Privacy Policy

Effective date: 18 May 2026
Last updated: 18 May 2026

Plain-language summary. SimplifyDynamics builds custom AI assistants for individual executive clients. To do that, we access the email and calendar accounts you grant us. We process that data with Anthropic's Claude API so the AI can generate briefings and (with your approval) drafts. We don't sell your data. We don't use your data to train AI models. We share your data only with the third-party providers named below. You can revoke our access at any time, and that revocation takes effect immediately. If you read nothing else, read the Your rights section.

Who we are

SimplifyDynamics is operated by Dan Williams as a sole proprietorship, based in Glasgow, United Kingdom.

Contact: dan@simplifydynamics.com

What data we access

When you grant us OAuth access to your Google or Microsoft accounts, we access:

Email (Gmail and/or Outlook): message metadata (sender, recipient, subject, date, labels) and email bodies. With your consent we can apply labels, archive emails, move them to trash, create drafts in your drafts folder, and (under the Google scope gmail.send or the Microsoft equivalent) send email on your behalf. Sending is always subject to per-message approval rules you have signed off on — we never send email outside the rules you authorized. We do not receive scope to permanently delete email.
Calendar (Google Calendar and/or Outlook Calendar): event metadata (title, time, attendees, location), event descriptions, and your calendar list. With your consent (under the Google scope calendar.events or the Microsoft equivalent), we can also create, edit, and decline events on calendars you authorize. We treat "delete" via the calendar's trash where supported (events remain restorable).
Account email address — the email of the account you authorize, used to confirm the right account was selected during consent.

We do not access:

Email attachments
Drive, OneDrive, or any other file storage
Contact lists separate from email metadata
Any account, calendar, or service you have not explicitly authorized via OAuth consent

The exact scopes we request appear on the Google or Microsoft consent screen at the time you grant access. The consent screen is the authoritative source on what we can and cannot do. If a scope is not on that screen, we cannot exercise it.

How we use your data

We use your data only for the following purposes:

Generating your daily briefing — a personalized morning summary of meetings, priority emails, and overdue follow-ups across your authorized accounts.
Learning your patterns — analyzing your historical email and calendar behavior (what you respond to, what you ignore, who you prioritize) so the assistant's recommendations match your actual workflow rather than a generic default.
Acting on your inbox per your calibrated ruleset — applying Gmail labels, archiving low-priority email, moving spam-or-unwanted email to trash (with a configurable grace period that gives you time to override before deletion), and sending email on your behalf when the calibrated rules and your per-message approvals call for it. All of this is governed by a ruleset you have reviewed and signed off on.
Drafting replies — creating drafts in your drafts folder for you to review and send.
Managing calendar events — creating, editing, and declining events on calendars you authorize, when you ask the assistant to do so or per a pre-approved scheduling pattern. Calendar deletions go through the calendar's trash where supported.

We do not use your data for:

Training AI models (ours, Anthropic's, or any third party's)
Advertising, marketing, or audience profiling
Selling, renting, or sharing with third parties other than the sub-processors named below
Any purpose beyond delivering the assistant service to you

This use complies with the Google API Services User Data Policy, including the Limited Use requirements: information received from Google APIs is used only to provide the user-facing features of the assistant, not transferred to other parties except as required to provide those features, and not used for advertising.

Where your data lives

Authentication tokens (the OAuth refresh tokens that prove you authorized us): stored in Azure Key Vault on our SimplifyDynamics-owned Azure subscription. Encrypted at rest and in transit. Access is restricted to specific service identities and audited.
Processed data (summaries, briefing content, derived rule sets): stored in client-isolated infrastructure on Azure. Each client has their own dedicated environment; we do not mix data across clients.
Raw email and calendar content during processing: passes through Anthropic's API for the request being processed, then is discarded. We do not retain raw email or calendar content beyond the request lifetime — only the resulting summaries are persisted.
Logs: metadata only (timestamps, IDs, status codes, error types). We do not log full email bodies, calendar event details, or any pulled content. Logs are retained for 90 days.

Sub-processors

We use these third-party services to deliver the assistant. Each is bound by their own privacy policy and data-protection commitments.

Sub-processor	Purpose	What they receive
Anthropic (anthropic.com)	AI processing — generates briefings, drafts, and analyses	Email and calendar content for the specific request being processed. Anthropic's API does not train on customer data per their commercial terms.
Microsoft Azure (microsoft.com/privacy)	Hosting infrastructure (Azure VMs, Key Vault, Azure Functions, Storage)	Encrypted storage of tokens and processed data. Microsoft Azure is SOC 2, ISO 27001, HIPAA-aligned.
Google (when you authorize Gmail or Calendar)	Account access via OAuth	We receive OAuth tokens scoped to the permissions you grant. We never receive your password.
Microsoft 365 (when you authorize Outlook or Microsoft Calendar)	Account access via OAuth	Same OAuth model as Google.

We do not use Anthropic, Microsoft, Google, or any other party's services to advertise to you, sell your data, or profile you for any purpose other than delivering the assistant.

Your rights

You can exercise any of these rights at any time. We respond within 30 days for written requests; technical revocations (e.g. revoking OAuth access in Google account settings) take effect immediately.

Revoke our access — go to your Google account settings → Security → Third-party apps with access → remove SimplifyDynamics. (Or the equivalent Microsoft setting.) Effective immediately. You do not need to contact us to do this.
Request a copy of your data — email dan@simplifydynamics.com asking for what we hold about you. We send a structured export within 30 days.
Request deletion — email dan@simplifydynamics.com requesting deletion. We delete within 30 days, including from backups (which roll over within the same 30-day window).
Change your mind on scopes — you can grant or revoke individual scopes (e.g. allow email but revoke calendar). Use the same Google or Microsoft account-level controls.
Object or restrict processing — under GDPR, if applicable to you, you can object to or restrict our processing. Contact us.
Lodge a complaint with your data protection authority — if you are based in the EEA, UK, or Switzerland and believe we have processed your data unlawfully.

Security

All data encrypted at rest (AES-256) and in transit (TLS 1.2 or higher).
Authentication tokens stored in Azure Key Vault with managed-identity-only access.
Each client's infrastructure is isolated — no shared databases, no cross-client access paths in code.
Access to client systems is limited to named operators (currently: Dan Williams and Krystian, both at @simplifydynamics.com). New operators require explicit agreement with the client.
We log all access and changes to credentials and infrastructure. Logs retained for 90 days.
Suspected security incidents are investigated and disclosed to affected clients within 72 hours of confirmed discovery, with details on blast radius and remediation.

Data retention

Tokens: retained until you revoke them or the engagement ends, whichever first.
Processed summaries and briefings: retained for the duration of the engagement, plus 30 days for transition.
Logs: 90 days, then automatically purged.
At end of engagement: all client data — tokens, summaries, derived rule sets, logs — is deleted within 30 days, including from backups.

International transfers

Our infrastructure is hosted on Microsoft Azure in the United States. If you are based in the European Economic Area, the United Kingdom, or Switzerland, your data is transferred to the United States under the Standard Contractual Clauses (SCCs) approved by the European Commission, which appear in our data processing agreement.

Changes to this policy

We will post changes here and update the Last updated date. Material changes (significant changes to data use, retention, or sub-processors) will be communicated to active clients via email at least 30 days before they take effect.

Limited Use disclosure (Google API requirements)

SimplifyDynamics's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

Information from Google APIs is used only to provide or improve user-facing features of the SimplifyDynamics assistant.
Information is not transferred to third parties except as necessary to provide those features (i.e. the sub-processors named above), to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
Information is not used or transferred for advertising, including retargeted advertising.
Information is not used to determine credit-worthiness or for lending purposes.
Humans do not read the data unless we have your specific consent, the data is required for security investigations or compliance with law, or the data has been aggregated and anonymised.

Contact

For any privacy-related question, request, or complaint:

Email: dan@simplifydynamics.com

We respond to all privacy correspondence within 5 business days.