Privacy Policy.
This policy explains how Simples handles personal data when you visit the website, run the free assessment, pay for access, and prepare a declaration file.
Last updated: June 16, 2026
Controller
Cozmo Technologies, Inc., 2810 N Church St STE 88630, Wilmington, DE 19802, United States, operates Simples and is responsible for the processing described in this policy.
For privacy questions or rights requests, contact [email protected].
Product privacy model
Simples is designed so that declaration preparation happens mainly in your browser. You upload a prefilled XML file, answer questions, and download an updated XML file. In the normal builder flow, Simples does not intentionally send the full uploaded tax XML to our servers.
We do not ask for your Portal das Finanças password and we do not submit your tax declaration for you.
Data we process
| Context | Data | Purpose |
|---|---|---|
| Website visit | IP address, browser/device data, pages visited, referrer, technical logs, analytics events. | Provide the site, secure it, measure product usage, and fix errors. |
| Free assessment | Questionnaire answers about your tax situation, stored in your browser. | Show likely annexes, eligibility, pricing, and next steps. |
| Paid access | Email, name when available, payment status, checkout session id, Stripe ids, access-link tokens. | Process payment, unlock the product, send or restore access links, prevent abuse. |
| Declaration builder | Uploaded-file metadata, extracted prefill fields, builder answers, generated XML, local progress state. | Prepare your downloadable declaration file and help you review missing items. |
| Support and waitlist | Email address, message content, product preferences, and correspondence. | Reply to you, provide support, and improve Simples. |
Local storage
Simples uses browser localStorage for questionnaire answers, paid-access status, uploaded-file metadata, declaration-builder progress, and UI state. This data stays on your device unless you clear browser storage, use another device, or your browser removes it.
Legal bases
Where GDPR or similar law applies, we rely on these legal bases: contract performance for paid access and declaration preparation; legitimate interests for security, fraud prevention, product analytics, support, and service improvement; consent where required for optional communications or non-essential tracking; and legal obligation for accounting, tax, payment, dispute, or compliance records.
Service providers
We use specialist providers to operate Simples. They process data only as needed for their role and under their own terms or data-processing commitments.
- Cloudflare hosts the website, Pages Functions, security services, and key-value records.
- Stripe processes checkout, payment, fraud-prevention, refund, and dispute data.
- Resend may send access links, transactional emails, or product emails if enabled.
- PostHog provides product analytics such as page views, funnel steps, and error events.
- GitHub hosts source code and deployment workflows used to maintain the service.
Payments
Payment details are entered on Stripe-hosted checkout pages or Stripe-controlled payment elements. Simples does not receive full card numbers. Stripe may process payment data as an independent controller for parts of its service, including fraud prevention and legal compliance.
Analytics
We use analytics to understand whether users can complete the assessment, payment, upload, builder, and download flows. We do not use third-party advertising pixels. We avoid intentionally sending full tax XML contents to analytics tools.
Retention
Browser-local declaration data remains until you clear it. Paid-access and magic-link records are retained for limited operational periods, currently up to 90 days for payment restore records and up to 30 days for magic-link tokens. Support messages are kept while needed to handle the request and for reasonable business records. Payment and accounting records may be kept longer where required by law, payment-network rules, tax rules, dispute handling, or fraud prevention.
International transfers
Cozmo Technologies, Inc. and some service providers are based in the United States or other countries outside the European Economic Area. Where required, transfers are protected through provider safeguards such as data-processing agreements, standard contractual clauses, adequacy decisions, or equivalent transfer mechanisms.
Your rights
Depending on where you live, you may have rights to access, correct, delete, restrict, object to processing, receive a copy of your data, or withdraw consent. You may also have the right to complain to a data-protection authority.
To make a request, email [email protected]. We may need to verify your identity before acting on a request.
Security
We use HTTPS, Cloudflare infrastructure, Stripe-hosted checkout, access tokens for paid restore links, and secret-managed serverless functions. No service can guarantee perfect security. Do not send Portal das Finanças passwords or unnecessary tax files by email.
Children
Simples is intended for adults preparing their own tax filing. It is not directed to children.
Changes
We may update this policy as the product, providers, or law changes. The date above shows the latest version.