Privacy Policy
How we collect, use, and share your information
Last updated: 2026-05-10
Quick Summary
- SimDex LLC is the data controller of every page on www.simdex.org.
- We collect what you submit through our contact, quote, and support forms; what Stripe collects when you subscribe to a plan; and standard server / analytics signals.
- We use Cloudflare (hosting + CDN + bot protection), Mailgun (form delivery), Stripe (payments), Calendly (scheduling), and Google Analytics (consent-gated traffic stats) — every other sub-processor is listed below.
- We do not sell your personal information. We do not use HubSpot or any third-party form vendor — form submissions go straight from our server to email.
- You can email privacy@simdex.org at any time to access, correct, or delete your information.
Who We Are
SimDex LLC ("SimDex," "we," "us") is a Minnesota Limited Liability Company (MN SOS file #2786046-2) that operates the website at https://www.simdex.org. For the purposes of the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA), SimDex LLC is the "data controller" (or "business") of the personal information described in this policy.
Mailing address: SimDex LLC, Saint Paul, Minnesota, USA. The fastest way to reach our privacy team is privacy@simdex.org.
Information We Collect
From Our Forms
The contact, quote, and support forms on simdex.org submit directly to our server. Depending on the form, you may give us:
- Contact form (/contact): first name, last name, email address, phone number (optional), company name (optional), company website (optional), and your message.
- Quote form (/quote): the same identification fields as the contact form, plus the services you're interested in, your project budget, your project timeline, your business goals, and the problems you want solved.
- Support form (/support): the same identification fields as the contact form, plus optional CC email addresses, the support category, your request subject and description, an optional issue URL, your operating system, your browser, and your acknowledgement of our terms / hourly-rate agreement.
From Subscription Checkout
When you purchase a WordPress maintenance or hosting plan, your name, email address, billing address, and payment-method details are collected by Stripe (our payments processor) on a Stripe-hosted page. We do not store, log, or transmit your full card number — Stripe handles that under PCI-DSS. We receive: your email address, the plan you bought, the subscription status (active / canceled / past-due), and a Stripe customer ID we can use to look up your billing history.
From Scheduling
When you book a call on /schedule, the form is hosted by Calendly. Calendly collects your name, email address, the date / time you choose, and any answers to questions Calendly displays. Calendly only loads if you have accepted cookies — until then we display direct contact options instead.
Automatically (Server / CDN / Analytics)
When you visit any page, the following information is processed by our server / CDN, regardless of whether you accept cookies:
- IP address, user-agent string, requested URL, HTTP referrer, and timestamp (standard web-server log data).
- Approximate geographic location (country, region, city) and network operator (ASN) derived from the IP address by Cloudflare.
- The Cloudflare data-center ("colo") that handled your request and basic bot-detection signals.
If — and only if — you accept the cookie banner, we additionally load Google Analytics 4 which collects page views, click events, screen size, browser, language, and a randomized analytics identifier. Google Analytics is configured with IP-anonymization on. Until you accept the banner, no Google Analytics script is loaded and no GA cookies are set.
In Form-Submission Emails
Each contact / quote / support email we receive is annotated by our server with the visitor's IP address, user-agent, geo (city / region / country), timezone, ISP / ASN, the Cloudflare data-center that handled the submission, the page URL the form was submitted from, and an ISO timestamp. This metadata is used to triage spam and to follow up effectively; it stays inside the email and our inbox and is not joined to any identifier outside the form itself.
From Bot / Spam Protection
Forms are protected by Cloudflare Turnstile, a privacy-preserving CAPTCHA alternative. Turnstile evaluates browser signals (TLS fingerprint, request timing, etc.) to decide whether you're a human. It does not require you to solve puzzles or click on traffic lights, and it does not track you across sites.
How We Use Your Information
- To respond to you — when you fill out a form we email you back, follow up on your project, and (if you're a customer) deliver the work you've hired us for.
- To process payments — Stripe processes your card and we use the resulting customer record to manage your subscription, send receipts, dunning emails, renewal reminders, and the customer-portal link for self-service cancellation.
- To prevent fraud and abuse — IP, user-agent, ASN, and Turnstile signals help us reject spam submissions and blocked bots.
- To improve the site — aggregated Google Analytics data tells us which pages are visited, which CTAs convert, and which devices our visitors use. We do not target advertising based on this data, and we do not run third-party ad pixels.
- To comply with law — to retain tax / accounting records (Stripe / Mailgun receipts) and to respond to lawful requests.
Our legal basis under GDPR Article 6 is contract performance for form responses and subscriptions; legitimate interests for fraud prevention and aggregate analytics where you have not affirmatively consented (we still gate Google Analytics on consent); and your consent for cookies and analytics where consent is required.
Sub-Processors and Vendors
We rely on the following service providers (sub-processors) to operate the site. Each one is contractually obligated to protect personal information consistent with this policy. Privacy policies link to each vendor's authoritative document.
| Vendor | Purpose | Data shared | Region |
|---|---|---|---|
| Cloudflare, Inc. (policy) | Workers hosting, CDN, DNS, edge logs, bot management, Turnstile CAPTCHA | IP, user-agent, request URL, headers, request body for our API routes | Global edge (CCPA-compliant DPA available) |
| Mailgun (Sinch) (policy) | Outbound email delivery for form submissions and Stripe-event notifications | Form-field contents, your email (as Reply-To), our team's email (as recipient) | United States |
| Stripe, Inc. (policy) | Subscription payments, customer billing portal, webhook events | Name, email, billing address, payment-method details, subscription status | United States |
| Calendly, LLC (policy) | Booking the discovery call on /schedule (loaded only after consent) | Name, email, chosen time, any custom-question answers | United States |
| Google LLC — Google Analytics 4 (policy) | Aggregated traffic analytics (loaded only after consent) | Truncated IP, user-agent, page views, click events, randomized GA client ID | United States / EU (depending on visitor) |
Our blog images and other media files are served from wp.simdex.org, a self-hosted WordPress instance operated by SimDex LLC and protected by Cloudflare. WordPress on that subdomain is the source for our blog content; it is not used for runtime user data collection.
We do not use: HubSpot, Salesforce, or any third-party CRM for form delivery (forms go directly to email via our own server); Google Tag Manager, Facebook Pixel, LinkedIn Insight Tag, or any retargeting / advertising pixel; chat widgets; session-replay tools (Hotjar, FullStory, etc.); or third-party ad networks.
Cookies and Local Storage
We use the minimum cookies needed to operate the site. The first time you visit, you see a banner asking whether to accept analytics cookies. Until you click Accept All, no analytics scripts run.
| Cookie / storage key | Set by | Purpose | Duration |
|---|---|---|---|
simdex-cookie-consent | SimDex (this site) | Remembers whether you accepted or declined the cookie banner | 1 year |
__cf_bm, cf_clearance | Cloudflare | Bot management; clears Turnstile challenges so you don't see them on every form submit | Up to 30 minutes (__cf_bm) / 1 year (cf_clearance) |
_ga, _ga_<ID> (only after consent) | Google Analytics | Aggregated traffic analytics | Up to 2 years |
| Stripe cookies (only on checkout pages) | Stripe | Fraud prevention and session continuity for the checkout flow | Per Stripe's policy |
| Calendly cookies (only on /schedule after consent) | Calendly | Maintains your scheduling session | Per Calendly's policy |
You can revisit your consent choice at any time using the Cookie Preferences link in the site footer. Clearing cookies in your browser will trigger the banner on your next visit.
Your Rights
If You're in the EU / EEA / UK (GDPR / UK GDPR)
You have the right to:
- Access the personal information we hold about you.
- Have it corrected or completed.
- Have it erased (the "right to be forgotten"), subject to our legal obligations to retain payment / tax records.
- Restrict or object to our processing.
- Port your data in a machine-readable format.
- Withdraw consent at any time, where consent is the legal basis for processing.
- Lodge a complaint with your local data-protection authority.
If You're a California Resident (CCPA / CPRA)
You have the right to:
- Know what personal information we collect and how it's used.
- Request deletion of personal information we hold (subject to legal exceptions for billing, fraud prevention, and tax records).
- Correct inaccurate personal information.
- Opt out of the "sale" or "sharing" of personal information. SimDex does not sell or share personal information for cross-context behavioral advertising. We have no "Do Not Sell or Share" mechanism because we have nothing to opt out of — there are no buyers.
- Limit the use of sensitive personal information.
- Be free from retaliation for exercising these rights.
How to Exercise Your Rights
Email privacy@simdex.org from the address you originally contacted us with, or include enough information for us to verify your identity. We respond within 30 days for GDPR requests and within 45 days for CCPA / CPRA requests.
Data Retention
- Contact / quote / support form emails: retained in our inbox until the request is closed plus a reasonable archive window for follow-up; typically 24 months. Deleted earlier on request.
- Stripe customer records: retained for the life of the subscription plus seven (7) years after termination, to satisfy IRS / state tax records.
- Mailgun delivery logs: per Mailgun's retention defaults (typically up to 30 days for full message bodies and longer for metadata).
- Cloudflare edge logs: per Cloudflare's retention defaults (typically a few days to weeks for raw logs; longer for security events).
- Google Analytics: we use Google's default retention (currently 14 months); aggregated reports may be kept indefinitely.
- Cookie / consent records: per the durations in the cookie table above.
International Data Transfers
SimDex LLC is based in the United States, and most of our sub-processors (Cloudflare, Mailgun, Stripe, Calendly, Google) are also U.S.-based. If you are in the EU, EEA, or UK, your personal information will be transferred to and processed in the United States. We rely on the European Commission's Standard Contractual Clauses (SCCs), and where applicable our sub-processors' certifications under the EU-U.S. Data Privacy Framework, as the legal mechanism for those transfers.
Security
We protect personal information using HTTPS for all traffic, a Content-Security-Policy header (currently in report-only mode while we tune it), HSTS, server-side validation of every form submission, Stripe-hosted payment pages so that we never see your full card number, and least-privilege access controls on Mailgun, Stripe, Cloudflare, and Calendly. We host on Cloudflare Workers, which deploys our code globally on a vetted, audited platform.
No system is perfectly secure. If you become aware of a security concern with simdex.org, please email security@simdex.org.
Children's Privacy
SimDex's services are directed at businesses, not children. We do not knowingly collect personal information from anyone under 13 (in the U.S., per COPPA) or under 16 (in the EU, per GDPR Article 8). If you believe a child has submitted information through our forms, please email privacy@simdex.org and we will delete it.
Changes to This Policy
We update this policy whenever our processing changes — when we add or remove a sub-processor, when we change retention periods, or when applicable law changes. The "Last updated" date at the top of this page reflects the most recent revision. Material changes that affect existing customers will be communicated by email at least 30 days before they take effect.
Contact Us
For privacy questions, data-subject-access requests, or anything in this policy:
- Privacy: privacy@simdex.org
- Security disclosures: security@simdex.org
- General: info@simdex.org · (651) 447-6247
Your Consent
By using simdex.org you acknowledge this privacy policy. Your choices in the cookie banner control whether optional analytics cookies (Google Analytics) are loaded; everything described under "Automatically (Server / CDN / Analytics)" runs regardless because it's required to deliver the site.