PRIVACY POLICY — SIMPLYWOODPLAN

Version effective as of May 13, 2026

This Privacy Policy describes how Simplywoodplan collects, uses, and protects the personal data of its users, in accordance with the European General Data Protection Regulation (GDPR) and the French Data Protection Act.

ARTICLE 1 — DATA CONTROLLER

The data controller responsible for the personal data collected via Simplywoodplan is:

Michel Guiot

Sole proprietor (French micro-enterprise)

French business registration number (SIRET): 941 722 324 00014

Address: Saussey (50200), Normandy, France

Contact e-mail: simplywoodplan@gmail.com

In the absence of a designated Data Protection Officer (DPO), any request concerning personal data may be addressed directly to the data controller at the above e-mail address.

ARTICLE 2 — PERSONAL DATA COLLECTED

Simplywoodplan collects the following data from the User, strictly within the scope of service provision:

E-mail address (provided at subscription, used for authentication and transactional communication); payment data (card number, expiration date, security code) processed exclusively by Stripe and never visible to, stored by, or recorded by Simplywoodplan; technical data of the wood project entered by the User (dimensions, selected model, configuration options); project name (free-text field chosen by the User, integrated into the generated PDF plan); Stripe transaction identifiers (customer ID, session ID, subscription ID) necessary for subscription monitoring and billing; service usage metadata (subscription date, expiration date, number of PDFs generated, subscription status).

No sensitive data within the meaning of Article 9 of the GDPR (racial or ethnic origin, political opinions, religious beliefs, health data, etc.) is collected.

ARTICLE 3 — PURPOSES OF PROCESSING

The personal data collected is used exclusively for the following purposes: enabling the User to access and use the Simplywoodplan application; generating and delivering the PDF plans requested by the User; managing payment, subscription tracking, and billing; sending transactional e-mails (payment confirmation, plan delivery, renewal or termination notifications); responding to support requests and complaints; complying with the Publisher's legal and accounting obligations (retention of invoices, tax declarations).

Data is in no case used for advertising purposes, commercial profiling, or resale to third parties.

ARTICLE 4 — LEGAL BASES FOR PROCESSING

In accordance with Article 6 of the GDPR, the processing operations carried out by Simplywoodplan are based on the following legal grounds: performance of the contract concluded with the User (subscription, service provision, PDF generation, billing); compliance with the Publisher's legal obligations (accounting retention, tax declarations, fraud prevention); the Publisher's legitimate interest, particularly in connection with service security and the prevention of usage abuse.

No processing is based on advertising or commercial consent.

ARTICLE 5 — DATA RECIPIENTS AND PROCESSORS

The User's personal data may be transmitted to the following technical processors, strictly within the scope of service provision and on the basis of GDPR-compliant contractual commitments:

Glide Apps (Glide, Inc., United States): hosting of the web application and storage of user data;

Stripe (Stripe, Inc., United States): payment processing and subscription management;

SendGrid (Twilio Inc., United States): delivery of transactional e-mails;

PDF.co (ByteScout, United States): technical generation of plans in PDF format;

Squarespace (Squarespace, Inc., United States): hosting of the marketing website;

n8n: orchestration of data flows between the above services.

The Publisher undertakes to use only processors offering sufficient guarantees regarding data protection, and to transmit only data strictly necessary for each purpose.

No data is resold, transferred, or shared with third parties for commercial purposes.

ARTICLE 6 — TRANSFERS OUTSIDE THE EUROPEAN UNION

Several technical processors mentioned in Article 5 are established in the United States (Glide, Stripe, SendGrid, PDF.co, Squarespace). The User's personal data may therefore be subject to transfers outside the European Union.

These transfers are framed by the mechanisms provided for by the GDPR, in particular the Standard Contractual Clauses adopted by the European Commission and, where applicable, the processors' adherence to the EU-U.S. Data Privacy Framework.

The User may obtain a copy of the applicable safeguards upon simple request to simplywoodplan@gmail.com.

ARTICLE 7 — DATA RETENTION PERIODS

Personal data is retained for the period necessary for the purposes for which it was collected, according to the following durations:

Account and usage data: for the entire duration of the active subscription;

After subscription termination: three (3) years, in order to meet the accounting, tax, and legal obligations applicable to French micro-entrepreneurs;

Invoices and accounting documents: ten (10) years, in accordance with the French Commercial Code;

Payment data (Stripe): retained according to Stripe's own policy, available at https://stripe.com/privacy.

At the end of these periods, the data is deleted or irreversibly anonymized.

ARTICLE 8 — USER RIGHTS

In accordance with Articles 15 to 22 of the GDPR, the User has the following rights regarding their personal data:

Right of access: to obtain confirmation that their data is being processed and receive a copy;

Right of rectification: to have inaccurate or incomplete data corrected;

Right to erasure ("right to be forgotten"): to request the deletion of their data, subject to legal retention obligations;

Right to restriction of processing: to request the suspension of processing in certain cases;

Right to portability: to receive their data in a structured, machine-readable format;

Right to object: to object to processing for legitimate reasons;

Right to define post-mortem directives regarding the fate of their data after death.

These rights may be exercised at any time by writing to simplywoodplan@gmail.com. A response will be provided within a maximum of one (1) month from receipt of the request.

ARTICLE 9 — DATA SECURITY

The Publisher implements appropriate technical and organizational measures to guarantee the security, confidentiality, and integrity of the personal data processed, in particular: encryption of communications via HTTPS across the entire service; authentication by magic link or single-use code (PIN); storage of payment data exclusively with Stripe, in compliance with PCI-DSS standards; access to data limited to what is strictly necessary for the data controller; selection of processors offering contractual guarantees regarding data protection.

In the event of a data breach likely to result in a risk to the rights and freedoms of Users, the Publisher undertakes to notify the French Data Protection Authority (CNIL) within seventy-two (72) hours and to inform the concerned Users in accordance with Article 34 of the GDPR.

ARTICLE 10 — COOKIES

The simplywoodplan.com website and the Simplywoodplan application use technical cookies that are essential to the operation of the service (session, authentication, Stripe payment). No advertising, third-party audience measurement, or profiling cookies are used.

A dedicated cookie policy specifies the types of cookies used, their duration, and their purpose.

ARTICLE 11 — COMPLAINT TO THE CNIL

The User has the right to lodge a complaint with the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés — CNIL), the supervisory authority for personal data protection in France:

CNIL — 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France

Website: https://www.cnil.fr

Phone: +33 1 53 73 22 22

Before filing any complaint with the CNIL, the User is invited to first contact the Publisher at simplywoodplan@gmail.com to attempt an amicable resolution.

ARTICLE 12 — MODIFICATIONS TO THIS POLICY

This Privacy Policy may be modified at any time to reflect changes in the service, its processors, or applicable regulations. The version in effect is the one published on the website on the date of consultation. In the event of substantial modification, the User will be notified by e-mail.