Privacy Policy

Last updated: April 9, 2026

1. Introduction

Simpl_Markup ("we", "us", "our") is operated by Jordon Jane trading as Simpl_Markup. This policy explains what data we collect when you use Simpl_Markup at app.simplmarkup.com and our Slack integration, how we use it, who we share it with, and your rights.

We believe in data minimisation. We collect only what is needed to provide the service, we do not run analytics or advertising trackers, and we do not sell your data.

2. Data We Collect

2.1 Account Information

When you create an account we collect your email address, full name, and password (hashed — we never store or see your plaintext password). You may also upload a profile photo.

2.2 Workspace and Team Data

We store your workspace name, team member email addresses (for invitations), and roles (Owner, Admin, Member). When you invite someone, we store their email address until the invitation is accepted or expires after 7 days.

2.3 Content You Create

This includes project URLs you submit for screenshot generation, uploaded images, comments (including text, position data, priority, and resolution status), drawing annotations, @mentions, emoji reactions, and file attachments (max 5 MB each). All content is scoped to your workspace and is not visible to other workspaces.

2.4 Screenshots of Third-Party Websites

When you submit a URL, we generate screenshots of that website across desktop, tablet, and mobile viewports. The URL is sent to our screenshot provider (ScreenshotOne) to capture the page. The resulting images are stored in your workspace. We do not screenshot pages behind authentication or paywalls — only publicly accessible URLs.

2.5 Slack Integration Data

If you connect Slack, we collect your Slack workspace ID, Slack user ID, display name, email address (via Slack's API with your authorisation), and OAuth tokens (encrypted at rest using AES-256-GCM). We also store Slack channel IDs and message timestamps to keep comments synchronised between Slack and the app.

When you interact with Simpl_Markup from Slack (reply, resolve, or approve), we may automatically create an account for you using your Slack profile information. You will receive a password-setup email so you can access the web app directly if you choose.

2.6 Automatically Collected Data

We collect your browser timezone (e.g. "Europe/London") at login to display timestamps in your local time. We may also collect usage data through cookies and analytics tools to understand how the Service is used and to improve it (see Section 8). We do not collect device fingerprints, browsing history, or geolocation data.

2.7 Payment Data

Payments are processed by Stripe. We store a Stripe customer ID and subscription status in our database but we never see or store your card number, CVV, or billing address. Stripe handles all payment data under their own privacy policy.

3. How We Use Your Data

  • Provide the service — authenticate you, display your projects and comments, generate screenshots, synchronise with Slack.
  • Send transactional emails — password resets, workspace invitations, and comment notification digests.
  • Enforce workspace isolation — every database query is scoped to your workspace so your data is never visible to other workspaces.
  • Monitor errors — we use Sentry to capture application errors so we can fix bugs. Error reports may include your user ID and the action that triggered the error but never include passwords or payment data.
  • Enforce storage limits — we track how much storage your workspace uses against your 50 GB allowance.

We do not use your data for advertising or training AI models.

4. Third-Party Services We Use

We share data with the following services only to the extent necessary to operate Simpl_Markup. We do not sell data to any third party.

| Service | Purpose | Data Shared |
| --- | --- | --- |
| Supabase | Database, authentication, file storage, real-time sync | All account and content data (hosted in their infrastructure) |
| Vercel | Application hosting, serverless API | All HTTP requests/responses pass through Vercel infrastructure |
| Slack | Messaging integration (optional, user-initiated) | User profile info (name, email), comments, screenshots, message metadata |
| ScreenshotOne | Website screenshot generation | URLs you submit (they capture the page but do not retain images) |
| Stripe | Payment processing | Payment details (handled entirely by Stripe — we never see card data) |
| Novu | In-app and email notifications | User ID, email, name, notification content (comment excerpts, project names) |
| Resend | Transactional email delivery | Recipient email address, email content (password resets, invitations) |
| Sentry | Error monitoring | Error details, stack traces, user ID (for debugging context only) |

5. Data Storage and Security

  • All data is transmitted over HTTPS/TLS.
  • Passwords are hashed by Supabase Auth (bcrypt). We never store plaintext passwords.
  • Slack OAuth tokens are encrypted at rest using AES-256-GCM.
  • Database access is enforced by Row-Level Security (RLS) policies — every query is scoped to your workspace membership. Data from one workspace cannot be accessed by another.
  • Slack webhook requests are verified using HMAC-SHA256 signature verification.
  • File uploads are validated for type and size before storage. Avatar images are automatically resized and compressed.
  • URLs submitted for screenshot generation are validated against SSRF (Server-Side Request Forgery) attacks — we block internal network addresses and restricted domains.

6. Data Retention

We retain your data for as long as your account and workspace are active.

  • Workspace deletion permanently deletes all associated data — projects, screenshots, comments, attachments, team memberships, and Slack integration data. This is enforced at the database level via cascading deletes.
  • Workspace invitations expire after 7 days if not accepted.
  • Password reset links expire after 1 hour.
  • Comments are permanently deleted when removed by their author or an admin (hard delete, not soft delete).

7. Your Rights

Depending on your location, you may have the following rights under applicable data protection laws (including the UK GDPR and EU GDPR):

  • Access — request a copy of the personal data we hold about you.
  • Rectification — update or correct your data (you can do this directly in your profile settings).
  • Erasure — request deletion of your account and all associated data.
  • Portability — request your data in a structured, machine-readable format.
  • Objection — object to specific uses of your data.
  • Restrict processing — request that we limit how we use your data.

To exercise any of these rights, contact us at privacy@simplmarkup.com. We will respond within 30 days.

8. Cookies and Tracking

We use cookies and similar technologies to operate the Service and to understand how it is used. These may include:

  • Essential cookies — required for authentication and session management. These cannot be disabled.
  • Analytics cookies — help us understand how visitors use the Service so we can improve it. These may be provided by third-party analytics services.
  • Preference cookies — remember your settings and choices (e.g. workspace selection).

We do not use cookies for advertising or to sell data to third parties. You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect core functionality.

We also collect your timezone (e.g. "Europe/London") automatically at login to display timestamps in your local time.

9. Children's Privacy

Simpl_Markup is not intended for use by anyone under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by email or via an in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.

11. Contact Us

If you have questions about this privacy policy or how we handle your data: