Privacy Policy

1. Who we are

Simuka ("Simuka", "we", "us") is a sole-trader consultancy operated by Jason Frankham, registered in Kinsale, Cork, Ireland. We provide forensic deal analysis and advisory services to enterprise SaaS companies.

For the purposes of the EU General Data Protection Regulation (GDPR), Simuka acts as a data controller for personal data we collect directly (e.g. through our intake form, website signups, or email correspondence) and as a data processor for personal data contained within client engagement material processed on behalf of our clients under a separate Data Processing Agreement (DPA).

2. What we collect

From visitors to this website

• IP address and approximate geographic location (via standard server logs)
• Browser type and device information
• Pages visited and time on site (no third-party analytics tracking)

From people who submit an intake form

• Name, email, phone number, company, role
• Deal context and qualification information you choose to provide
• Any supporting documents you upload

From people who sign up for blog notifications

• Email address only

From clients during engagements

We process whatever material you choose to provide to support the engagement — typically including names and contact details of individuals at your prospect organisation, commercial proposals, contract drafts, and related deal material. This data is processed under a separate DPA and is not retained beyond the engagement period.

3. Why we collect it

• To deliver our services — intake data and engagement material are processed to produce the forensic deliverables you have engaged us to produce
• To communicate with you — about your engagement, deliverables, and follow-up
• To send insights — only if you have explicitly opted in to receive them
• To meet legal and accounting obligations — we retain invoicing records as required by Irish tax law
• To operate the website — basic server logs are retained for security and operational integrity

4. Legal basis for processing

We process personal data on the following GDPR Article 6 bases:

• Contract — for delivering the services you have engaged us to provide
• Legitimate interest — for security logging, fraud prevention, and operational integrity
• Consent — for blog notifications and any marketing communication
• Legal obligation — for tax and accounting records

5. Data retention

Our default approach is zero retention beyond what is operationally necessary.

• Client engagement material: deleted within 14 days of final deliverable acceptance
• Email correspondence with clients: retained for 30 days post-engagement, then deleted
• Intake form submissions (unconverted): retained for 90 days, then deleted
• Invoicing and tax records: retained for 7 years as required by Irish law
• Blog notification email list: retained until unsubscribed
• Website server logs: retained for 30 days

You may request earlier deletion at any time. We will confirm in writing once deletion is complete.

6. Who we share data with

We do not sell or rent personal data under any circumstances. We share data only with the following categories of recipients, and only to the extent strictly necessary:

• Anthropic, PBC — AI model API provider, used for Kinetic Engine analysis under enterprise zero-retention terms. Anthropic does not retain or train on submitted data.
• Stripe Payments Europe Ltd. — payment processor for transactional services. Stripe handles all payment card data; Simuka never sees or stores payment card numbers.
• Formspree, Inc. — form submission processor (intake form). Data is forwarded to Jason's email and deleted from Formspree's storage within 48 hours.
• Dropbox International Unlimited Company — secure file transfer for client document upload, under their standard data processing terms.
• Google Workspace — email and calendar provider for jfrankham@gmail.com.
• Netlify, Inc. — website hosting provider.
• Our accountant and tax advisor — for invoicing and tax compliance, bound by professional confidentiality obligations.
• Legal counsel — in the rare circumstance of a legal dispute, bound by professional confidentiality.

We do not share client engagement material with any of the above beyond strict operational necessity (e.g. AI inference via Anthropic API). All sub-processors are subject to GDPR-compliant data processing agreements.

7. International transfers

KSP processes all client engagement material in Ireland. We do not transfer engagement material outside the European Union.

Some of our sub-processors (notably Anthropic, Stripe, Dropbox, Google, Netlify) are US-based companies. Where data is transferred to these processors, the transfer is governed by the EU Standard Contractual Clauses (SCCs) or, where applicable, the EU–US Data Privacy Framework. We have selected sub-processors whose contractual commitments are compatible with GDPR.

8. Security

We apply technical and organisational measures appropriate to the sensitivity of the data we process:

• Encryption of data at rest (AES-256) and in transit (TLS 1.2 or higher)
• Multi-factor authentication on all systems handling client data
• Principle of least privilege — only Jason has access to client engagement material
• Local processing on hardware physically located in Ireland
• Encrypted, password-protected backups overwritten within standard backup cycles
• Operational practices aligned to SOC 2 Type II principles (formal certification on roadmap)
• Documented incident response procedure with 72-hour breach notification commitment

9. Your rights under GDPR

If you are an EU/UK data subject (or otherwise covered by GDPR), you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete personal data
• Erase your personal data ("right to be forgotten"), subject to legal retention obligations
• Restrict processing of your personal data
• Object to processing, particularly for direct marketing
• Portability — receive your data in a structured, commonly used format
• Withdraw consent at any time, where consent is the basis for processing
• Complain to the Irish Data Protection Commission (DPC) or your local supervisory authority

To exercise any of these rights, email jfrankham@gmail.com. We respond within 30 days.

10. Cookies

This website uses essential cookies only. We do not use third-party analytics cookies, advertising cookies, or social tracking cookies. We do not maintain a marketing pixel or remarketing infrastructure.

If you have JavaScript enabled, the website may use localStorage to remember in-progress intake form data so you don't lose your input if you navigate away. This data stays in your browser and is not transmitted to Simuka unless you submit the form.

11. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of this page reflects the most recent revision. Material changes will be notified to active clients by email. Continued use of our services after a change constitutes acceptance of the updated policy.

12. Contact

Questions about this policy, or about how we handle your data:

Jason Frankham
Simuka
Kinsale, Cork, Ireland
Email: jfrankham@gmail.com

Supervisory authority: Data Protection Commission of Ireland (dataprotection.ie).

Note: This privacy policy describes Simuka's general practices for personal data. A separate Data Processing Agreement (DPA) governs the processing of personal data contained within client engagement material and is executed alongside the master engagement terms. Clients should refer to their DPA for engagement-specific data handling commitments.