This Privacy Policy explains how Simpliya Ltd ("Simpliya", "we", "us" or "our") collects, uses, shares and protects personal data when you use the Simpliya mobile application, our website at simpliya.com (including the launch waitlist and any newsletter sign-up), and related services (together, the "Service").

We are committed to protecting your privacy and handling your data transparently and in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR) and — for users in India — India's Digital Personal Data Protection Act, 2023 (DPDP Act), together with other applicable data protection laws. Where the DPDP Act applies, references in this policy to "data controller" and "data processor" should be read as "Data Fiduciary" and "Data Processor" respectively.

Please read this policy together with our Terms of Service.


1. Who we are

Simpliya Ltd is a private limited company registered in England and Wales.

  • Registered office: 167-169 Great Portland Street, Fifth Floor, London, England, W1W 5PF
  • Company number: 12759762
  • ICO registration number: ZC183934
  • Contact: [email protected]

For the purposes of data protection law, Simpliya is the data controller of the personal data described in Section 3 (your account, device and usage data). For the business records you create about your own customers, suppliers and contacts, you are the data controller and Simpliya acts as your data processor — see Section 9.


2. Summary (the short version)

  • Simpliya is a small-business invoicing and bookkeeping app. Most of your data lives on your device in a local database.
  • If you sign in, your business data is synced to our servers so you can use Simpliya across multiple devices and restore it if you lose your phone.
  • We use Google Sign-In and Sign in with Apple to let you log in. We do not receive or store your account password.
  • The voice-to-invoice feature sends a short audio recording to our servers, which use a third-party AI service provided by Google to turn your speech into a draft invoice, expense or reminder.
  • Images you attach are stored in Cloudflare's object storage and served through our CDN.
  • We do not sell your personal data. We do not use third-party advertising SDKs in the app. We do not run ads.
  • You can request access to, correction of, or deletion of your data at any time by sending us a data processing request.

3. What personal data we collect

3.1 Account and profile data

When you create an account or sign in, we collect:

  • Your name and email address (from your Google or Apple account, or as you enter it).
  • A Google account identifier and/or Apple account identifier used to authenticate you.
  • Optional profile details you choose to add: phone number and address.
  • Your app settings and preferences (theme, language, notification preferences, auto-lock settings).

We do not receive or store your Google or Apple password. Authentication is handled by those providers.

3.2 Security credentials

  • If you set an app PIN, we store only a one-way cryptographic hash of it on your device — never the PIN itself.
  • Biometric authentication (Face ID / Touch ID / fingerprint) is handled entirely by your device's operating system. Simpliya never receives or stores your biometric data.
  • A session token for syncing is stored securely on your device using the platform secure store (iOS Keychain / Android Keystore).

3.3 Business records you create

Simpliya is a tool for recording your business activity. The content you enter is stored on your device and, if you are signed in, synced to our servers. This includes:

  • Business profiles (business name, address, phone, email, tax/GST/VAT registration number, tax settings, country).
  • Customers (name, phone, email, address, optional photo).
  • Products and inventory (name, price, cost, stock levels, categories).
  • Invoices and line items, payments, and payment status.
  • Expenses (amount, category, vendor, notes, date).
  • Purchase lots and stock records.
  • Reminders and related notes.
  • Images you attach to the above (e.g. customer or product photos).

Much of this data — particularly your customers' contact details — is personal data of other people. You are responsible for that data as its controller; see Section 9.

3.4 Voice recordings (voice-to-invoice)

When you use the voice feature, the app records a short audio clip of your speech and sends it, together with limited context (such as your existing customer and product names, to improve accuracy), to our servers for processing. See Section 5 for how this is processed and retained.

3.5 Contacts (optional)

If you grant contacts permission, Simpliya can read a contact you select so you can quickly fill in a customer's name, phone and email. Contacts are accessed only at the moment you pick one. We do not upload, scan or store your full address book.

3.6 Device and technical data

  • A device/push notification token (if you enable notifications) so we can deliver reminders and alerts.
  • Sync metadata (record revisions, timestamps, change cursors) required to keep your devices consistent.
  • Basic technical and diagnostic information necessary to operate the Service (for example, error conditions and request logs on our servers, which may include IP address and timestamps for security and abuse prevention).

3.7 What we do not collect

  • We do not embed third-party advertising SDKs in the app.
  • We do not sell personal data.
  • We do not track you across other apps or websites.
  • We do not process payment-card details. Simpliya records that a payment happened; it does not take card payments or act as a payment processor.

3.8 Website, newsletter and launch waitlist

When you use our website we may also process:

  • Waitlist / newsletter sign-ups: if you ask us to notify you when the app launches, or subscribe to updates, we collect your email address (and any label you are tagged with, such as "App launch waitlist") to send you those communications. We rely on your consent, and every email includes an unsubscribe link so you can opt out at any time.
  • Enquiries: if you contact us through the site, we process the details you provide in order to respond.
  • Cookies and similar technologies: our website uses a small number of strictly necessary and functional cookies (for example, to operate the subscription/members features and remember your preferences). We do not use advertising cookies. Where required by PECR and the UK GDPR, any non-essential cookies are only set with your consent, which you can manage or withdraw through your browser settings.

3.9 Subscription and purchase data

If you buy a Pro subscription through the App Store or Google Play, we receive subscription status and purchase records from Apple or Google — such as the product purchased, the transaction and subscription identifiers, purchase and renewal dates, and whether the subscription is active, in a trial, renewing or cancelled — so we can unlock Pro features on your account, validate purchases and support you. We do not receive your card or bank details; those are handled by Apple or Google.


4. How we use your data and our legal bases

Under the UK GDPR we must have a lawful basis for processing your personal data. We rely on the following:

PurposeExamplesLawful basis
Provide the ServiceCreate your account, store and display your records, sync across devices, generate invoices and reportsPerformance of a contract (our Terms of Service)
Manage subscriptions & entitlementsUnlock Pro features, validate purchases and renewals, and prevent abuse of trials/offersContract and Legitimate interests (preventing fraud)
Authentication & securityVerify your identity via Google/Apple, app lock, secure session tokens, prevent fraud and abuseContract and Legitimate interests (keeping accounts secure)
Voice-to-invoiceConvert your speech to draft records using AIContract (you requested the feature)
Multi-device sync & backupReplicate your data to our servers and back to your other devicesContract
Send operational notificationsPayment, reminder, overdue and milestone alerts you have enabledContract / Consent (where you have opted in)
Send optional email summaries / promotionsWeekly/monthly summaries, product news (only if enabled)Consent (you can withdraw at any time)
Launch waitlist & website communicationsNotify you when the app launches; send updates you subscribed to; respond to your enquiriesConsent (you can unsubscribe at any time)
Maintain, debug and improve the ServiceDiagnose errors, ensure reliability and securityLegitimate interests (running a reliable service)
Comply with legal obligationsRespond to lawful requests, keep required recordsLegal obligation

You can withdraw consent at any time where we rely on it, without affecting processing already carried out.


5. Voice-to-invoice and artificial intelligence

When you use the voice feature:

  • The app records your audio locally and uploads it to Simpliya's backend over an encrypted connection.
  • Our backend sends the audio (and limited context such as your customer/product names) to a third-party AI service provided by Google (see Section 8) to transcribe and interpret it into a structured draft (for example, a draft invoice, expense, reminder, customer, product or payment).
  • The structured result is returned to your device, where you review and confirm it before anything is saved.

Important points:

  • The audio is processed transiently to fulfil your request. We do not use your voice recordings or business content to train our own models.
  • Google processes the audio as our sub-processor under its enterprise/API terms. Google states that data submitted through its AI APIs in this manner is not used to train Google's models. Note that we do not control Google's infrastructure; hence we recommend reviewing Google's terms referenced in Section 8 for further clarification.
  • AI output can be inaccurate. You are responsible for reviewing each draft before saving or sending it.

If you do not wish to use AI processing, simply do not use the voice feature; all other features work without it.


6. How your data is stored

  • On your device: Your records are stored in a local SQLite database. Sensitive credentials (session token, PIN hash) are protected by the platform secure store and by your device's own security (passcode, biometrics).
  • On our servers (if signed in): Your synced records are stored on our hosted backend infrastructure. Images are stored in Cloudflare's object storage and delivered through our content delivery network (cdn.simpliya.com).
  • Data in transit is encrypted using TLS/HTTPS. Data at rest is protected by the encryption controls of our hosting and storage providers.

If you use Simpliya without signing in, your data remains only on your device and is not synced to us. Uninstalling the app will permanently delete that local data, so we recommend signing in if you want a backup.


7. How long we keep your data

  • Account and synced business data: retained while your account is active and for as long as you use the Service.
  • Voice recordings: processed transiently for the request and not retained as a durable archive after the draft is produced (short-lived processing logs may persist briefly for reliability and abuse prevention).
  • Server logs and security records: retained for a limited period necessary for security, troubleshooting and legal compliance.
  • After account deletion: we delete or irreversibly anonymise your synced personal data within 30 days, except where we must retain certain records to comply with legal obligations or to establish, exercise or defend legal claims.

Data stored only on your device is under your control and is removed when you delete it or uninstall the app.


8. Who we share your data with (sub-processors and recipients)

We do not sell your data. We share it only with service providers who help us run Simpliya, and only as needed. Our key sub-processors are:

ProviderPurposeData involved
Google LLC / Google CloudGoogle Sign-In authentication; Google's AI processing for voice features; push delivery (Android); Google Play subscription billing and statusAccount identifier; voice audio and limited context; subscription/purchase records
Apple Inc.Sign in with Apple; Apple Push Notification service; App Store subscription billing and statusAccount identifier; device push token; subscription/purchase records
Cloudflare, Inc.Image object storage (R2) and content delivery (CDN)Images you attach and their metadata
Expo (Expo / EAS notification service)Delivery of push notificationsDevice push token, notification content
Our cloud hosting providerHosting of the Simpliya backend and synced databaseYour synced account and business data

These providers act on our instructions under data-processing agreements. We may also disclose data where required by law, to enforce our Terms, or to protect the rights, safety and security of Simpliya, our users or the public.

If Simpliya is involved in a merger, acquisition or sale of assets, your data may be transferred as part of that transaction; we will notify you and ensure it remains protected under this policy.


9. Your customers' data — data-processing terms

When you use Simpliya to store information about your own customers, suppliers and contacts, you are the data controller of that information and Simpliya is your data processor (under the DPDP Act, you are the Data Fiduciary and we are your Data Processor). This Section 9 forms the data-processing agreement required by Article 28 of the UK GDPR between you and Simpliya, and applies for as long as we process that data on your behalf.

9.1 Your responsibilities as controller

  • Having a lawful basis to collect and store your contacts' personal data, and providing them with any required privacy information.
  • Honouring their data-protection rights.
  • Only entering data you are entitled to process, and issuing only lawful instructions to us.

9.2 Scope of our processing

  • Subject matter & duration: processing of your business records for as long as you use the Service and until deletion as described in Section 7.
  • Nature & purpose: storing, syncing, backing up, displaying and processing your records (including voice-to-invoice) solely to provide the Service to you.
  • Types of personal data: such as names, phone numbers, email and postal addresses, transaction, invoice, payment and balance information, and any images you attach.
  • Categories of data subjects: your customers, suppliers and contacts.

9.3 Our obligations as processor

Simpliya will:

  • process that data only on your documented instructions (including this policy and our Terms), unless required otherwise by law, in which case we will inform you where legally permitted;
  • ensure that personnel authorised to process the data are bound by a duty of confidentiality;
  • implement appropriate technical and organisational security measures as described in Section 12 (Article 32 UK GDPR);
  • assist you, so far as reasonably possible, in responding to data-subject rights requests and in meeting your security, breach-notification and data-protection-impact-assessment obligations (Articles 32–36);
  • notify you without undue delay after becoming aware of a personal-data breach affecting your data;
  • on termination, delete or return your data as described in Section 7; and
  • make available the information reasonably necessary to demonstrate compliance with this Section and allow for and contribute to audits, subject to reasonable notice and appropriate confidentiality.

9.4 Sub-processors

You give us general authorisation to engage the sub-processors listed in Section 8 to process your data. We impose data-protection obligations on them equivalent to those in this Section, and we remain responsible for their performance. We will give you a reasonable opportunity to object to material changes to our sub-processors, for example by updating this policy or notifying you in the app. If your instruction would infringe applicable data-protection law, or if we can no longer meet our obligations under this Section, we will inform you.


10. International data transfers

Simpliya is based in the United Kingdom, but some of our sub-processors (for example Google, Apple and Cloudflare) operate globally and may process data outside the UK or European Economic Area. Where data is transferred internationally, we rely on appropriate safeguards such as UK adequacy regulations, the International Data Transfer Agreement (IDTA) or Standard Contractual Clauses with the UK Addendum, so that your data remains protected to UK standards.


11. Your rights

Under UK data protection law you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten").
  • Restrict or object to certain processing.
  • Data portability — receive your data in a structured, machine-readable form.
  • Withdraw consent at any time where we rely on consent.
  • Not be subject to solely automated decisions that produce legal or similarly significant effects (the voice feature always requires your manual confirmation).

To exercise any of these rights, email [email protected]. We will respond within one month as required by law. You can delete much of your data directly in the app, and you can request full account deletion at any time.

You also have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113 — ico.org.uk

We would, however, appreciate the chance to address your concerns first.

11.1 For users in India

If you are in India, the DPDP Act 2023 gives you rights to access, correct, complete, update and erase your personal data, to grievance redressal, and to nominate another individual to exercise your rights in the event of death or incapacity. To exercise these rights or raise a grievance, contact our grievance contact at [email protected]; we will respond within the timeframes required by law. If your grievance is not resolved, you may escalate it to the Data Protection Board of India.


12. Security

We take reasonable technical and organisational measures to protect your data, including TLS encryption in transit, encryption at rest with our storage providers, secure credential storage on-device, hashed PINs, optional biometric app lock and auto-lock, and access controls on our backend. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your data and to notify you and the ICO of any qualifying personal-data breach as required by law.


13. Children's privacy

Simpliya is a business tool intended for users aged 18 and over. It is not directed at children, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.


14. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you in the app or by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.


15. Contact us

If you have any questions, requests or complaints about this policy or your data:

Simpliya Ltd
167-169 Great Portland Street, Fifth Floor, London, England, W1W 5PF
Email: [email protected]