1. Data we collect
We collect only what is necessary to operate the service. The categories below correspond to specific code paths in the platform; nothing in this section is collected speculatively.
- Account email. Required for the magic-link sign-in flow. Stored lower-cased on the user record; used to deliver authentication links and account-level notifications.
- API key metadata. We store a SHA-256 hash of each issued API key (never the raw key itself), the issuance timestamp, the last-used timestamp, and a short display prefix (e.g. sk_live_abc123) for dashboard rendering.
- Billing identity. Customer ID, subscription ID, plan tier, and invoice state, sourced from Stripe via webhook events. We do not store payment instrument details; those live with Stripe.
- Simulation request payloads. The persona inputs, prompts, and structured parameters you submit to the simulation API. These are processed in real time and persisted to the run record for debugging, replay, and the case-study auto-generation pipeline.
- Aggregated telemetry. Distributed-trace spans tagged with organization ID, user ID, and request endpoint. Per the Day-15b security review, no raw email addresses, raw API keys, or raw session tokens are ever attached to spans.
- Error events. Stack traces and contextual breadcrumbs from application errors, captured by Sentry with personally identifying fields redacted before transmission.
2. How we use your data
We use the data described above to authenticate users, reconcile billing, execute simulations, monitor service health, and respond to customer support requests. Simulation prompts are forwarded to Cloudflare Workers AI (the sole LLM provider per our Day-15b architectural decision); responses are returned through the same path and persisted to the run record.
We do not sell personal data. We do not share data with advertisers. We do not use customer-submitted simulation inputs to train upstream models.
3. Subprocessors
The following service providers process customer data on our behalf. Each is bound by a data processing agreement and is subject to our annual security review. Anthropic, OpenAI, Gemini, Cohere, and Mistral are deliberately absent from this list: Simulix routes all LLM inference exclusively through Cloudflare Workers AI.
| Subprocessor | Purpose | Data category | Region |
|---|---|---|---|
| Cloudflare | Workers AI (LLM inference), Pages (frontend hosting), DNS, Queues, R2, KV | Simulation prompts and persona payloads, web request metadata, queue payloads | Global edge network |
| Railway* | API and 8 worker processes (compute), plus co-located managed Redis for sessions, idempotency cache, rate limits, and transient queues | Application traffic, environment variables, session cookies (hashed), idempotency keys (UUIDs), rate-limit counters | US-East |
| Neon | Postgres for production and sandbox tiers (two physical databases per ADR-005) | Account records, organization records, API key hashes, billing identity, simulation run metadata | US-East |
| Stripe | Payment processing, subscription lifecycle, Customer Portal | Billing identity, payment method tokens, subscription state, invoices | Global |
| Resend | Transactional email delivery (magic-link sign-in, account notifications) | Recipient email address only | Global |
| Honeycomb | Distributed tracing for the API and worker tier | Aggregated telemetry: span timings, organization IDs, user IDs (UUIDs only). No raw email addresses, API keys, or session tokens. | Global |
| Sentry | Error tracking and exception aggregation | Error events with redacted stack traces, environment tags, release identifiers | Global |
*Railway: Single vendor for application hosting + cache; internal-network Redis connection (no external Redis vendor; data does not leave the Railway network for cache operations).
For our complete data processing terms, including breach-notification timelines, audit rights, and international-transfer mechanisms, see our Data Processing Agreement.
4. Retention
Account records and organization records are retained for the lifetime of the account. After account cancellation, account-tier data is purged within thirty (30) days; this matches the termination clause in the Terms of Service.
Stripe-managed billing data follows Stripe's own retention policy. Distributed-trace spans in Honeycomb are retained for sixty (60) days. Error events in Sentry are retained per Sentry's default policy. Simulation run records are retained indefinitely as part of your project history and to enable the case-study auto-generation pipeline; you can request deletion of specific runs through the support channel.
5. Your rights
You can request access to, correction of, or deletion of your account data at any time by emailing privacy@simulix.com. We aim to respond within thirty (30) days.
For users in jurisdictions covered by the GDPR, the rights enumerated in Articles 15 through 22 (access, rectification, erasure, restriction, portability, objection, and protection from automated decision-making) apply. We honor verified data subject requests on the same thirty-day cadence and will work toward a self-service portal post-launch.
6. Security
All traffic to simulix.com and api.simulix.com is TLS-encrypted in transit (Cloudflare-terminated). Database storage at Neon and Redis storage at Railway use the vendor-default encryption-at-rest configuration. API keys are stored as SHA-256 hashes; raw keys are shown to the operator exactly once at issuance and never retained.
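The API key handling described in section 1 and above (only a SHA-256 hash persisted, raw key returned exactly once at issuance, short display prefix kept for the dashboard), shown as an added illustration that is not Simulix's own code; the function names, the 14-character prefix length and the in-memory store are assumptions:

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumption: "sk_live_" plus six characters, matching the sk_live_abc123 example.
PREFIX_LEN = 14


@dataclass
class ApiKeyRecord:
    """What is persisted: hash, prefix and timestamps. Never the raw key."""
    key_hash: str
    display_prefix: str
    issued_at: datetime
    last_used_at: Optional[datetime] = None


def hash_key(raw_key: str) -> str:
    # SHA-256 hex digest of the raw key; this is the only form that is stored.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_key(env: str = "live") -> tuple[str, ApiKeyRecord]:
    # 256 bits of randomness from the OS CSPRNG; the raw key is returned to the
    # caller once and is not kept anywhere after this function returns.
    raw_key = f"sk_{env}_{secrets.token_urlsafe(32)}"
    record = ApiKeyRecord(
        key_hash=hash_key(raw_key),
        display_prefix=raw_key[:PREFIX_LEN],
        issued_at=datetime.now(timezone.utc),
    )
    return raw_key, record


def verify_key(presented: str, store: dict[str, ApiKeyRecord]) -> Optional[ApiKeyRecord]:
    # Hash the presented key and look it up; keys are high-entropy, so an exact
    # hash match is the lookup and the raw value never touches the store.
    record = store.get(hash_key(presented))
    if record is not None:
        record.last_used_at = datetime.now(timezone.utc)
    return record
```
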
We run quarterly security reviews per the cadence documented in our internal security operations runbook, and gate every pull request through automated scanners (bandit, semgrep, pip-audit, pnpm audit). The current state of the security review is summarized on our security page.
7. Cookies
We set one first-party session cookie (named simulix_session) when you sign in to the dashboard. The cookie is HttpOnly, SameSite=Lax, and Secure on production hosts. We do not set analytics cookies, advertising cookies, or third-party trackers. No cookie banner is shown today; if we add analytics in the future, this section and the dashboard will be updated and EU visitors will see a consent banner.
8. Contact
Privacy questions, data subject requests, and subprocessor inquiries can be sent to privacy@simulix.com. Security disclosures should be sent to security@simulix.com.