circle, this is done by the parent/guardian who controls the Circle.

We do not knowingly collect or process personal data from children under 16 (or the applicable age of digital consent in your country) without parental consent. Parents and guardians are responsible for:

  • Providing consent for processing of their children's data
  • Exercising GDPR rights on behalf of their children
  • Ensuring information shared about children is appropriate and necessary

12. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR. You can contact:

  • The supervisory authority in your country of habitual residence
  • The supervisory authority of your place of work
  • The supervisory authority where the alleged infringement occurred

However, we encourage you to contact us first so we can address your concerns directly.

UK Users:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113

13. Privacy by Design and by Default

We implement data protection principles into our development process:

  • Data Minimization: We collect only data necessary for specified purposes
  • Privacy Settings: Default settings are privacy-friendly; users can opt-in to additional features
  • Transparency: Clear communication about data processing activities
  • Security by Design: Security measures integrated from the start of development
  • User Control: Users can easily manage their data and privacy settings

14. Updates to This GDPR Policy

We may update this GDPR Compliance document to reflect changes in our practices, legal requirements, or regulatory guidance. Material changes will be communicated through:

  • Email notification to registered users
  • Prominent notice on our website
  • In-app notifications

Continued use of our Services after changes become effective constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this GDPR Compliance document, wish to exercise your rights, or have privacy concerns, please contact us:

GDPR Inquiries:

Email: privacy@simplihome.co.uk

Data Protection Officer: dpo@simpli-home.com

Subject line: "GDPR Request" or "Privacy Inquiry"

Additional Resources:

Quick Reference: Your GDPR Rights

Right What It Means How to Exercise
Access Get a copy of your data Account settings or email us
Rectification Correct inaccurate data Edit in account settings
Erasure Delete your data Delete account or email us
Portability Export data in machine-readable format Data export in account settings
Restriction Limit how we process your data Email us with your request
Object Object to processing Notification settings or email us
Withdraw Consent Revoke previously given consent Update preferences or email us
Back to home