Privacy Policy

Privacy Policy & Written Information Security Program 

Effective Date: April 9, 2026 | Last Reviewed: April 9, 2026 

This Privacy Policy and Written Information Security Program (“Policy”) describes how PlanSimpli, LLC (“PlanSimpli,” “we,” “us,” or “our”), a Texas limited liability company, collects, uses, discloses, and protects personal information. It also describes the information security safeguards PlanSimpli maintains to protect that information. This Policy applies to personal information collected through our website at https://plansimpli.com (the “Site”) and in connection with our professional services (collectively, the “Services”).

PlanSimpli provides financial planning and analysis (“FP&A”) technology implementation, customization, and managed services, primarily around Workday Adaptive Planning (“WDAP”) and Pigment platforms. In connection with certain client engagements, PlanSimpli also resells and deploys AI agent software developed by Plangentic, LLC (“Plangentic”), an affiliated entity.

PART I: PRIVACY POLICY 

1. Information We Collect 

PlanSimpli collects personal information in the following contexts: 

1.1 Information You Provide Directly 

When you contact us, request information about our Services, or engage us for professional services, we may collect: 

  • Full name and job title 
  • Company name and business address 
  • Email address and telephone number 
  • Contact preferences 
  • Information included in correspondence, proposals, or contracts 

We do not collect or process sensitive personal information (such as Social Security numbers, financial account numbers, health information, or government identification numbers) through the Site. To the extent such information is provided in connection with a client engagement, it is governed by the applicable client services agreement. 

1.2 Information Collected Automatically 

When you visit the Site, we and our service providers may automatically collect: 

  • IP address and approximate geographic location 
  • Browser type and version, operating system 
  • Pages visited, time spent, referring URLs 
  • Cookie identifiers and similar tracking data (see Section 4 below) 

1.3 Information Received from Third Parties 

We may receive professional contact information about potential clients or referral contacts from business partners, referral sources, or publicly available sources, solely in connection with our business development activities. 

2. How We Use Your Information 

PlanSimpli uses personal information only for the following purposes: 

  • Service Delivery. To provide, manage, and fulfill the professional services requested by clients and their authorized personnel. 
  • Business Operations. To respond to inquiries, prepare proposals, manage contracts, and communicate about our Services. 
  • Security & Fraud Prevention. To monitor for unauthorized access, detect security incidents, and maintain the integrity of our systems. 
  • Legal Compliance. To comply with applicable law, respond to lawful governmental requests, and enforce our agreements. 
  • Improvement of Services. To analyze usage trends and improve the functionality and content of the Site. 

PlanSimpli does not sell personal information. PlanSimpli does not use personal information for targeted advertising or behavioral profiling. PlanSimpli does not use personal information for automated decision-making that produces legal or similarly significant effects on individuals. 

3. How We Share Your Information 

PlanSimpli does not sell, rent, or trade personal information. We may share personal information in limited circumstances: 

  • Service Providers. PlanSimpli may engage vetted third-party vendors (e.g., cloud infrastructure, communications, and analytics providers) that process personal information on our behalf under written agreements requiring them to protect the information and use it only as directed. 
  • Plangentic, LLC. In connection with AI agent deployments, certain client-related data may be shared with Plangentic as a sub-processor under the terms of our client data processing agreements. 
  • Professional Advisors. Attorneys, accountants, and insurers, to the extent necessary, under appropriate confidentiality obligations. 
  • Legal Requirements. When required by applicable law, court order, or lawful governmental authority, including to meet national security or law enforcement requirements. 
  • Business Transfers. In connection with a merger, acquisition, or sale of all or substantially all of our assets, in which case the successor entity will be required to comply with this Policy. 

4. Cookies and Tracking Technologies 

PlanSimpli’s Site may use cookies and similar tracking technologies for functional and analytical purposes. Strictly necessary cookies are required for the Site to operate. You may configure your browser to reject non-essential cookies; however, some features of the Site may not function correctly if cookies are disabled. We do not use cookies for cross-site behavioral advertising.

5. Data Retention 

PlanSimpli retains personal information for no longer than necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by applicable law. Generally: 

  • Client contact information is retained for the duration of the client relationship and for seven (7) years thereafter, consistent with our standard contractual records obligations. 
  • Website inquiry data is retained for twenty-four (24) months from last contact. 
  • Automatically collected technical data (logs, cookies) is retained for up to twelve (12) months. 

When personal information is no longer required, PlanSimpli will securely delete or de-identify it in accordance with the procedures described in Part II of this Policy. 

6. Data Security 

PlanSimpli maintains administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. A description of these safeguards is set forth in Part II (Written Information Security Program) of this Policy. No method of transmission over the Internet or electronic storage is 100% secure; however, we are committed to using industry-standard measures appropriate to the sensitivity of the information we process. 

For security-related inquiries, contact us at privacy@plansimpli.com.

7. Federal Trade Commission Jurisdiction 

PlanSimpli is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). As required by law, PlanSimpli will respond to any lawful request by public authorities, including to meet national security or law enforcement requirements. 

8. International Data Transfers and EU-U.S. Data Privacy Framework 

PlanSimpli’s operations and servers are located in the United States. If you are located outside the United States, please be aware that personal information you provide may be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. 

8.1 EU-U.S. Data Privacy Framework 

PlanSimpli complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. PlanSimpli has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the DPF program and to view PlanSimpli’s certification, please visit https://www.dataprivacyframework.gov/

8.2 FTC Enforcement (DPF) 

In compliance with the EU-U.S. DPF, PlanSimpli is subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to its DPF obligations. 

8.3 Accountability for Onward Transfers 

PlanSimpli does not currently transfer personal data received under the DPF to third parties acting as agents on its behalf. In the event PlanSimpli does so in the future, it will enter into written contracts requiring the recipient to provide the same level of protection as the DPF Principles. PlanSimpli shall remain liable under the DPF Principles if any such agent processes personal data in a manner inconsistent with the DPF Principles, unless PlanSimpli proves that it is not responsible for the event giving rise to the damage. 

8.4 Binding Arbitration 

Under certain conditions, individuals may invoke binding arbitration for unresolved DPF complaints. For additional information, see Annex I of the DPF Principles at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2

9. Individual Rights 

Depending on your jurisdiction of residence, you may have the following rights with respect to your personal information: 

  • Access. The right to request confirmation of whether we process your personal information and, if so, to receive a copy. 
  • Correction. The right to request correction of inaccurate or incomplete personal information. 
  • Deletion. The right to request deletion of personal information, subject to applicable legal exceptions. 
  • Restriction. The right to request that we restrict the processing of your personal information in certain circumstances. 
  • Portability. The right to receive personal information you have provided to us in a structured, machine-readable format. 
  • Objection. The right to object to processing based on our legitimate interests. 
  • Opt-Out of Marketing. The right to opt out of any marketing communications at any time. 

To exercise any of these rights, contact us at privacy@plansimpli.com. We will respond within the time frame required by applicable law (generally 30 days). We will not discriminate against you for exercising your privacy rights. 

9.1 DPF Complaint Resolution 

EU individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF should first contact PlanSimpli at privacy@plansimpli.com. If you do not receive timely acknowledgment or if your complaint is not resolved to your satisfaction, you may raise it with the International Centre for Dispute Resolution / American Arbitration Association (ICDR/AAA) at https://www.adr.org/

10. Children’s Privacy 

PlanSimpli’s Services are directed to business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 18, we will promptly delete it. 

11. Changes to This Policy 

PlanSimpli may update this Policy periodically. When we make material changes, we will update the effective date at the top of this document and, where required by law, provide notice to affected individuals. Your continued use of the Site or Services following any update constitutes acceptance of the revised Policy. 

12. How to Contact Us 

For questions, concerns, or requests regarding this Policy or your personal information: 

PlanSimpli, LLC 

Attn: Privacy / General Counsel 

PO Box 571728 

Dallas, TX 75357 

privacy@plansimpli.com 

PART II: WRITTEN INFORMATION SECURITY PROGRAM (WISP) 

This Written Information Security Program (“WISP”) establishes the administrative, technical, and physical safeguards that PlanSimpli maintains to protect personal information collected, processed, or stored in connection with its business operations. This WISP is intended to comply with applicable federal and state information security requirements, including but not limited to the FTC Safeguards Rule (16 C.F.R. Part 314) and applicable state data security laws. 

1. Purpose and Scope 

The purpose of this WISP is to: 

  • Ensure the confidentiality, integrity, and availability of personal information in PlanSimpli’s custody or control; 
  • Protect against reasonably anticipated threats or hazards to the security or integrity of personal information; 
  • Protect against unauthorized access, use, or disclosure that could result in substantial harm or inconvenience to individuals; and 
  • Ensure PlanSimpli’s compliance with applicable federal and state data security requirements. 

This WISP applies to all PlanSimpli employees, contractors, officers, and agents (collectively, “Personnel”) who access, process, or handle personal information. Contractors must comply with applicable provisions of this WISP under their service agreements. 

2. Data Security Coordinator 

PlanSimpli designates a Data Security Coordinator (“DSC”) responsible for: 

  • Implementing, supervising, and maintaining this WISP; 
  • Conducting or overseeing risk assessments; 
  • Overseeing employee security training; 
  • Managing the incident response process; and 
  • Reviewing and updating this WISP at least annually. 

The current Data Security Coordinator is Shawn Mathew. The General Counsel of PlanSimpli shall be notified of any material security incidents and any proposed amendments to this WISP. 

3. Risk Assessment 

PlanSimpli conducts periodic risk assessments to identify and evaluate reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information. Risk assessments address: 

  • The nature and sensitivity of the personal information PlanSimpli collects and maintains; 
  • Potential internal risks (unauthorized employee access, inadvertent disclosure, improper disposal); 
  • Potential external risks (cyberattacks, phishing, ransomware, third-party breaches); and 
  • The adequacy of existing safeguards. 

The DSC documents each risk assessment and reports findings to senior management. Identified risks are addressed through the safeguards described below. This WISP is reviewed and updated following each risk assessment and at least annually. 

4. Administrative Safeguards 

4.1 Access Controls 

Access to personal information is limited to Personnel with a legitimate business need. The DSC maintains a record of authorized users and their access levels. Access privileges are reviewed at least annually and are promptly revoked upon termination or change in role. All Personnel are assigned unique user credentials; shared login credentials are prohibited. 

4.2 Employee Training 

All Personnel who handle personal information receive security awareness training upon onboarding and at least annually thereafter. Training covers phishing, social engineering, password hygiene, acceptable use, and incident reporting obligations. 

4.3 Vendor Management 

PlanSimpli requires third-party service providers that access, process, or store personal information on its behalf to provide appropriate contractual assurances of data protection, including written data processing agreements with security obligations no less protective than this WISP. The DSC maintains a list of approved sub-processors. New vendor relationships involving personal information require DSC review and approval. 

4.4 Acceptable Use 

Personnel may use PlanSimpli systems and personal information only for legitimate business purposes. Personal information shall not be transmitted to personal email accounts, personal devices, or any medium not approved by the DSC. Personnel must report suspected unauthorized access or disclosure immediately to the DSC. 

4.5 Physical Security 

Physical access to facilities where personal information is stored or processed is limited to authorized Personnel. Visitor access is logged. Paper records containing personal information are stored in locked cabinets when not in use and destroyed by cross-cut shredding or equivalent means when no longer needed. 

4.6 Termination Procedures 

Upon termination of employment or contract, PlanSimpli shall: (a) immediately revoke system access credentials; (b) retrieve company-issued devices and storage media; (c) require the return or certified destruction of any personal information in the former employee’s or contractor’s possession; and (d) change access credentials for shared systems if any were used. 

5. Technical Safeguards 

5.1 Encryption 

Personal information transmitted over public networks must be encrypted using TLS 1.2 or higher (SFTP, HTTPS). Personal information stored on laptops, portable devices, and removable media must be encrypted using AES-128 or stronger encryption. Unencrypted personal information shall not be stored on portable devices or transmitted over unencrypted channels, except where technically infeasible and documented by the DSC. 

5.2 Authentication 

Access to PlanSimpli systems containing personal information requires strong authentication. Passwords must meet accepted complexity standards and must be changed at least annually and immediately following any suspected compromise. Multi-factor authentication (MFA) is required for remote access and for any system containing material volumes of personal information. 

5.3 Network Security 

PlanSimpli maintains firewall protection on all systems processing personal information. Operating systems and software are maintained on supported releases with security patches applied promptly. Antivirus and anti-malware software is installed and updated at least every three (3) days. Unauthorized software installations are prohibited. 

5.4 Audit Logging and Monitoring 

PlanSimpli maintains audit logs for access to systems containing personal information. Logs are reviewed periodically by the DSC. Anomalous access patterns are investigated promptly. The DSC tests key security controls at least annually. 

5.5 Secure Disposal 

Electronic media and devices containing personal information are physically destroyed or fully overwritten (minimum three passes) prior to disposal or reuse. Paper records are cross-cut shredded. The DSC maintains a log of disposal events. 

6. Incident Response 

Any Personnel who becomes aware of a known or suspected security breach or unauthorized access to personal information must immediately notify the DSC. The DSC will: 

  • Investigate the nature, scope, and cause of the incident; 
  • Take immediate steps to contain and remediate the breach; 
  • Notify PlanSimpli’s General Counsel within 24 hours of a confirmed breach involving personal information; 
  • If applicable, notify affected clients, individuals, and regulatory authorities in accordance with applicable breach notification laws; and 
  • Document the incident, response actions, and any remediation measures in a written incident report retained for at least five (5) years. 

If the incident involves potential exposure of client or partner data, the DSC will immediately notify the relevant client or partner security contact and coordinate the response accordingly. 

7. Data Lifecycle and Records Management 

PlanSimpli collects only the personal information necessary to fulfill its business purposes. The DSC conducts periodic audits of records containing personal information to ensure they are stored in approved, secured locations. Personal information that is no longer needed for business purposes or required by law to be retained is securely destroyed in accordance with Section 5.5 above. The DSC maintains a records inventory identifying categories of personal information, storage locations, and retention schedules. 

8. Annual Review and Program Updates 

The DSC reviews this WISP at least annually and whenever PlanSimpli’s business practices change in a manner that materially affects the collection, storage, or transmission of personal information. Review findings are reported to PlanSimpli’s senior management. This WISP is updated promptly to address identified deficiencies or changes in applicable law. All Personnel are notified of material changes to this WISP. 

HOW TO CONTACT US

In compliance with the EU-U.S. DPF, PlanSimpli commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF should first contact PlanSimpli at: joseph@PlanSimpli.com.