Privacy Policy
Effective date: 10 May 2026, Alexander Wasserman
1. Who We Are
SimpleOTA is operated by Alexander Wasserman, an individual based in the Netherlands (“we”, “us”, “our”). We are the data controller for personal data processed through the Service.
Contact: [email protected]
2. Data We Collect
We collect only what is necessary to provide the Service:
| Category | Examples | Lawful basis | Retention |
|---|---|---|---|
| Account data | Username, email address, hashed password | Contract (Art. 6(1)(b)) | Account duration + 30 days after deletion |
| Billing data | Stripe customer ID, subscription status, invoice records | Contract + Legal obligation (Art. 6(1)(b)(c)) | 7 years (Dutch administratieplicht) |
| Firmware artifacts | Uploaded binaries, metadata, manifest files | Contract (Art. 6(1)(b)) | Until deleted by you |
| Device telemetry | Device IDs, chip family, current build number, last seen timestamp | Contract + Legitimate interests (service reliability, rollout safety, and abuse prevention) (Art. 6(1)(b)(f)) | Until device is deleted |
| Audit logs | Action type, actor, target, timestamp | Legitimate interests (security monitoring and fraud prevention) (Art. 6(1)(f)) | 12 months |
| API tokens | Hashed token values (raw token never stored) | Contract (Art. 6(1)(b)) | Until revoked |
| Request logs | IP addresses, request paths, timestamps | Legitimate interests (operational security and abuse prevention) (Art. 6(1)(f)) | 30 days |
3. Cookies
We use only strictly necessary cookies. No analytics, advertising, or tracking cookies are set.
- Session cookie: maintains your authenticated session. Deleted when you log out or your session expires.
- CSRF token: protects against cross-site request forgery. Required for the Service to function securely.
Because these cookies are strictly necessary, no consent banner is required under GDPR / ePrivacy.
4. How We Use Your Data
We use your data solely to provide and improve the Service: authenticating you, processing payments, delivering firmware to your devices, sending service notifications, and maintaining security and audit trails. We do not sell your data or use it for advertising.
5. Data Processors
We share data with the following third-party data processors. All are bound by data processing agreements under Art. 28 GDPR:
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe, Limited | Payment processing, invoicing | Dublin, Ireland (EU) | EEA processing; no restricted international transfer |
| Akamai Technologies / Linode | Cloud hosting, object storage for firmware binaries | United States | Standard Contractual Clauses (Art. 46(2)(c) GDPR) |
6. International Transfers
Personal data transferred to Akamai/Linode in the United States is governed by Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR. In line with our obligations following the Schrems II ruling (C-311/18), we assess transfer risks and apply appropriate technical and organisational measures, including TLS encryption in transit, access controls, and least-privilege operational access.
You may contact [email protected] for more information about international transfers.
7. Your Rights
Under GDPR you have the following rights in relation to your personal data:
- Access (Art. 15): request a copy of the personal data we hold about you.
- Rectification (Art. 16): ask us to correct inaccurate or incomplete data.
- Erasure (Art. 17): request deletion of your data where there is no compelling reason for continued processing.
- Restriction (Art. 18): ask us to restrict processing in certain circumstances.
- Portability (Art. 20): receive your data in a structured, machine-readable format.
- Objection (Art. 21): object to processing based on legitimate interests.
- No automated decisions (Art. 22): we do not make decisions about you solely by automated means.
To exercise any right, email [email protected]. We will respond within one month, as required by Art. 12(3) GDPR. This may be extended by a further two months for complex or numerous requests; we will notify you of any extension within the first month.
8. Supervisory Authority
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens (AP)
autoriteitpersoonsgegevens.nl
Postbus 93374, 2509 AJ Den Haag, Netherlands
9. Security
We implement appropriate technical and organisational measures to protect your data: passwords are hashed, API tokens are stored as hashed values only, firmware delivery uses short-lived pre-signed URLs, and all data in transit is encrypted via TLS.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the Service at least 30 days before the change takes effect.
11. Contact
For any privacy-related questions or requests, contact us at [email protected].
Last updated: 10 May 2026.