Privacy Policy
How Simple Plan IT collects, uses, and protects information from visitors to www.simpleplanit.com. Written plainly, so it actually tells you what happens with your data.
1. Who we are
This Privacy Policy describes how Simple Plan IT (“Simple Plan IT,” “we,” “us,” or “our”) handles information collected through www.simpleplanit.com and any subpages (the “Site”).
Simple Plan IT is a cybersecurity and GRC firm operating under the laws of the State of Ohio, United States. For the purposes of the EU and UK General Data Protection Regulation, Simple Plan IT is the “data controller” of personal data collected through the Site.
2. What this policy covers
This policy applies to the Site only. It does not cover services offered by third parties whose content is embedded on the Site, even when accessed from a page on www.simpleplanit.com. Those services operate under their own privacy policies, and we identify them by name in Section 6.
This policy also does not cover information we process during a paid engagement. That is governed by your Statement of Work and our Master Services Agreement, not by this policy.
3. Information we collect
3.1 Information you provide directly
We collect information you choose to share with us:
- Email and phone contact. If you email us at info@simpleplanit.com or call us, we receive your name, contact details, and the content of your message.
- Risk call bookings. The booking calendar on our Site is operated by Lunacal. When you book a call, Lunacal collects the information you submit (typically your name, email address, company, and scheduling preferences) and provides it to us so we can prepare for and attend the call.
- Exposure Snapshot. When you run the Exposure Snapshot, you submit a domain name. We send that domain to our server, which queries publicly available sources (described in Section 6) to compute the result we show you. The Snapshot does not require your email address or any other personal information. We keep a non-personal record of each run, the domain queried, the summary findings, and the country the request came from, so we can understand demand and improve the tool. That record contains no personal data.
- Newsletter subscriptions. When you subscribe through the signup form on our Site, we collect your email address and store it in our database so we can send you our newsletter. You can unsubscribe at any time.
3.2 Information collected automatically
When you visit the Site, we automatically collect limited data:
- Analytics. We use Cloudflare Web Analytics to understand how the Site is used. Cloudflare Web Analytics does not use cookies, does not fingerprint visitors, and does not collect personal data. It records anonymized page-level data such as URLs visited, referring URL, browser type, country, and approximate visit duration.
- Newsletter signup metadata. When you subscribe, we store a small amount of technical context alongside your email (the page you subscribed from, your browser type, and the country your request came from) to help us prevent abuse and understand where subscribers come from.
- Hosting and security logs. Our Site is hosted on Cloudflare, which is also our content delivery network and security provider. Cloudflare maintains short-term logs of requests for purposes including security, abuse prevention, and infrastructure reliability. These logs can include IP addresses and request metadata.
- Bot protection. The Exposure Snapshot is protected by Cloudflare Turnstile, a privacy-preserving check that distinguishes real visitors from automated abuse, and by rate limiting at the Cloudflare edge. Turnstile is cookieless and does not track you across sites; it and the rate limiter process limited technical signals, including your IP address, at the edge to verify the request. We do not store your IP address ourselves.
We do not use advertising trackers, retargeting pixels, session replay tools, or behavioral profiling on the Site.
4. How we use information
We use the information described above to:
- Respond to inquiries you send us.
- Schedule, prepare for, and follow up on risk calls you book.
- Run the Exposure Snapshot and return your result.
- Send newsletter editions to subscribers.
- Understand which pages are read, so we can improve what we publish.
- Operate, secure, and maintain the Site, including detecting and preventing abuse.
- Comply with legal obligations and enforce our Terms of Use.
We do not sell personal information. We do not share personal information with third parties for their own marketing purposes.
5. Legal bases for processing (EU and UK visitors)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with comparable data protection law, we rely on the following legal bases under the GDPR and UK GDPR:
- Consent for newsletter subscriptions and other cases where you actively opt in. You can withdraw consent at any time by unsubscribing or by contacting us at info@simpleplanit.com.
- Performance of a contract or pre-contractual steps when you book a risk call, run the Exposure Snapshot, or otherwise contact us about a potential engagement.
- Legitimate interests for operating and securing the Site, understanding aggregate usage, and improving our content. We assess these interests against your rights and freedoms before relying on this basis.
- Legal obligation where we are required to process information to comply with applicable law.
6. Third-party service providers
We rely on a small number of third-party service providers to operate the Site. Each one acts as a processor or independent controller of the limited data described below.
- Cloudflare, Inc. Hosting, content delivery, security, privacy-preserving analytics (Cloudflare Web Analytics), bot protection (Cloudflare Turnstile), and the DNS-over-HTTPS lookups the Exposure Snapshot relies on. See Cloudflare's Privacy Policy.
- Lunacal. Booking calendar that opens when you choose to book a call. See Lunacal's Privacy Policy.
- Supabase, Inc. Database hosting for newsletter subscriptions. See Supabase's Privacy Policy.
- Exposure Snapshot data sources. When you run the Snapshot, the domain you submit is queried against publicly available certificate-transparency, attack-surface, and breach-exposure sources, including crt.sh (Sectigo), CertSpotter (SSLMate), HackerTarget, and Hudson Rock. These sources receive only the domain being looked up, not your personal information.
- Email and productivity providers. When you email us, the message is processed by the provider that hosts our business email and stored in our business systems.
We may add or change providers from time to time and will update this section accordingly.
7. Cookies and similar technologies
The Site itself does not set cookies on your device. We do not use analytics cookies, advertising cookies, or consent cookies, because we do not run any tracking that would require them. Our analytics are cookieless by design.
The Lunacal booking widget is the one third-party feature that may set its own cookies. We do not load it when the page first opens. It loads only after you begin interacting with the Site, and any cookies it sets are controlled by Lunacal, not by Simple Plan IT, and are governed by its privacy policy linked above.
You can block or delete cookies in your browser settings at any time. Doing so may affect the booking widget, but it will not affect your ability to read the rest of the Site.
8. The Exposure Snapshot
The Exposure Snapshot reports on the domain you enter using publicly available information about that domain. It is provided for general informational purposes, reflects a point in time, and is not a guarantee that your systems are or are not secure. You should only submit a domain you own or are authorized to assess. We keep a non-personal record of each run (the domain and the summary findings) and protect the tool with bot detection and rate limiting to prevent abuse. The full terms that govern the Snapshot are in our Terms of Use.
9. International data transfers
Simple Plan IT is based in the United States, and our service providers operate primarily in the United States. If you access the Site from outside the United States, the information described in this policy will be transferred to, processed in, and stored in the United States.
When personal data of EU, EEA, or UK residents is transferred outside those regions, we rely on appropriate safeguards recognized under the GDPR and UK GDPR, including Standard Contractual Clauses with our processors and applicable adequacy frameworks, where required.
10. Data retention
We retain information only as long as we have a reason to:
- Email and call correspondence is retained for as long as the conversation is reasonably active, and for a period afterward consistent with legitimate business and legal-record needs.
- Newsletter subscriptions are retained until you unsubscribe or request deletion.
- Booking records are retained for a reasonable period to support follow-up and dispute resolution.
- Exposure Snapshot records are non-personal (the domain queried, the summary findings, and coarse country) and are retained to understand demand and improve the tool. They contain no personal data.
- Analytics and hosting logs are retained for the period set by the relevant service provider, generally short by design.
When we no longer have a legitimate reason to retain information, we delete it or anonymize it.
11. Your rights
11.1 Rights under the GDPR and UK GDPR
If you are in the EEA or the UK, you have the following rights with respect to your personal data:
- Access a copy of the personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request deletion of your personal data, subject to legal exceptions.
- Request that we restrict processing.
- Receive your data in a portable, machine-readable format.
- Object to processing based on legitimate interests, including direct marketing.
- Withdraw consent at any time for processing based on consent.
- Lodge a complaint with your local data protection authority.
11.2 Rights under U.S. state privacy laws
Depending on your state of residence, you may have rights similar to those above, including the right to know what personal information we have collected, the right to request deletion, and the right to opt out of the sale or sharing of personal information. Simple Plan IT does not sell personal information and does not share personal information for cross-context behavioral advertising.
11.3 How to exercise your rights
To exercise any of these rights, email info@simpleplanit.com from the address associated with the request. We may need to verify your identity before acting on the request. We will respond within the timeframes required by applicable law.
12. Security
We use reasonable administrative, technical, and physical measures to protect information collected through the Site, including transport-layer encryption (HTTPS), access controls on our internal systems, and the security capabilities of our hosting provider.
No method of transmission or storage is fully secure. If we discover a security incident that affects your personal data, we will notify you and the relevant authorities as required by applicable law.
13. Children
The Site is intended for business audiences and is not directed at children. We do not knowingly collect personal data from children under 16 (or the equivalent minimum age in your jurisdiction). If you believe a child has provided personal data to us, contact info@simpleplanit.com and we will delete it.
14. Changes to this policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date at the top of this page and, where the change is material, provide additional notice. Your continued use of the Site after changes take effect constitutes acceptance of the revised policy.
15. Contact us
For any privacy question or request, contact:
Simple Plan IT
175 S. 3rd St., STE 200
Columbus, OH 43215
info@simpleplanit.com