Privacy Policy
Last updated: February 28, 2026
This Privacy Policy describes how SimpleRMD ("we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our service at simplermd.com. By using SimpleRMD, you agree to the practices described in this policy.
We collect the following categories of personal information:
- Account Information: Name and email address provided through your OAuth provider (Google). We do not collect or store passwords.
- Financial Data: Retirement account balances, account types (IRA, 401(k), etc.), beneficiary designations, and date-of-birth information necessary to calculate Required Minimum Distributions (RMDs).
- Payment Information: Billing details processed through Stripe. We do not store full payment card numbers on our servers.
- Usage Data: Log data, IP address, browser type, pages visited, and other diagnostic information collected automatically when you use the service.
- Communications: Messages and support requests you send to us.
We use your personal information to:
- Provide, operate, and maintain the SimpleRMD service, including computing your RMD calculations
- Process payments and manage your subscription
- Send transactional emails (account confirmations, receipts, alerts) via Resend
- Respond to your support requests and communications
- Improve and develop the service
- Comply with applicable law and legal obligations
- Protect the security and integrity of our systems
We do not sell your personal information to third parties. We do not use your financial data for advertising purposes.
We share your information with the following third-party service providers solely as necessary to operate the service. Each provider processes your data under their own privacy policy and applicable data protection agreements.
- Supabase (supabase.com) — Database and authentication infrastructure. Your account information, financial data, and beneficiary details are stored in Supabase-managed PostgreSQL databases hosted in the United States. Supabase is SOC 2 Type 2 certified.
- Stripe (stripe.com) — Payment processing. Stripe collects and processes your payment card information directly. We receive only a tokenized reference and billing metadata. Stripe is PCI DSS Level 1 certified.
- Resend (resend.com) — Transactional email delivery. Your email address and the content of system-generated emails are processed by Resend to deliver confirmations, receipts, and service notifications.
- Vercel (vercel.com) — Hosting and infrastructure. The SimpleRMD application is deployed on Vercel's edge network. Vercel may process request logs and usage analytics as part of infrastructure operations. Vercel is SOC 2 Type 2 certified.
- Google Analytics (analytics.google.com) — Web analytics. We use Google Analytics 4 to collect anonymized usage data such as pages visited, session duration, and general location (country/region level). Google Analytics sets first-party cookies (e.g., _ga, _ga_*) to distinguish unique visitors. This data helps us understand how the service is used and improve it. Google may process this data on servers in the United States. See Google's Privacy Policy for more information.
We do not authorize these providers to use your personal information for their own purposes beyond performing services on our behalf.
SimpleRMD uses cookies and similar technologies for the following purposes:
- Strictly Necessary Cookies: Authentication session tokens required to keep you logged in and maintain the security of your session. These cannot be disabled without breaking core functionality.
- Functional Cookies: User preferences such as display settings and previously entered data to improve your experience.
- Analytics: We use Google Analytics 4 and Vercel Analytics to collect aggregated, anonymized usage data (pages visited, session duration, general location) to understand how the service is used and improve it. Google Analytics sets first-party cookies such as _ga and _ga_* to distinguish unique visitors. We do not use third-party advertising trackers.
You may disable cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in and using the service. Most browsers allow you to review and delete existing cookies.
- Account and Financial Data: Retained while your account is active. When you delete your account or request data deletion, we remove your personal and financial data within 30 days.
- Payment Records: Payment processing is handled by Stripe, which retains transaction records per its own retention policies. We retain basic subscription metadata (plan type, billing dates) while your account is active and delete it alongside your account data.
- Server Logs: Managed by our hosting provider (Vercel) and retained for up to 90 days for security and debugging purposes.
- Deletion Requests: When you request deletion (via in-app settings or by emailing data@simplermd.com), we delete your personal data within 30 days.
We implement industry-standard security measures to protect your personal information, including:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of sensitive data at rest
- Access controls limiting employee access to personal data on a need-to-know basis
- Regular security assessments of our infrastructure and service providers
No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at security@simplermd.com.
Depending on your location, you may have the following rights with respect to your personal information:
GDPR Rights (EEA/UK Residents)
- Right to access the personal data we hold about you
- Right to correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") subject to legal retention requirements
- Right to restrict processing in certain circumstances
- Right to data portability in a machine-readable format
- Right to object to processing based on legitimate interests
- Right to lodge a complaint with your local data protection authority
Our lawful basis for processing your personal data is (a) contract performance—processing necessary to provide the service you requested; (b) legal obligation—where required by applicable law; and (c) legitimate interests—for security, fraud prevention, and service improvement.
CCPA Rights (California Residents)
- Right to know what personal information we collect, use, and disclose
- Right to delete personal information we have collected, subject to exceptions
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your privacy rights
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
To submit a verifiable consumer request, contact us at data@simplermd.com. We will respond within 45 days as required by the CCPA.
You may request deletion of your account and personal data by either:
- In-App: Navigate to Account Settings and select "Delete Account." This will initiate the deletion process immediately.
- Email: Send a deletion request to data@simplermd.com with the subject line "Data Deletion Request" and include your account email address.
We will confirm receipt within 5 business days and complete deletion within 30 days. Certain data may be retained longer where required by law (see Section 5, Data Retention). We will notify you of any such exceptions at the time of your request.
SimpleRMD is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will delete it promptly.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice within the application prior to the change taking effect. Your continued use of SimpleRMD after the effective date of a revised policy constitutes acceptance of the updated terms. We encourage you to review this policy periodically.
For questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:
Privacy Inquiries
SimpleRMD
data@simplermd.com
We aim to respond to all privacy inquiries within 10 business days.