Privacy Policy

Effective: May 10, 2026 · VSS Inc dba Simple4u · New York, NY

Simple4u is an engineering firm. We embed into our clients' businesses as their full-stack technical team under a monthly retainer. This Privacy Policy describes how Simple4u (Very Simple Solutions Inc., "we", "us") handles personal data in two contexts: (1) visitors to simple4uhq.com, and (2) personal data we process on behalf of clients during retainer engagements.

For engagement-specific processing, the binding terms are in your Master Service Agreement (MSA) and our Data Processing Agreement (DPA). This Privacy Policy provides the public-facing summary.

1. Who we are

Simple4u is the trade name of Very Simple Solutions Inc., a Delaware corporation with offices at 1755 Ocean Parkway, Brooklyn, NY 11223. We operate as an engineering firm: software development, AI infrastructure, creative production, SEO, and ongoing technical operations, delivered as one embedded team under a monthly retainer.

The point of contact for privacy questions is nests@simple4uhq.com.

2. Information we collect

Website (simple4uhq.com)

When you visit the website, we collect a minimal set of data needed to operate it:

• Analytics: Google Analytics 4 collects standard metrics (pages viewed, referrer, approximate location at city level, device type) tied to a pseudonymous client identifier. IP addresses are anonymized in transit.
• Google Ads conversion tracking: When you click through from a Google Ads campaign and book a call, a conversion event is recorded.
• Search Console: Aggregate keyword data, no individual identification.
• Discovery calls (Calendly): Name, email address, and any notes you choose to provide when booking a call.
• Email correspondence: If you email us, we retain the message and any contact details you include.

Retainer engagements

If your business engages Simple4u under a Master Service Agreement, we may process personal data within the scope of the engagement. The categories depend on which capabilities are in scope (software development, marketing operations, AI infrastructure, etc.) and are documented in the engagement-specific DPA. Typical categories include:

• Business communications you direct us to ingest (emails, messages, docs in workspaces you grant access to)
• Analytics data from instrumentation we operate on your behalf (GA4, Search Console, Google Ads, Meta Ads)
• Customer or contact data within tools we manage as part of the engagement (CRM, project management, support systems)

We do not process this data for our own purposes. We process it only on documented instructions from the Client, as a Data Processor under GDPR Article 28 / CCPA terms.

3. How we use information

Website data

• Understand how the site is used and which pages convert
• Improve content based on what visitors actually search for and read
• Schedule and prepare for discovery calls you book
• Respond to messages you send us

Engagement data

• Deliver the services scoped in the MSA
• Operate analytics, marketing, and engineering infrastructure on the Client's behalf
• Generate reports and recommendations for the Client

We do not sell personal data. We do not use Client data to train models shared across clients. We do not repurpose engagement data for marketing back to the Client's customers.

4. Data storage and security

Website analytics live with their respective providers (Google Analytics, Google Ads). Discovery call bookings live in Calendly. Email correspondence lives in our corporate Gmail.

For retainer engagements, infrastructure choices are agreed in the MSA. Default posture: Client data stays on infrastructure under the Client's control or under VSS Inc-controlled infrastructure provisioned per engagement (DigitalOcean droplets, Vercel deployments, etc.). Access is restricted to authorized VSS Inc personnel via SSH key and OAuth, with no shared databases between clients.

Security measures include SSH-key-only authentication, credential isolation per engagement, daily backups, and quarterly access review. Specific measures for an engagement are documented in the DPA.

5. Third-party services and sub-processors

The website uses the following third-party services:

• Google LLC: Analytics, Ads, Fonts
• Calendly LLC: Discovery call booking
• Vercel Inc.: Site hosting
• Cloudflare Inc.: DNS

For retainer engagements, sub-processors depend on which services are in scope. Common sub-processors include Anthropic (Claude API), Google (Workspace integrations, Ads), Stripe (payments), and DigitalOcean / Vercel (hosting). The full sub-processor list applicable to your engagement is in your DPA, with at least 30 days' notice before adding a new sub-processor.

6. Data sharing

We do not sell or rent personal data. We disclose data only:

• To sub-processors strictly to deliver the services described above
• To comply with valid legal process (subpoena, court order)
• To protect against fraud or abuse of our infrastructure
• In a corporate transaction (acquisition, asset sale), with notice to affected parties

7. Your rights

Depending on your jurisdiction, you have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to processing or withdraw consent.

For website data, contact nests@simple4uhq.com. For engagement data where Simple4u is a Processor, please direct your request to the Client (Data Controller); we will assist the Client in fulfilling the request, as required by GDPR Article 28.

California residents have the additional rights described under the CCPA / CPRA. We do not sell personal data and do not use it for cross-context behavioral advertising.

8. Cookies

The site uses a small set of cookies:

• Google Analytics (_ga, _gid): Pseudonymous analytics. Expires after 24 months.
• Google Ads (_gcl_au): Conversion attribution from Google Ads. Expires after 90 days.
• Cookie acknowledgement (cookieAck): Remembers that you've seen our cookie notice. Local to your browser.

You can disable cookies in your browser settings or use the Global Privacy Control signal; the site will respect it where technically feasible.

9. Google API Services User Data Policy — Limited Use

When a retainer engagement involves Google Workspace data (Gmail, Drive, Calendar) or Google Ads data, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:

• Google user data accessed during an engagement is used only to provide the services agreed in the MSA
• We do not transfer Google user data to third parties except as necessary to provide those services, comply with legal process, or upon explicit Client instruction
• We do not use Google user data for serving advertisements or for any model training across clients
• We do not allow humans to read Google user data unless required for security, debugging, or support, with Client consent

10. Data Processing Agreement (DPA)

For Clients in regulated jurisdictions (EEA, UK, California, etc.), our DPA is incorporated by reference into the MSA. The DPA covers GDPR Article 28 obligations, sub-processor management, security commitments, breach notification, and Standard Contractual Clauses for international transfers.

11. Children's privacy

The site is intended for businesses, not for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data through the site, contact us and we will delete it.

12. Changes

We may update this Privacy Policy as our practices evolve. The "Effective" date at the top reflects the latest version. Material changes affecting active engagements will be notified to Clients directly per the MSA.

13. Contact

For privacy questions, data requests, or DPA inquiries:

• Email: nests@simple4uhq.com
• Mail: Very Simple Solutions Inc., 1755 Ocean Parkway, Brooklyn, NY 11223, USA