Privacy Notice
Last updated: May 2, 2026
1. Data controller
The controller responsible for processing your personal data is the owner of the Simúlalo site (simulalo.app), operated by a natural person with general domicile in Mexico. Simúlalo is neither a business entity nor a registered company: it is a personal project published on the internet. For any matter related to your privacy or the exercise of your rights, you can write to hola@simulalo.app.
2. Data we collect directly
The only account-level personal data we ask you for directly is your email address, needed to create your account, sign you in, and send operational communications (verification, password recovery, and alerts you configure). We do not ask for name, phone, address, ID document, date of birth, or any other identifying personal data. In addition, when you use the site's tools, we may process the business data, amounts, assumptions, files, or descriptions you enter in order to run calculations, simulations, or AI features. That data is not associated with a public profile and is not shared with third parties beyond the providers listed in this policy.
There are no optional profile fields. Your account is identified solely by the email you registered with; at no point do we ask you for a display name, a full name, or a company name. If you sign in with an external provider (for example, Google) we receive your verified email to associate it with your account; we do not store your public name or profile picture.
If in the future we enable a paid plan, processing will be handled by Stripe. Simúlalo does not store your card number or banking credentials; we only receive a customer identifier and the status of your subscription.
3. Data collected by third parties
To operate the site we use external providers that may autonomously collect technical data when you visit simulalo.app. We describe each one below.
Google Analytics 4
We use Google Analytics 4 to understand how the site is used (pages visited, duration, device type). Google receives your IP address and, where applicable, anonymizes it before storing it. Your consent is managed via Google Consent Mode v2: visitors from the European Economic Area, the United Kingdom, and Switzerland start by default in 'denied' mode, and data is only collected if you accept the consent banner. Outside those regions, analytics is enabled by default as a legitimate interest in understanding aggregate use of the service; you may object by writing to us.
Google AdSense
Simúlalo uses Google AdSense to display ads on public pages with primary content. AdSense never loads on login, account, monitor, embed, or API screens. When ads are shown, Google may use cookies or identifiers to measure performance, limit frequency, and personalize ads based on your consent. You can review Google's advertising policy and manage your ad preferences.
Consent management (self-hosted)
To show the cookie consent banner we use vanilla-cookieconsent, an open-source library self-hosted on our own domain. It does not depend on any external CMP provider. It is the tool that presents the accept / reject / configure dialog for analytics and advertising cookies. Preferences are synced to Google Consent Mode v2 so that GA4 and AdSense only collect data when the user explicitly consents.
Anthropic and OpenAI
When you use Simúlalo's AI features, we send the data needed to provide that feature to the corresponding provider: for example, free-text business descriptions to structure a model, simulation parameters, intermediate results, or follow-up questions inside a tool chat. We do not send your email address or directly identifying account data together with that content, except where strictly necessary inside our own systems to operate your account. Under Anthropic's (Claude) and OpenAI's API contractual terms, that content is not used to train their models.
Supabase
Supabase stores your email address, the encrypted password (hash), and the status of your account. Information is encrypted at rest and in transit. Supabase operates as a data processor under our instructions.
Brevo
We use Brevo (formerly Sendinblue) strictly for transactional emails: account verification, password recovery, waitlist confirmation, and operational notifications you configure. We do not sync your email to marketing lists in Brevo: your address travels to Brevo only at the moment a transactional message is sent. If we ever launch an informational communications program, we will announce it here and request explicit consent. For any related request, write to us at hola@simulalo.app. Brevo processes your email address in accordance with its privacy policy.
Vercel (hosting)
Vercel hosts the site. Its standard technical logs contain the IP address and user-agent of each request, and are retained for a limited time for security and service operation purposes.
Vercel Analytics
Vercel Analytics measures aggregate technical performance and traffic metrics (Core Web Vitals, page views, approximate country). Data is aggregated and, according to the provider's documentation, does not use tracking cookies or identify individuals.
Microsoft Clarity
When the corresponding environment variable is configured, we load Microsoft Clarity to understand how the site is interacted with (heatmaps, anonymous session recordings, and aggregate usage metrics). Clarity applies automatic text masking by default so as not to capture sensitive data; you can opt out by clearing cookies for the domain or using Microsoft's global opt-out option.
Stripe
Stripe will process payments when we enable the PRO subscription. This integration is currently disabled. When we activate it, Stripe will receive the data necessary to process the charge, and Simúlalo will only store a customer identifier and the status of your subscription.
4. Cookies and similar technologies
Simúlalo uses cookies classified in the following categories:
- Functional
- Analytics
- Ads
- Authentication: Supabase Auth manages your signed-in session securely.
We manage consent with a self-hosted banner powered by vanilla-cookieconsent. Preferences apply globally; in the European Economic Area, the United Kingdom and Switzerland the banner defaults to "denied" until you accept. You can review or revoke your choice at any time from the same banner or from the "Cookie preferences" button in the footer.
5. Legal basis for processing
The processing of your data relies on the following legal bases (GDPR Art. 6; LFPDPPP Art. 8, 9, and 10):
- Performance of a contract: to create and maintain your account, authenticate you, and deliver the service.
- Consent: for analytics and advertising cookies in regions where it is required, and to receive non-essential communications (waitlist, updates).
- Legitimate interest: for service security, abuse prevention, aggregate usage metrics, and technical error logging.
6. Retention periods
- Account data (email, profile): while your account is active. After account closure we retain it for up to 12 months to comply with legal obligations, and afterwards it is deleted or anonymized.
- Technical logs (IP, user-agent): up to 90 days for security and operations purposes.
- AI requests: may be retained for as long as needed to operate the feature, enforce usage limits, maintain cross-session history where that feature requires it (tool chat, cross-session memory), and preserve continuity in your product experience. They are not used as public data or shared as open content.
- Waitlist: your email remains on the list until you request removal or until 24 months of inactivity, whichever comes first.
7. International transfers
Google, Microsoft, Anthropic, OpenAI, Supabase, Brevo, Vercel, and Stripe are providers with servers mainly in the United States and the European Union. These international transfers are carried out under the cases provided for in article 36 of the LFPDPPP (transfers necessary for the maintenance and fulfillment of the legal relationship between the data subject and the controller) and, for data of individuals in the European Economic Area, with the adequate safeguards required by the GDPR (Standard Contractual Clauses or other equivalent mechanisms).
8. Your rights
Under the LFPDPPP (Art. 22) and the GDPR (Art. 15 to 22) you have the right to:
- Access: know what personal data we hold about you and how we process it.
- Rectification: correct inaccurate or incomplete data.
- Cancellation or erasure: request deletion of your data when it is no longer necessary.
- Opposition: object to the processing of your data for a specific purpose.
- Portability: receive your email and profile data in a commonly used, structured format.
- Withdraw consent: at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, send an email to hola@simulalo.app indicating the right you wish to exercise. You can verify your identity by replying from the same address associated with your account.
We will respond to requests within the legal timeframe that applies based on your place of residence: Mexico, 20 business days (LFPDPPP Art. 22); European Union, United Kingdom, and Switzerland, 30 calendar days, extendable by an additional two months for complex cases (GDPR Art. 12); California, USA, 45 days, extendable once if reasonable (CCPA/CPRA § 1798.130).
9. Minors
Simúlalo is not directed to children under 18 and does not knowingly collect their data. If we identify an account created by a minor, we delete it. If you are a parent or guardian and believe a minor in your care has registered, contact us to delete the account.
10. Security
We apply reasonable technical and organizational measures to protect your data: encryption in transit (HTTPS/TLS), encryption at rest in Supabase, passwords stored as hashes, least-privilege access policies, anti-abuse protections (captcha and rate limiting) in the authentication flow, and periodic review of dependencies.
11. Changes to this notice
We may update this notice to reflect legal, operational, or provider changes. We will publish the current version on this same page with its last updated date. If the change is material (for example, a new provider with access to your data), we will notify you by email before it takes effect.
12. How to file a complaint
If you believe the processing of your data does not comply with the law, we ask you to first write to us at hola@simulalo.app to try to resolve it. You may also turn to the competent authority:
In Mexico, the National Institute of Transparency, Access to Information and Personal Data Protection (INAI). In Spain, the Spanish Data Protection Agency (AEPD). In other countries of the European Economic Area, the competent Data Protection Authority in your country of residence.
13. Regulatory reference framework
- Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), Mexico — especially articles 8, 22, and 36.
- General Data Protection Regulation (GDPR), EU 2016/679 — articles 6, 7, 15 to 22, and 44 to 49.
- California Consumer Privacy Act (CCPA/CPRA) — applicable to California residents. Simúlalo does not sell personal data.