1. Who we are & how to contact us
Simplon is the developer and operator of the Simplon mobile app (available on Google Play) and the website simplon.ai. Simplon lets you create a personal "bio page" (a public profile at simplon.ai/[username]) and write that page's URL onto an NFC card or tag, so anyone who taps the card opens your profile.
The entity responsible for your data under this Privacy Policy is Simplon (the developer name shown on the Google Play Store listing).
For any privacy question, request, or complaint, contact our privacy point of contact:
- Email: privacy@simplon.ai
- Subject line: "Privacy inquiry — Simplon"
You may also use this email to request access, correction, or deletion of your data, or to ask any question about how your information is handled.
2. What data we collect & why
We only collect the data needed to create and run your account and your public bio page. Below is a complete list of what we collect, why, and whether it is required.
2.1 Account registration & login
- Phone number — Required. Used as your unique account identifier and the lookup key for login. We store the digits-only form of your number. It is also used to build WhatsApp/phone links on your public bio page if and only if you add such a link.
- Username — Required. A unique public handle (lowercase letters, digits,
_,-) that also forms the URL of your public bio page (/[username]). - Password — Required. Used only for authentication. It is hashed before storage and never stored in plaintext (see Section 5).
- Display name — Optional. Shown at the top of your public bio page. If you do not provide one, your username is used.
Note: Simplon identifies accounts by phone number only. We do not verify your phone number by SMS/OTP at registration, and we do not collect an email address.
2.2 Your public bio page content
- Bio text (up to 180 characters) — Optional.
- Avatar photo — Optional. Either an image you upload (stored inline as a base64 data URL, max ~185 KB) or an external
http(s)image URL you provide. - Social links (up to 25) — Optional. Each link has a title (max 70 characters) and a URL. WhatsApp links are converted to
https://wa.me/{digits}and phone links totel:+{digits}using Iraqi phone normalization.
This content is user-generated content that you choose to publish on your public profile.
2.3 Session & technical data
- Session tokens. When you log in to the app, we create a 30-day session and return a Bearer token to your device, which stores it securely. Only a SHA-256 hash of the token is stored in our database — the raw token is never kept, so a database leak would not expose valid tokens.
- Timestamps. We record
created_at/updated_aton your account and page for record-keeping.
2.4 Analytics & performance data
- Google Analytics 4 (property
G-4D3M6J31XY) runs on every page of our site and on every public bio page (/[username]). It collects: pageview events, the page URL, an approximate location derived from your IP address, browser/user-agent, and referrer. This data is processed by Google under Google's privacy terms. - Cloudflare Web Analytics (Insights) is loaded on the homepage only and collects anonymized performance and usage metrics.
2.5 What we do NOT collect
For transparency, Simplon does not collect or process:
Location (precise or approximate) Financial / payment info Purchase history Health & fitness Email / SMS / MMS messages Device contacts Calendar Web browsing history Audio files Files & documents
The WhatsApp / Instagram / etc. "links" on your profile are URLs you type in yourself — we do not access your messaging apps or your device's contact list.
2.6 Summary table
| Data | Collected? | Shared? | Purpose | Required? |
|---|---|---|---|---|
| Phone number | Yes | Yes (public profile, if you add a call/WhatsApp link) | Account management / login | Required |
| Username (User ID) | Yes | Yes (public URL) | Account management / App functionality | Required |
| Password (hashed) | Yes | No | Authentication | Required |
| Display name | Yes | Yes (public profile) | App functionality (profile) | Optional |
| Bio text | Yes | Yes (public profile) | App functionality (profile) | Optional |
| Avatar photo | Yes | Yes (public profile) | App functionality (profile) | Optional |
| Social links (WhatsApp, Instagram, etc.) | Yes | Yes (public profile) | App functionality (profile) | Optional |
| Session token (hash only) | Yes | No | Keep you logged in | Required |
| Analytics data (GA4 / Cloudflare Insights) | Yes | Yes (to Google / Cloudflare) | Usage & performance measurement | Required (on by default) |
3. How the NFC writer uses your data
The core function of Simplon is to write the URL of your public bio page onto your NFC card/tag. When you use the app's Write feature, the app encodes your public profile URL (https://simplon.ai/[username]) into the NFC tag's memory. Anyone who then taps or scans your card with their phone is sent to that URL.
This means:
- The URL written to the NFC tag points to your public bio page.
- Anyone with physical access to your card can read that URL and open your profile.
- The data shown to them is exactly the data you chose to publish on your profile (see Section 4).
The app does not write any other personal data to the tag — only the public URL.
5. How we store & protect your data
We take reasonable technical measures to protect your personal and sensitive data:
- HTTPS / TLS in transit. All traffic to simplon.ai is encrypted via HTTPS enforced by Cloudflare at the edge. The web session cookie is set with the
Secureflag so it is only sent over HTTPS. - Hashed passwords. Your password is hashed with PBKDF2 (SHA-256, 100,000 iterations) using a 16-byte cryptographically random salt, producing a 256-bit key. We store only the result (
pbkdf2$100000$<salt>$<hash>), never your plaintext password. Verification uses a constant-time comparison to resist timing attacks. - Hashed session tokens. Login tokens are 32-byte cryptographically random values. Only a SHA-256 hash of each token is stored in our database; the raw token is never persisted, so a database leak would not expose valid tokens. The web session cookie is
HttpOnly(not readable by JavaScript) andSameSite=Laxto mitigate cross-site request forgery. - Parameterized database queries. All database access uses parameterized queries, which prevents SQL injection.
- Output escaping. All text shown on public bio pages is HTML-escaped, and link/avatar URLs are validated (only
http,https,tel,mailtoprotocols;data:URLs allowed only for the avatar and capped at ~185 KB) to prevent cross-site scripting andjavascript:links. - Access controls. Only you can edit your own page; editing requires a valid session token tied to your account.
- We do not currently rate-limit login or registration attempts at the application layer. Choose a strong, unique password.
- The mobile API endpoints allow cross-origin requests from any origin (
Access-Control-Allow-Origin: *). Sensitive operations still require a valid Bearer token, but this is broader than strictly necessary. - No email verification or phone-number OTP verification is performed at registration; accounts are identified by phone number alone.
- Inline uploaded avatars are stored as base64 text inside our database alongside your other page data.
6. How long we keep your data
- Account data (phone number, username, hashed password) is kept for as long as your account exists — until you request deletion (see Section 8).
- Public page content (display name, bio, avatar, social links) is kept for as long as your account exists and is visible to the public until you edit or delete it.
- Sessions expire automatically 30 days after login. Expired session rows are deleted from the database on the next access after expiry.
- Analytics data is retained by Google (GA4) and Cloudflare (Insights) according to their own retention policies, over which we have limited control.
Because Simplon does not currently perform automatic deletion of accounts after any fixed period, your data will remain until you ask us to delete it. We will then remove it as described in Section 8.
7. Your rights & how to exercise them
You have the following rights regarding your personal data:
- Access: You can view your data at any time by logging in to the app, where your phone number, username, display name, bio, avatar, and links are shown.
- Correction / Edit: You can edit your display name, bio, avatar, and social links at any time from the app. If you need to change your phone number or username, contact us at privacy@simplon.ai.
- Deletion of specific content: You can remove your bio text, avatar, or any individual social link at any time by editing your page in the app. Logging out clears your current session but does not delete your account.
- Account & full data deletion: See Section 8.
- Withdrawal / opt-out of analytics: You can block Google Analytics and Cloudflare Insights with browser privacy extensions or by blocking third-party scripts. This does not affect your use of the app.
- Lodge a complaint: You may contact us at privacy@simplon.ai with any privacy concern.
To exercise any of these rights, email privacy@simplon.ai and include your username and the phone number on your account so we can verify your identity.
8. How to delete your account & data
You have the right to delete your Simplon account and the data associated with it. Account deletion is currently handled on request — there is not yet an automated one-click deletion button in the app or on the website.
8.1 In-app
Inside the app, you can request account deletion by contacting us from the app's Contact / Privacy entry (which links to this page and to privacy@simplon.ai). Selecting "Request account deletion" opens an email pre-addressed to privacy@simplon.ai — simply send it and we will process your request.
8.2 Web
Outside the app, you can request deletion at any time by emailing privacy@simplon.ai (or by using the contact route on simplon.ai/privacy). The dedicated web deletion request URL for Google Play purposes is: https://simplon.ai/delete, which provides a form/email link to submit your deletion request.
8.3 What we delete
When you request account deletion, we will permanently delete:
- Your row in the
userstable (phone number, username, hashed password, timestamps). - Your public bio page and all of its content (display name, bio, avatar, and social links) — this is removed automatically because the page is linked to your account.
- All of your session tokens.
Deletion is permanent and cannot be undone. Your public bio URL (/[username]) will stop working and your username will become available to others.
We may retain minimal data where we have a legitimate need — for example, to prevent fraud or repeated abuse, to comply with legal obligations, or to keep records required by Iraqi law. We will inform you of any such retention when responding to your request. Temporary deactivation or freezing of your account does not qualify as deletion.
Note: Because deletion is handled manually on request, it may take up to 30 days from the date we receive and verify your request. You may also edit or blank out your public page content yourself at any time if you want it removed quickly while your request is processed.
9. Children's privacy
Simplon is not directed to children and is not intended for use by anyone under the age of 13 (or the minimum age required in your country to provide consent to process personal data). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@simplon.ai and we will take steps to delete such data.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will change the "Last updated" date at the top of this page and, for material changes, we will also notify you in the app or by other means. We encourage you to review this page periodically.
Continued use of Simplon after a change means you accept the updated policy.