Privacy Policy
Effective .
Simulacra is an enterprise service for consumer and market research teams. We process customer research data only to provide the contracted service, do not sell it, do not use it to train models for other customers, and separate Studio and API retention because those products have different operating models.
1. Who we are and what this policy covers
This Privacy Policy describes how Simulacra Data, Inc. and Simulacra Synthetic Data Studio ("Simulacra," "we," "us," or "our") collect, use, disclose, and protect information when you visit simulacra-data.com, contact us, use the Synthetic Data Studio, or use the Headless API.
This policy is supplemented by customer order forms, statements of work, data processing agreements, and enterprise subscription agreements where those documents apply. If an executed agreement conflicts with this public policy, the executed agreement controls for that customer relationship.
2. Controller and processor roles
For website, sales, support, account, billing, and security-administration information, Simulacra generally acts as a controller or business. For customer research data uploaded to the Studio or API, Simulacra generally acts as a processor or service provider on behalf of the customer. Customers remain responsible for having the rights, notices, and consents needed to provide customer research data to Simulacra.
Privacy questions may be sent to privacy@simulacra-data.com.
3. Categories of information we process
| Category | Examples | Typical source |
|---|---|---|
| Business contact data | Name, work email, company, role, phone number, meeting notes, procurement requests. | You, your employer, referrals, public business sources. |
| Account and authentication data | User identifiers, company tenant, role, login events, API client identifier, credential metadata. We do not ask customers to send us API client secrets after issuance. | Customer admins, identity providers, Auth0, platform logs. |
| Customer research data | Survey rows, trackers, panel data, sales or pricing data, conjoint or choice-model inputs, questionnaire labels, and generated synthetic outputs. | Enterprise customers and authorized users. |
| Service and usage data | Rows uploaded/generated, buttons clicked, API routes called, request IDs, job IDs, timestamps, tenant identifiers, quota and billing usage. | The Studio, API, infrastructure, and support systems. |
| Security and support data | Audit logs, error reports, support tickets, questionnaire responses, compliance-document request records, incident records. | Platform systems, customers, auditors, and security tooling. |
| Payment and contract data | Order forms, invoices, billing contact information, payment status, tax and accounting records. | Customers, payment processors, finance systems. |
4. Sensitive and regulated data
Simulacra is used with research datasets that may contain demographic, behavioral, attitudinal, purchasing, or other personal data. Some customer datasets may include sensitive categories depending on the study design. Customers should not upload special-category, protected-health, children's, payment-card, account-secret, or highly regulated data unless the applicable agreement, DPA, and product configuration expressly allow it.
We do not intentionally collect children's personal data through the public website or standard product flows. The service is intended for enterprise customers and authorized business users.
5. How we use information
- Provide, operate, secure, monitor, and improve the Studio, API, documentation, and website.
- Fit customer-specific models, generate synthetic outputs, run scenarios, and return results to the customer that supplied the data.
- Administer accounts, authentication, support, procurement, billing, compliance documentation, audit evidence, and service communications.
- Detect, investigate, and prevent security events, abuse, fraud, service misuse, and policy violations.
- Meet contractual, tax, accounting, legal, audit, and regulatory obligations.
- Send product, security, legal, and marketing communications where permitted, with opt-out where required.
6. What we do not do with customer research data
- We do not sell customer research data.
- We do not share customer research data with third parties for their own marketing.
- We do not anonymize, aggregate, or publish customer research data for third-party use.
- We do not use customer research data to train or update models for other customers.
- We do not represent synthetic outputs as real respondent records.
7. Product retention and deletion
Studio and API retention are intentionally different. The Studio is optimized for ephemeral sessions; the API is optimized for repeatable integrations that need trained artifacts available for scenario reuse during an explicit short retention window.
| Data surface | Default retention | Notes |
|---|---|---|
| Studio uploaded/generated data | Session only | Customer uploaded and generated data is held for the active hosted session and is deleted when the session closes or times out. Simulacra cannot recover it after the session ends. |
| API uploaded seed bytes | Active processing window | The API reads seed data to clean and train the dataset, then retains cleaned data and trained artifacts according to the dataset retention window. |
| API cleaned dataset and trained artifacts | 24 hours since last use by default | Retention can be extended by explicit API action within the configured maximum. The standard maximum continuous dataset retention window is 7 days. |
| API generated outputs | 24 hours by default | Managed-mode download URLs are short-lived, with a 15-minute default. Enterprise storage mode may deliver through customer-controlled storage and key paths. |
| API delete action | Immediate active-access removal | DELETE /v1/datasets/{id} removes active dataset access and associated retrievable dataset artifacts from the API surface. Generation artifacts expire on their own retention windows. |
| Operational logs and audit records | As required for security, audit, support, and compliance | Logs and audit records are designed to record what happened, not uploaded seed rows or generated output content. Retention may vary by system and contractual requirement. |
| Contracts, invoices, compliance records | As required by law and business record obligations | These records are retained to support contracting, audit, tax, finance, and legal obligations. |
8. Legal bases for processing
Where GDPR or similar law applies, our legal bases may include performance of a contract, legitimate interests in operating and securing an enterprise service, compliance with legal obligations, consent where required for optional communications, and processing under customer instructions where Simulacra acts as processor.
9. Sharing and subprocessors
We use subprocessors and service providers for cloud infrastructure, identity, hosting, business systems, audit, compliance automation, and support operations. We require providers to protect information appropriately for their role and limit their use to providing services to Simulacra. The current public list is available at /subprocessors; customer DPAs may include additional notice and objection terms.
10. International transfers
Simulacra is based in the United States. Where personal data is transferred internationally, we use safeguards required by applicable law, such as Standard Contractual Clauses, data processing agreements, and vendor due diligence. Enterprise configurations may support customer-controlled storage and key paths for the API.
11. Security
Simulacra maintains independently audited and certified controls, including SOC 2 Type II controls for Security, Availability, and Confidentiality and an ISO/IEC 27001:2022 certified Information Security Management System. See Security and API Security for product-specific details.
12. Privacy rights
Depending on your location, you may have rights to access, correct, delete, restrict, or object to certain processing of personal data, and to withdraw consent where processing is based on consent. For customer research data where Simulacra is a processor, requests should generally be directed to the customer that collected the data; we will support the customer as required by the applicable agreement.
To submit a privacy request, email privacy@simulacra-data.com. We may request information to verify your identity and authority.
13. Cookies and analytics
The website may use cookies or similar technologies for core site functionality, security, basic analytics, and form handling. We do not need third-party advertising trackers to provide the service. Where required by law, we provide a cookie consent control.
14. Changes
We may update this policy as products, controls, laws, or subprocessors change. Material updates will be reflected by updating the effective date and, where required, notifying affected enterprise customers.
15. Contact
Simulacra Data, Inc.
200 Water Street, Suite 2314
New York, NY 10038
Privacy: privacy@simulacra-data.com
Security: security@simulacra-data.com
Legal: legal@simulacra-data.com
Support: support@simulacra-data.com