Privacy Policy
Last updated: 22 February 2026
1. Introduction
Simple Cap ("we", "our", "us") respects your privacy. This Privacy Policy explains what personal data we collect, how we process it, the legal bases for doing so, and your rights under applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the UK GDPR.
2. Data Controller
Simple Cap is the data controller responsible for your personal data. If you have any questions about how we process your data, please contact us using the details in Section 15 below.
3. Information We Collect
Account information
When you create an account, we collect your name and email address through our authentication provider (Clerk). We do not store passwords directly.
Cap table data
We store the cap table models you create, including founder names, share counts, round details, investor names, and investment amounts. This data is stored in our database (hosted by Supabase) and is associated with your account. All cap table data is stored encrypted at rest and even database admins are unable to see stored user data.
Usage data
We may collect basic usage information such as pages visited and features used to help improve the Service.
4. Legal Bases for Processing
Under the GDPR, we process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)): processing your account information and cap table data is necessary to provide you with the Service you have signed up for.
- Legitimate interests (Article 6(1)(f)): we process usage data to improve and secure the Service. Our legitimate interest is to maintain and enhance the quality, security, and reliability of the Service. We have assessed that this processing does not override your rights and freedoms.
- Legal obligation (Article 6(1)(c)): we may process data where required to comply with applicable laws.
5. How We Use Your Information
We use your information to:
- Provide and maintain the Service
- Authenticate you and secure your account
- Save and retrieve your cap table models
- Enable collaboration features (sharing projects with team members)
- Improve and develop the Service
6. Data Sharing and Sub-Processors
We do not sell your personal data. We share data only with the following third-party sub-processors that are necessary to operate the Service:
- Clerk: authentication and account management (USA)
- Supabase: database hosting and storage (USA)
- Vercel: application hosting (USA)
Each sub-processor is contractually bound to process your data only on our instructions and in accordance with applicable data protection laws.
We may also disclose information if required by law or to protect the rights, safety, or property of ourselves or others.
7. International Data Transfers
Our sub-processors are located in the United States. Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on an adequacy decision where applicable. You may request a copy of the relevant safeguards by contacting us.
8. Data Retention
We retain your data for as long as your account is active and as necessary to provide the Service. If you delete your account, we will delete your personal data and cap table data within 30 days, except where we are required to retain it by law or for legitimate business purposes (such as resolving disputes or enforcing our terms).
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encrypted connections (HTTPS), secure authentication, access controls, and database-level row-level security.
All cap table data (including founder details, round information, and investor data) is encrypted at rest using AES-256-GCM before being stored in our database. The encryption keys are held only by the application server and are never stored alongside the data. This means your cap table details are private to you and any team members you explicitly share them with; they cannot be read directly from the database, even by database administrators.
However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
10. Your Rights Under the GDPR
If you are located in the EEA or the United Kingdom, you have the following rights under the GDPR:
- Right of access: you may request a copy of the personal data we hold about you.
- Right to rectification: you may request that we correct inaccurate or incomplete personal data.
- Right to erasure: you may request that we delete your personal data, subject to any legal obligations requiring us to retain it.
- Right to restriction of processing: you may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability: you may request to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to object: you may object to processing based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at the address in Section 15. We will respond to your request within one month, as required by the GDPR.
11. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU or UK member state where you reside, where you work, or where the alleged infringement occurred.
12. Cookies
We use essential cookies that are strictly necessary for authentication and session management. These cookies do not require consent under the GDPR as they are necessary for the Service to function. We do not use advertising, analytics, or tracking cookies.
13. Children
The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date. Where required by law, we will provide additional notice (such as by email) for significant changes. Continued use of the Service after changes constitutes acceptance of the updated policy.
15. Contact
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we process your data, please contact us at support@royston.io.