Introduction
Simply Asking LLC ("Simply Asking," "we," "us," "our," or "the Service") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our knowledge management and AI-powered assistant service.
Please read this privacy policy carefully. By using Simply Asking, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, password for account creation and authentication
- Profile Information: Display name, avatar, preferences for service personalization
- Organization Data: Company name, domain, team members for workspace management
- Payment Information: Billing address, payment method (via Stripe) for subscription processing
- Content: Documents, notes, files you upload for core service functionality
- Communications: Support tickets, feedback for customer support
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, time spent for service improvement
- Device Information: Browser type, operating system, device type for compatibility and optimization
- Log Data: IP address, access times, error logs for security and troubleshooting
- Cookies: Session identifiers, preferences for authentication and personalization
1.3 Information from Third-Party Integrations
When you connect third-party services (Google Drive, Notion, Dropbox, Trello, Slack, HubSpot CRM), we collect:
- OAuth tokens (encrypted) to maintain your connection
- Data you explicitly choose to import (documents, cards, etc.)
- Basic profile information from the connected service
We only access data you explicitly authorize and import.
1.4 Google User Data
Simply Asking's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
When you connect your Google account to Simply Asking, we request the following access:
- Google Drive (read-only): We access file names, metadata, and content of files within the folders you explicitly select for import. We use the restricted scope drive.readonly and do not modify, delete, or write any data to your Google Drive.
How We Use Google User Data
Google user data is used solely to provide the core functionality of Simply Asking:
- Importing documents you select from Google Drive into your knowledge base
- Processing imported content for AI-powered search, retrieval, and analysis
- Displaying file names and sync status in your integrations dashboard
How We Store Google User Data
- OAuth refresh tokens are encrypted at rest (AES-256) and stored in our database
- Access tokens are not persisted and are refreshed on demand
- Imported document content is stored encrypted in our database and processed into embeddings for search
- All data is stored in the United States (AWS US-East-2 via Supabase)
Limited Use Disclosure
Simply Asking's access to Google user data is limited to the practices explicitly disclosed in this privacy policy. Specifically:
- We do not use Google user data for advertising or marketing purposes
- We do not sell, rent, or trade Google user data to third parties
- We do not use Google user data for AI model training
- We do not allow humans to read your Google user data unless (a) you provide explicit consent, (b) it is necessary for security purposes, (c) it is required to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations
- We do not transfer Google user data to other apps or services except as necessary to provide or improve the Service, as described in this policy
Revoking Access
You may disconnect Google Drive at any time from your Integrations page. When you disconnect, we delete your stored OAuth tokens immediately. You may also revoke access from your Google Account permissions page. Previously imported document content remains in your knowledge base until you delete it.
2. How We Use Your Information
2.1 Service Provision
- Provide, maintain, and improve the Service
- Process your documents and generate AI-powered responses
- Manage your account and subscriptions
- Enable collaboration within your organization
2.2 Communication
- Send service-related notifications (security alerts, updates)
- Respond to your inquiries and support requests
- Send product updates and feature announcements (with opt-out)
2.3 Security & Compliance
- Detect, prevent, and address fraud and abuse
- Monitor for security threats
- Comply with legal obligations
3. AI Processing & Your Content
3.1 How AI Processes Your Data
When you use Lumen (our AI assistant):
- Your questions and relevant document excerpts are sent to AI providers
- AI generates responses based on your content
- No customer data is used to train AI models
3.2 AI Providers & Data Handling
- OpenAI: Chat responses, analysis - Not retained after response, not used for training
- Anthropic: Deep analysis, extraction - Not retained after response, not used for training
- Google Gemini: Reranking, fast responses - Not retained after response, not used for training
3.3 Document Embeddings
We create mathematical representations (embeddings) of your documents to enable semantic search. These embeddings:
- Are stored in our database (not with AI providers)
- Cannot be reverse-engineered to reconstruct your documents
- Are deleted when you delete the associated document
4. Information Sharing & Disclosure
4.1 We Do NOT Sell Your Data
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
4.2 Service Providers (Sub-processors)
We share data with trusted service providers who assist in operating our Service:
- Supabase: Database, authentication - All user data
- Vercel: Application hosting - Application data
- Stripe: Payment processing - Billing information
- Sentry: Error monitoring - Error reports, performance metrics
- OpenAI/Anthropic/Google: AI processing - Query content
All sub-processors are bound by data processing agreements.
4.3 Legal Requirements
We may disclose your information if required by law, such as:
- Responding to valid legal processes (subpoenas, court orders)
- Protecting our rights, privacy, safety, or property
- Preventing fraud or security threats
5. Data Retention
- Account Data: Duration of account + 30 days (deleted upon account closure)
- Documents & Content: Until user deletion (you control when to delete)
- Chat History: Until you delete it (you control when to delete)
- Audit Logs: 24 months (required for security compliance)
- Payment Records: 7 years (legal requirement)
Deletion Process
When you delete data:
- Soft Delete: Data marked as deleted, inaccessible to users
- Hard Delete: Data permanently removed within 30 days
- Backup Removal: Removed as backups naturally expire (up to 90 days)
6. Your Rights & Choices
Depending on your location, you may have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data
- Portability: Receive your data in a portable format
- Restriction: Limit how we process your data
- Objection: Object to certain processing activities
- Withdrawal: Withdraw consent at any time
Exercising Your Rights
- Self-Service: Most actions available in Account Center > Data Management
- Email: legal@simplyasking.io
- Response Time: Within 30 days of verified request
7. Cookies & Tracking
- Essential: Authentication, security (Session duration)
- Functional: Preferences, settings (1 year)
- Analytics: Usage statistics (1 year)
We respect Do Not Track (DNT) browser signals. When DNT is enabled, we limit analytics collection.
8. Data Security
We implement comprehensive security measures to protect your data:
- Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.3)
- Access Controls: Role-based access with Row-Level Security
- Monitoring: Security monitoring via Sentry and infrastructure provider tools
- Auditing: CASA certified (Cloud Application Security Assessment) via ESOF AppSec, including OWASP ASVS Level 1
For full details, see our Security Policy.
9. Browser Extension
The Simply Asking browser extension extends our service into your browser. It runs only on tabs and contexts where it is actively used (the side panel and the Gmail compose toolbar) and does not monitor your general browsing.
9.1 What the Extension Stores Locally
- Authentication tokens (Supabase access + refresh): Stored in chrome.storage.local. Authenticates API calls to Simply Asking on your behalf and persists across browser sessions so you do not have to sign in every time.
- Notification state (last-checked-message timestamp, plus cached access token, user ID, and organization ID for background polling): Stored in chrome.storage.local. Lets the background service worker poll for new chat messages while the panel is closed without replaying old messages, and fire Chrome notifications for new team chats.
- Pending chat conversation reference: Stored in chrome.storage.local. Routes a Chrome notification click to the correct conversation when the side panel opens.
- Gmail compose-toolbar telemetry (a rolling list of which selectors broke, no user content, no email data): Stored in chrome.storage.local. Detects when Gmail's DOM changes break our compose-button injection so we can ship a fix. No email content, no recipients, no subjects.
- Gmail compose attach context (which compose window your current attach action targets, expires after 15 minutes): Stored in chrome.storage.session (cleared on browser close). Passes your selection from the side panel to the Gmail compose toolbar during a single attach action.
The extension stores no personal data of yours that we do not already store on our servers. Local storage is scoped to the extension and is not accessible to websites you visit.
9.2 What the Extension Reads
- When you click "Save this page": The URL and page title of your current tab, to pre-fill the URL field on the Add panel
- When you select text and right-click: The selected text, to pre-fill the Add or Ask panel with that text
- Inside Gmail (mail.google.com), only when a compose window is open: The DOM structure of the compose toolbar to inject our button so you can attach Simply Asking files to email
The extension does not read the body of your emails, your inbox, your contacts, or any Gmail data beyond the compose toolbar's structure. It does not read content from any other website.
9.3 What the Extension Sends to Simply Asking Servers
The extension calls the same Simply Asking APIs that the web app uses, with your authenticated credentials. Specifically:
- Search queries you type into the Search tab
- Questions you ask in the Ask tab
- Files and content you save via the Add tab
- Messages you send via the Chat tab
- File requests when you attach a knowledge file to an email
- Anonymized error reports (no PII) when the extension encounters an unexpected error, so we can detect breakages and ship a fix
We do not log additional data from the extension beyond what the web app already logs.
9.4 What We Do NOT Do With Extension Data
- We do not sell your data
- We do not use it for advertising
- We do not use it to train AI models (consistent with Section 3.1 above)
- We do not share it with third parties beyond what is required to deliver the service (Supabase as our data infrastructure provider, OpenAI, Anthropic, and Google for AI inference, with all bound by data processing agreements)
9.5 Data Retention
Extension-specific local data is cleared:
- When you sign out of Simply Asking, your authentication tokens, notification state, and pending conversation reference are cleared from chrome.storage.local
- When you uninstall the extension, all chrome.storage entries (including Gmail telemetry counters) are cleared by Chrome
- When you close your browser, chrome.storage.session entries are cleared (the per-action attach context)
- On Chrome's storage eviction policies (if you exceed your storage quota)
Server-side data follows our standard retention policy described in Section 5 above.
9.6 Encryption
- All data in transit between the extension and Simply Asking servers uses TLS 1.3
- All data at rest in Simply Asking infrastructure (Supabase Postgres + Storage) uses AES-256 encryption
- Authentication tokens stored in the extension are scoped to the extension origin (chrome-extension://<id>) and are not readable by other websites or extensions
9.7 Limited Use Compliance
The Simply Asking browser extension's use of information received from Google APIs (specifically Gmail compose interaction via mail.google.com host permission and Google OAuth via chrome.identity) adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements.
10. Geographic Availability
The Service is currently available only to users located in the United States. We may expand availability to additional regions in the future.
- Primary Storage: United States (AWS US-East-2 Ohio via Supabase)
- Application Hosting: United States via Vercel
- AI Processing: United States-based providers
11. Children's Privacy
Simply Asking is intended for users who are at least 18 years old. We do not knowingly collect personal information from anyone under the age of 18.
If we learn we have collected data from someone under 18, we will promptly delete it. If you believe we may have collected information from someone under 18, please contact us at legal@simplyasking.io.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights:
- Right to Know: Request disclosure of categories of personal information collected
- Right to Delete: Request deletion of personal information we hold about you
- Right to Opt-Out: We do not sell personal information
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights
13. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes:
- We will update the "Last Updated" date
- We will notify you via email or in-app notification
- Continued use after changes constitutes acceptance
14. Contact Us
For questions about this privacy policy or our data practices:
- Email: legal@simplyasking.io