Privacy Policy

SimplyCal (“we”, “us”, or “our”) is committed to protecting your personal data in accordance with the Singapore Personal Data Protection Act 2012 (“PDPA”) and its subsequent amendments. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our web application at simplycal.app (the “Service”).

By using the Service, you consent to the practices described in this Policy. If you do not agree, please do not use the Service.

1. Data We Collect

1.1 Personal Data

When you register or use SimplyCal, we collect:

• Email address — used to authenticate you via a magic link and to contact you about the Service.
• Display name — optionally provided and used to personalise your in-app experience.

1.2 User-Generated Health Data

Data you voluntarily enter into the app, including:

• Food entries (name, calories, macronutrients, date);
• Body weight logs (weight, date);
• Daily nutritional goals.

Under the PDPA, health-related data may constitute sensitive personal data. We handle it with additional care as described in this Policy.

1.3 Technical Data

We automatically collect limited technical data to operate the Service:

• Session tokens (stored as secure HTTP-only cookies via NextAuth.js);
• Standard server logs (IP address, browser type, page requests) retained for up to 30 days.

2. How We Use Your Data

We use your personal data only for the following purposes:

• To authenticate you and provide access to your account;
• To store and display your food and weight entries;
• To send you magic link sign-in emails via Resend;
• To notify you of material changes to these policies (where you have opted in);
• To maintain the security and integrity of the Service.

We do not use your data for advertising, profiling, or any purpose beyond operating the Service.

3. Legal Basis for Processing

We collect and process your personal data on the following bases under the PDPA:

• Consent — you provide your email address and voluntarily input health data when using the Service;
• Contractual necessity — processing is required to provide the Service you have signed up for;
• Legitimate interests — maintaining the security and functionality of the Service.

4. Data Sharing and Disclosure

We do not sell, trade, or rent your personal data. We only share your data with the following trusted third-party service providers, strictly as required to operate the Service:

• MongoDB Atlas — cloud database used to store your account and tracker data (servers may be located outside Singapore; covered by MongoDB’s data processing agreements);
• Resend — transactional email provider used to deliver magic link sign-in emails;
• Vercel — hosting platform for the web application.

All third-party providers are contractually required to handle your data securely and only for the purposes we specify. We require that they provide an equivalent standard of data protection as required under the PDPA.

We may also disclose your personal data if required by Singapore law, court order, or any regulatory or government authority.

5. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide the Service. If you request account deletion, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encrypted data transmission (HTTPS), secure session management, and access controls on our database infrastructure.

In the event of a data breach that is likely to result in significant harm to you, we will notify the Personal Data Protection Commission (PDPC) and affected individuals as required under the PDPA Mandatory Data Breach Notification Obligation.

7. Cookies

SimplyCal uses a single secure session cookie (set by NextAuth.js) to keep you signed in. We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

8. Children’s Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data without appropriate consent, please contact us and we will delete it promptly.

9. Your Rights Under the PDPA

As a data subject in Singapore, you have the right to:

• Access — request a copy of the personal data we hold about you;
• Correction — request that we correct any inaccurate or incomplete personal data;
• Withdrawal of consent — withdraw consent for us to use your personal data at any time (note: this may require us to close your account);
• Data portability — request your data in a structured, machine-readable format;
• Erasure — request deletion of your account and associated personal data.

To exercise any of these rights, please contact us at the address below. We will respond within 30 business days as required by the PDPA.

10. International Transfers

Your data may be processed and stored on servers located outside Singapore (e.g., through MongoDB Atlas or Vercel). Where we transfer personal data internationally, we take steps to ensure that the recipient provides a standard of protection comparable to the PDPA, including through contractual arrangements.

11. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or Singapore law. When we make material changes, we will update the “Last updated” date above and notify you via the email address associated with your account. Your continued use of the Service after any changes constitutes acceptance of the updated Policy.

12. Contact & Data Protection Queries

If you have questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us at:

SimplyCal
Singapore
Email: hello@simplycal.app

If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore.