Privacy Policy
Last updated: April 2026
Overview
Simply Experiment LLC, an Indiana limited liability company ("Simply Experiment", "we", "us", or "our"), operates the website at simplyexperiment.com (the "Service") and the Simply Experiment Chrome Extension (the "Extension"). This privacy policy describes how we collect, use, store, and protect your information when you use our Service and Extension.
We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).
Information We Collect
Account Information
When you create an account, we collect your email address and name. This information is necessary to provide the Service and manage your lab membership.
Purchase Request Data
When you use the Service, we store data you provide including purchase requests, item details, vendor information, funding allocations, and inventory records. This data is necessary for the core functionality of the Service.
Chrome Extension Data
The Extension only collects data when you explicitly click to extract product information from a vendor website. We collect product name, catalog number, price, page URL, and vendor name. We do not collect browsing history, personal information from web pages, form inputs, passwords, or any background data.
Billing and Payment Information
When you start a paid subscription, we collect limited billing information needed to provide the subscription: the PI email associated with the lab, the billing country (if provided), the subscription plan, and identifiers returned by our payment processor (such as a Stripe customer ID, subscription ID, invoice references, payment date, and payment amount). We also record whether your most recent invoice has been paid so we can correctly grant or suspend access.
Payment card numbers, bank account numbers, and similar financial credentials are collected and stored directly by Stripe, our PCI-DSS compliant payment processor. We do not receive or store these details on our servers. Stripe processes this information under its own security controls and privacy policy.
Usage Analytics
With your consent, we collect anonymous usage analytics via Vercel Analytics to understand how the Service is used and improve it. This data does not identify individual users. You can opt out at any time via the cookie preferences on this site.
Cookies and Local Storage
We use a minimal set of storage technologies. Below is a complete list:
| Technology | Category | Purpose | Duration |
|---|---|---|---|
| Supabase Auth (localStorage) | Necessary | Stores your authentication session (JWT token) so you stay logged in. | Session / until sign-out |
| Cookie consent preferences (localStorage) | Necessary | Remembers your cookie consent choice so we don't ask again. | Persistent |
| Vercel Analytics | Analytics (optional) | Anonymous page view and usage statistics to improve the Service. | Session |
Necessary storage is required for the Service to function and cannot be disabled. Analytics is only enabled if you consent via the cookie banner. You can change your preferences at any time by clearing your browser's local storage for this site, which will re-display the consent banner on your next visit.
How We Use Information
We use the information described above to:
- Provide, maintain, and improve the Service and the Extension;
- Authenticate you and manage your account and lab membership;
- Process subscriptions, trials, invoices, renewals, and refunds;
- Send operational and transactional emails (such as verification, invoices, and notifications you request);
- Detect, prevent, and respond to abuse, fraud, and security incidents;
- Comply with legal, tax, accounting, and regulatory obligations;
- Understand aggregate usage to prioritize improvements (only when analytics consent is granted);
- Build and improve product features such as search, vendor and product suggestions, and pricing or purchasing insights, and analyze purchasing trends, benchmarks, and statistics — typically using data in aggregated or de-identified form that does not identify you or your lab.
As described in our Terms of Service, Simply Experiment LLC owns the content and data you submit to the Platform and may use it for the purposes above and for other lawful purposes. Where that data includes personal data about you, this Privacy Policy continues to govern how we protect and share it, and you may still exercise the rights described below.
Information We Share and How
We do not sell your personal information. We only disclose your information in the limited circumstances described below, always over encrypted HTTPS connections and using authenticated API calls or standard email transport protocols:
| Recipient | Data Disclosed | Purpose | Method |
|---|---|---|---|
| Supabase (database & auth hosting) | Account, profile, and Service data | Secure storage and authentication | Encrypted HTTPS API (TLS 1.2+) |
| Stripe, Inc. (payments) | Billing email, lab identifier, subscription plan, and payment details you enter on Stripe's hosted checkout or invoice pages | Process subscriptions, invoices, renewals, and refunds; fraud prevention | Encrypted HTTPS API (TLS 1.2+); signed webhooks |
| Vercel (application & analytics hosting) | Request logs and, with consent, anonymous analytics events | Serve the Service and understand aggregate usage | Encrypted HTTPS |
| Resend (transactional email) | Recipient email address and message content | Deliver account, verification, and notification emails | Authenticated HTTPS API; SMTP over TLS |
| Your lab members | Purchase request and inventory data you create | Collaboration within your own lab | Inside the Service under row-level security |
| Legal authorities | Only the specific data required | Respond to lawful legal process or protect rights, safety, and security | As directed by valid legal process |
| Successor entity (business transfer) | Relevant account data | Merger, acquisition, or sale of assets, under confidentiality | Due diligence / asset transfer |
Payment-related data shared with Stripe is governed by Stripe's own privacy policy, available at stripe.com/privacy.
Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
- Contract performance: Processing your account, purchase request, and billing data is necessary to provide the Service and subscription you signed up for.
- Legal obligation: Retaining invoices and tax records for the period required by applicable law.
- Consent: Analytics data is only collected with your explicit consent, which you can withdraw at any time.
- Legitimate interest: Securing the Service, preventing fraudulent payments and abuse, and communicating with you about the Service you use.
Your Privacy Rights
GDPR Rights (EU/EEA Users)
If you are located in the EU or EEA, you have the right to:
- Access your personal data
- Rectify inaccurate personal data
- Erase your personal data ("right to be forgotten")
- Restrict processing of your personal data
- Receive your data in a structured format (data portability)
- Object to processing based on legitimate interests
- Withdraw consent at any time where processing is based on consent
CCPA/CPRA Rights (California Residents)
If you are a California resident, you have the right to:
- Know what personal information is collected and how it is used
- Delete your personal information
- Opt out of the sale or sharing of personal information
- Not be discriminated against for exercising your privacy rights
We do not sell or share your personal information as defined under the CCPA/CPRA.
Data Storage and Security Practices
We implement industry-standard administrative, technical, and physical safeguards to protect your information against loss, misuse, and unauthorized access, including:
- Encryption in transit: All traffic between your browser, the Extension, the Service, Supabase, Stripe, and other sub-processors uses HTTPS/TLS 1.2+.
- Encryption at rest: Data stored in our Supabase-hosted PostgreSQL database is encrypted at rest by the hosting provider.
- Row-level security: Database-level policies restrict every query so lab data is only visible to authenticated members of that lab.
- Authentication: Accounts are protected by hashed passwords and short-lived JWT session tokens issued by Supabase Auth.
- Payment isolation: Card and bank details are entered directly into Stripe's PCI-DSS compliant environment; we never see or store them.
- Rate limiting and abuse controls: API endpoints are protected by per-IP rate limits and security headers to mitigate automated attacks.
- Least-privilege access: Only a small number of authorized personnel can access production systems, and access is logged.
- Monitoring: We monitor for suspicious activity, and we will notify affected users without undue delay of any confirmed data breach affecting their personal data, as required by applicable law.
The Chrome Extension stores authentication tokens and cached data locally using Chrome's secure storage API. This data is cleared when you sign out or remove the Extension.
No method of transmission or storage is 100% secure; while we work hard to protect your data, we cannot guarantee absolute security.
Third-Party Sub-processors
We rely on the following sub-processors to operate the Service. Each is bound by its own terms and privacy commitments, and data is only shared with them to the extent needed to deliver their service:
- Supabase — Authentication and PostgreSQL database hosting (United States).
- Vercel — Application hosting and, with your consent, anonymous analytics (United States).
- Stripe, Inc. — Payment processing, subscription management, invoicing, and fraud prevention (United States). See Stripe's privacy policy at stripe.com/privacy.
- Resend — Transactional email delivery for notifications, verification, and invoice emails (United States).
We do not sell, rent, or trade your information, and we do not transfer your data to any third parties beyond the sub-processors above and the limited categories listed in "Information We Share and How".
Data Retention and Deletion
We retain your account data and purchase request history for as long as your lab has an active account, and afterwards as described in our Terms of Service. Simply Experiment LLC may also continue to retain and use aggregated, de-identified, or derived information that no longer identifies you or your lab, even after your account is closed.
While your subscription is active, you may request deletion of identifying Customer Data associated with your account by using the deletion tools in the Service or by contacting us. We honor reasonable deletion requests within a commercially reasonable time, subject to retention for security, fraud-prevention, legal, tax, accounting, backup, and audit purposes, and for data that has already been aggregated or de-identified.
Billing records, invoices, and related financial data are retained by us and by Stripe for the period required by applicable tax, accounting, and anti-fraud laws (generally up to seven years after the transaction), even after your account is closed. Backups may persist for a limited period before being overwritten in the ordinary course of operations.
Chrome Extension Permissions
The Extension requests the following browser permissions:
- storage: To save your authentication and preferences locally
- activeTab: To read the current page when you click extract
- scripting: To parse product information from vendor pages
- sidePanel: To provide the TDX integration interface
- Host permissions (all URLs): Because laboratory researchers purchase from hundreds of different vendor websites, the Extension needs access to extract product data from any site. This access is only used when you explicitly click to extract.
Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will delete it.
Changes to This Policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. If we make material changes, we will notify users through the Service.
Contact
If you have questions about this privacy policy or wish to exercise your privacy rights, please contact us through the Simply Experiment web application.