Legal · SimuLyn OÜ
Privacy Policy
Last updated: June 2026 · Effective immediately
SimuLyn OÜ is a European Union company registered in Estonia (reg. no. 17395925, VAT EE 102935811) and is fully subject to the General Data Protection Regulation (GDPR). We take your privacy seriously and process your data only for the purposes described in this policy.
1. Controller Identity
This Privacy Policy is issued by SimuLyn OÜ, a company registered in Estonia with registration number 17395925 and VAT number EE 102935811, whose registered contact agent is Dalanta OÜ (registrikood 14330221), Harju maakond, Tallinn, Kesklinna linnaosa, Pärnu mnt 105, 11312, Estonia. SimuLyn OÜ is the data controller for all personal data processed through the simulyn.io platform and the DTAP simulator. For all privacy-related enquiries, contact us at contact@simulyn.io.
2. Scope and Applicability
This policy applies to all users of simulyn.io and the DTAP (Digital Twin Automation Process Simulator) desktop application. By creating an account or using our services, you acknowledge that you have read and understood this Privacy Policy. Use of our platform is restricted to individuals aged 18 and over. SimuLyn OÜ operates as an EU-registered company and is subject to the General Data Protection Regulation (GDPR) and applicable Estonian data protection law.
3. Data We Collect
When you register for an account we collect: your first name, surname, email address, and selected subscription plan. We automatically generate and assign you a unique D Number (format: D-XXXXX) which serves as your training identity. We also collect usage data including module completion status, scores, attempt counts, login timestamps, and last login date. Payment processing is handled entirely by Stripe — we do not store, process, or have access to your card details. We collect only the minimum data necessary to provide our services.
4. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Article 6: Performance of a contract — your name, email, and D Number are necessary to create and manage your account and provide access to DTAP. Legitimate interests — usage and progress data is processed to provide your training dashboard and improve our platform. Legal obligation — we may retain certain data to comply with Estonian tax law and EU financial regulations. We do not rely on consent as a legal basis for core service processing; however, we will seek consent for any optional communications such as newsletters.
5. D Number System
Your D Number (format: D-XXXXX) is a unique identifier generated at the moment of registration and permanently associated with your account. It is used to authenticate your access to the DTAP simulator and to associate your progress data with your profile. Your D Number is personal and confidential. You must not share it with third parties. SimuLyn OÜ is not responsible for unauthorized access resulting from a disclosed D Number. If you believe your D Number has been compromised, contact us immediately at contact@simulyn.io.
6. How We Use Your Data
We use your personal data to: create and maintain your account, generate and deliver your D Number, authenticate your access to the DTAP simulator, display your training progress and module completion on your dashboard, process your subscription payments via Stripe, send transactional emails such as registration confirmation and D Number delivery, respond to support and enquiry requests, and comply with applicable legal obligations. We do not use your data for advertising purposes. We do not sell your data to any third party.
7. Data Sharing and Third Parties
We share your data only with the following service providers, each bound by data processing agreements: Firebase by Google (authentication and database infrastructure), Stripe (payment processing — they are an independent controller for payment data), Resend (transactional email delivery), and Vercel (hosting and deployment infrastructure). All providers operate under appropriate data protection frameworks. We do not share your data with any other third parties, advertisers, or data brokers.
8. Data Storage and Security
Your data is stored in Firebase Firestore, hosted on Google Cloud infrastructure within the EU where possible. Data is encrypted in transit using TLS and encrypted at rest. Access to your data is enforced at the database level — each user can only read and write their own records. Our API endpoints are rate-limited and protected by API key authentication. Session cookies are httpOnly, secure, and sameSite=strict. Full details of our technical security measures are available on our Security page.
9. Data Retention
We retain your account data for as long as your account remains active. If you request account deletion, we will permanently delete your personal data within 30 days of your request. We may retain anonymised, aggregated usage statistics that cannot be linked to any individual. Where we are legally required to retain financial records (for example, invoicing data under Estonian accounting law), we will retain only the minimum required data for the legally mandated period.
10. Your Rights Under GDPR
As an EU data subject you have the following rights: the right to access the personal data we hold about you, the right to rectification of inaccurate data, the right to erasure ("right to be forgotten"), the right to restriction of processing, the right to data portability, the right to object to processing, and the right to withdraw consent where consent is the legal basis. To exercise any of these rights, contact us at contact@simulyn.io. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee.
11. Cookies
We use a single session cookie named simulyn_session to maintain your authenticated state on the platform. This cookie is httpOnly (not accessible by JavaScript), secure (only transmitted over HTTPS), and sameSite=strict (not sent with cross-site requests). We do not use advertising cookies, analytics cookies, or any third-party tracking cookies. No cookie consent banner is required for strictly necessary cookies under GDPR.
12. Children and Age Restriction
The DTAP simulator and Simulyn platform are intended for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe a minor has created an account, please contact us at contact@simulyn.io and we will delete the account and associated data promptly.
13. International Data Transfers
SimuLyn OÜ is registered in Estonia and operates within the European Union. Our service providers — including Google (Firebase), Stripe, Resend, and Vercel — may process data in countries outside the EU. Where such transfers occur, they are subject to appropriate safeguards including Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring your data receives equivalent protection to that provided under GDPR.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. We will notify you of material changes by email at least 14 days before they take effect. The date at the bottom of this page indicates when the policy was last updated. Continued use of the platform after the effective date of any changes constitutes your acceptance of the updated policy.
15. Contact and Complaints
For any privacy-related questions, data subject requests, or complaints, contact us at contact@simulyn.io. We aim to respond to all privacy enquiries within 5 business days. If you are not satisfied with our response, you may contact the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at info@aki.ee or visit www.aki.ee.