Legal

Privacy notice

Effective date: 26 April 2026

At a glance

Simplinuity is a trading name of GMS Suite Ltd, a UK company. We build custom automation tools for small businesses and run a public website at simplinuity.com.

  • We collect only what we need to reply to your enquiries, provide services to our business clients, and keep those services running.
  • We do not sell your data.
  • We use Plausible for cookieless site analytics — no cookies, no tracking across sites, no personal identifiers — to understand broad traffic patterns. This runs for every visitor without a banner.
  • We also run two marketing pixels (LinkedIn and Meta) for ad measurement and retargeting. They only load if you accept the cookie banner — if you reject, no pixel request is ever made.
  • Our servers are in Germany. Plausible is in Estonia. Google (business email) and LinkedIn / Meta (marketing pixels) are controlled from Ireland with US transfers covered by the UK Extension to the EU–US Data Privacy Framework.
  • You have rights over any personal data we hold about you. Email hello@simplinuity.com to use them.

1. Who we are

This notice is issued by GMS Suite Ltd, a company incorporated in England and Wales, trading as Simplinuity.

Registered company nameGMS Suite Ltd
Company number16655931
Registered office48 Jenkins Avenue, Bricket Wood, St. Albans, England, AL2 3RY
Contact emailhello@simplinuity.com
ICO registration numberZC130423

We are the data controller for personal data we collect through our website, our client portal, and the back-office of the tools we build. We have not appointed a Data Protection Officer; we are not required to appoint one under UK GDPR Article 37(1) because we are not a public authority, we do not carry out large-scale systematic monitoring, and we do not process large quantities of special-category data on our own account.

If you would like to raise a privacy question or exercise a right, write to hello@simplinuity.com with "Privacy" in the subject line. We aim to respond within 30 days (see section 9).

2. What personal data we collect and why

We collect personal data in eight distinct contexts. Each is described below, with what we collect, why, and from where.

2.1 Visitors to simplinuity.com

By default, our marketing site does not set cookies and does not profile individual visitors. We do use a privacy-first analytics tool — see section 2.10 — that loads for everyone without a banner; it is cookieless, does not identify you, and does not track you across sites.

On your first visit a banner asks whether you want to accept marketing cookies. If you decline (or ignore it), that default state is permanent for your browser. If you accept, we load two marketing pixels — see section 2.9 for what that means in practice.

Our server logs ordinary connection metadata — IP address, timestamp, requested URL, user agent — for a short period for security and operational purposes (diagnosing errors, blocking abuse). Those logs are rotated and discarded on a rolling basis.

2.2 Enquiries through our contact form

If you use the "Get in touch" form on the site, we collect the name, email address, company name (optional), and the message you provide. We use this to read and respond to your enquiry. A hidden anti-spam field and a per-IP rate limit apply.

We also attach any utm_* marketing parameters that were on the URL when you first landed on our site, along with the referring page, so we can tell which ad or link brought you here. These parameters are set by us when we run ads and are not personal data on their own; they become associated with your contact details only at the moment you submit the form, which is the basis for including them in our legitimate-interests processing.

2.3 Discovery briefs

If you fill in the longer "Discovery" brief on the site, we also collect your role, the problem you are trying to solve, the tools you currently use, and how you would measure success. We use this to understand whether we can help, to prepare for a first conversation, and, if we agree to work together, as an input into scoping. The sameutm_* attribution described in section 2.2 applies.

2.4 Client portal accounts

If your business becomes a Simplinuity client and is given access to our portal at simplinuity.com/portal, we hold an account for you that contains your name, business email, and an access password, together with an API token used to reach the tools assigned to your business. When you sign in, your browser stores these values locally on your device so you do not have to sign in on every page; they are cleared when you sign out. See the separate Cookie Policy.

2.5 Client-staff use of our tools

When a client business deploys one of our tools (for example, a therapist payment portal for a clinic), staff at the client business use the tool to do their jobs. The tool may record the member of staff's name, a short access PIN (stored only as a one-way hash), timestamps of actions they take, and an audit trail showing who changed what. We process this on behalf of the client business, which is the controller for its own staff records. If you are a member of staff asking about your own data, your employer is the right first point of contact.

2.6 Data flowing through our tools

Some of our tools handle personal data about the client business's own customers — for example, bookings, contact details, and non-sensitive payment confirmation data (last four digits of a card, card brand, auth code, amount, timestamp — never the full card number, CVV, or PIN). We process this on behalf of the client business under their instructions. The client business is the controller for its customers' data and publishes its own privacy notice covering it. This Simplinuity notice covers data only to the extent that it reaches our systems (our server, our database, our support mailbox).

2.7 Support requests from inside our tools

Some of our tools include a "support" form that lets a user send a message to us from inside the app. If you use it, we receive your message, your identity as known to the tool (name, email, or staff reference), a timestamp, and the page you were on when you sent it. We use this to diagnose problems and respond.

2.8 Sales, marketing, and engagement contacts

If you speak to us about working together, we keep a contact record: your name, business email, company, any notes from our conversations, and the content of our correspondence. We do not currently run an email newsletter. If we start one in the future, it will be on a clear opt-in (consent) basis and you will be able to unsubscribe at any time.

2.9 Marketing measurement via LinkedIn and Meta pixels

When you accept the cookie banner, your browser loads a small measurement script from LinkedIn (the "Insight Tag") and a small measurement script from Meta (the "Meta Pixel"). These scripts set third-party cookies associated with your browser and send events to LinkedIn and Meta when you visit pages on simplinuity.com.

The data they transmit includes the URL you are on, a timestamp, your IP address, your browser user-agent, and — if you arrived from a LinkedIn or Meta ad — the identifier of that ad. LinkedIn and Meta use this data to tell us how our ads perform (which ads are reaching which audiences, who is converting) and to let us show further ads to people who visited our site but did not get in touch.

The full list of cookies these pixels set, and their lifetimes, is on the Cookie Policy page. You can withdraw consent at any time from the same page — the banner will reappear and any already-loaded pixels will be cleared from your page by a reload.

Server-side Conversions API. Separately from the browser pixel, when you successfully submit the contact or discovery form (section 2.2 or 2.3), our server sends a single "Lead" event to Meta's Conversions API containing your email address (SHA-256 hashed before transmission — never in plain text), our best-guess first and last name (also hashed), your IP address, user-agent, and the utm_* parameters from your visit. This happens once per submission and is unrelated to the browser pixel. The purpose is narrowly scoped to measuring which ad campaigns produce real enquiries. Our lawful basis is legitimate interests — measuring marketing spend effectiveness — and you can object at any time by emailing hello@simplinuity.com and we will exclude your email address from future CAPI transmissions.

2.10 Site analytics via Plausible

We use Plausible Analytics, provided by Plausible Insights OÜ (Estonia), to see broad traffic patterns on simplinuity.com. For every visitor, Plausible sends a request to its servers when a page loads; that request contains the page URL, the referring page (if any), your browser and operating system (from the user-agent string), your device type, screen size, and country (derived from your IP, which is not stored).

Plausible does not set cookies, does not use device fingerprinting, and does not track you across other websites. Visitor identity inside a single day is a hashed value (IP + user- agent + rotating daily salt); the hash cannot be reversed to your IP, and is discarded at the end of the day. This architecture is the reason Plausible does not require a cookie banner under UK GDPR + PECR — no information is stored on your device, and the server-side processing does not identify individuals.

Our lawful basis for this processing is legitimate interests — understanding how many people visit each page so we can improve the site. You can object to this processing at any time by emailing hello@simplinuity.com or by installing a browser extension that blocks Plausible (most content blockers handle it automatically).

4. Who we share data with

Two different things happen here, and we want to keep them clearly separated.

4.1 Providers we contract with directly (our sub-processors)

These are the providers that actually receive your personal data because we send it to them. The list is short and we keep it that way on purpose.

ProviderWhat they do for usWhereWhat they see
Hetzner Online GmbHHosting (our server and database live here)Germany (EU)Everything stored on our server, under our control
Google LLC (Google Workspace)Outbound business email from hello@simplinuity.com — enquiry replies, operational mailUnited StatesThe email body and headers of messages we send and receive
Plausible Insights OÜCookieless site analytics — aggregate traffic patterns on simplinuity.com. Loaded for every visitor; no consent banner.Estonia (EU)Page URL, referrer, user-agent, screen size, country (from IP, not stored)
LinkedIn Ireland Unlimited CompanyMarketing measurement — the LinkedIn Insight Tag. Loaded only if you accept the cookie banner.Ireland (with onward transfer to LinkedIn Corporation, United States)Visit events (URL, timestamp, IP, user-agent, ad click identifier where present) from visitors who have consented
Meta Platforms Ireland LimitedMarketing measurement — the Meta Pixel. Loaded only if you accept the cookie banner.Ireland (with onward transfer to Meta Platforms, Inc., United States)Visit events (URL, timestamp, IP, user-agent, ad click identifier where present) from visitors who have consented

Apart from the two marketing pixels listed above (which only fire after consent), we do not use third-party analytics, advertising networks, customer-data platforms, CRM tools, chat widgets, or session recorders. If that ever changes, we will update this notice before we start.

4.2 Third-party services your business uses via our tools

When a client business runs one of our tools, the tool typically integrates with services the client already uses. The categories below describe the kinds of providers that may sit at the other end of an integration. The client has their own account and their own contract with each provider; they are the controller for data flowing between them and those providers. We list the categories here for transparency, not because Simplinuity has contracted with any specific provider on your behalf.

CategoryRole in the client's workflow
Online booking platformSource of the client's online booking data
Calendar providerSource of the client's calendar data; SSO sign-in to the client's own account
In-person card terminalReads payment metadata (last four digits, brand, amount, auth code, timestamp) from the client's terminal over the client's local network. Full card numbers and CVV are never sent to us.
Voice platformVoice processing for AI receptionist tools

For the specific providers any individual client has integrated, the authoritative source is that client's own privacy notice — and where applicable our published case study for that client, where the integration is openly described.

If you are a customer of a client business (for example, a clinic patient) and want to know how your data flows through these services, the client business's own privacy notice is the primary source of truth.

5. International transfers

Our main server is in Germany, inside the United Kingdom's list of "adequate" jurisdictions, so no special transfer mechanism is needed for most of our processing.

Transfers to Google LLC (United States) for outbound business email rely on Google LLC's certification to the UK Extension to the EU–US Data Privacy Framework. Google LLC also operates an Alternative Transfer Solution covering UK personal data. Either mechanism is recognised as providing an adequate level of protection for UK personal data.

Transfers to LinkedIn Corporation and Meta Platforms, Inc. (United States) for marketing measurement (section 2.9) happen only after you accept the cookie banner. The EU/UK contracting entities are LinkedIn Ireland Unlimited Company and Meta Platforms Ireland Limited; onward transfers to their US parent companies rely on those parents' certifications to the UK Extension to the EU–US Data Privacy Framework, supplemented by the EU Standard Contractual Clauses and the UK International Data Transfer Addendum as an additional legal safeguard.

Other US-based services that fall under the categories in section 4.2 (for example, an in-person card terminal vendor or a voice processing platform) are contracted by our clients, not by Simplinuity. The client business is the controller for those transfers and must disclose them in their own privacy notice.

6. How long we keep personal data

We keep personal data only for as long as we need it for the purpose we collected it for, or for as long as the law requires.

CategoryRetention
Server access logsShort rolling window (typically 7 to 30 days)
Enquiry and Discovery messagesWhile the conversation is live, plus a reasonable follow-up period; longer if a contract is formed
Client portal accounts (2.4)While the client relationship is active, plus a short grace period (typically 90 days) to allow re-activation
Client-staff records inside tools (2.5)Per the client's instructions; the client business decides
Customer data inside client tools (2.6)Per the client's instructions
Payment audit-log entriesUp to six years from the end of the financial year, aligned with HMRC retention for financial records
Support requests (2.7)12 months after resolution, unless the issue is ongoing
Sales and engagement records (2.8)As long as there is a reasonable prospect of a continuing relationship; on request, deleted sooner
LinkedIn and Meta pixel data (2.9)Retention is controlled by each provider. LinkedIn retains Insight Tag data for up to 90 days for measurement and up to 180 days for audience use. Meta retains Pixel data for up to 180 days. Their cookies live in your browser for the lifetimes listed on the Cookie Policy page.
Plausible analytics events (2.10)Plausible retains raw events for 24 months and aggregates them into daily statistics. The daily visitor hash is discarded at the end of each day — no persistent visitor record exists beyond that window.
Tax, accounting, and legally required recordsSix years from the end of the relevant financial year (HMRC)
Daily database backupsRotated on a 7-day daily and 4-week weekly cycle

You can always ask us to delete data about you sooner. See section 9.

7. Your rights

Under UK GDPR you have the following rights. Each one applies to personal data where we are the controller; for data we hold as a processor on behalf of a client business, please contact that business first.

  1. Right of access: ask us for a copy of the personal data we hold about you.
  2. Right to rectification: ask us to correct anything that is wrong.
  3. Right to erasure: ask us to delete personal data that we no longer have a lawful reason to keep.
  4. Right to restriction: ask us to pause a particular use of your data.
  5. Right to data portability: ask us to send a machine-readable copy of data you gave us, to you or to another provider.
  6. Right to object: object to processing based on legitimate interests, including any profiling; we will stop unless there are compelling legitimate grounds.
  7. Rights around automated decision-making: see section 8.
  8. Right to withdraw consent: where we rely on consent (for example, if we ever start a marketing newsletter), you can withdraw it at any time without affecting the lawfulness of processing done before you withdrew.

Exercising any of these rights is free in almost all cases and has no downside for you.

8. Automated decision-making

We do not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of UK GDPR Article 22.

Some of our tools use automated matching — for example, our therapist-portal software suggests links between bookings and card-terminal transactions based on amount, time, and other metadata, and can auto-mark a match as verified when confidence is high. This is internal bookkeeping for the client business and has no legal or significant effect on the individual whose booking or payment is being matched. A human at the client business can review and override any match at any time.

9. How to exercise your rights

Email hello@simplinuity.com with the subject line "Privacy request". Include:

  • the right you want to exercise;
  • enough information for us to identify the data you mean (for example, the email address you used when you contacted us, or the client business you worked with);
  • any constraint or deadline we should know about.

We aim to respond within one month of receiving the request, as required by UK GDPR Article 12. If a request is complex or we receive several requests from the same person, we may extend by a further two months and will tell you if we need to.

We will not charge you for a reasonable request. If a request is manifestly unfounded or excessive, we may refuse or charge a reasonable fee, and will explain why.

10. Security

We treat personal data we hold with care. The specific measures we take are:

  • All traffic between your browser and our services uses TLS (HTTPS).
  • Our server is a single, dedicated machine hosted by Hetzner in Germany, with access restricted to named administrators over SSH key authentication.
  • Staff access tokens in our tools are short-lived (typically 60 minutes) and a staff PIN is stored only as a one-way hash, never as plain text.
  • Portal sign-in uses per-user credentials, with passwords stored only as bcrypt hashes (never as plain text). Sessions are limited to 8 hours with sliding-window refresh, and accounts lock for 15 minutes after 5 consecutive failed sign-in attempts.
  • Our SQLite databases are backed up daily and weekly; backups live on the same server and are included in our disaster-recovery planning.
  • We do not share credentials between environments, do not write card numbers or CVVs into our systems at any point, and do not send sensitive data in email attachments.

No system is perfectly secure. If something does go wrong and personal data is at risk, we will notify the ICO within 72 hours where required by UK GDPR Article 33, and notify affected individuals where required by Article 34.

11. Children's data

Our services are not directed at children under 13. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact hello@simplinuity.com and we will delete it.

12. Cookies and browser storage

Our marketing site (simplinuity.com) sets no cookies by default. On your first visit you are shown a cookie banner; if you accept, two marketing pixels (LinkedIn and Meta) are loaded and set their own third-party cookies for measurement and retargeting. If you reject (or ignore the banner), no pixel request is ever made and no cookies are set.

Our client portal uses two small strictly-necessary items of browser storage to keep you signed in; those are not cookies and do not require consent. Our tools may use their own browser storage, which the client business documents in its own notice.

The full list — including cookie names, providers, and lifetimes — is in our separate Cookie Policy. You can withdraw cookie consent from the same page at any time.

13. Changes to this notice

We may update this notice from time to time. When we do, we will update the "Effective date" at the top. For material changes (for example, adding a new sub-processor or a new category of data), we will flag the change in the notice itself for 30 days. Continuing to use the site or the portal after a change indicates acceptance of the updated notice.

14. Complaints

If you are unhappy with how we have handled your personal data, we would like the chance to put it right — please email hello@simplinuity.com first.

You also have the right to lodge a complaint with the UK Information Commissioner's Office:

  • Online: ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF