Simulacrum

Privacy policy

Effective April 1, 2026. This policy describes how we process personal data when you use Simulacrum at simulacrum.dev and related services.

Version date: 2026-04-01. For prior versions, contact us using the channels described under Contact below.

1. Scope and who this applies to

This Privacy Policy applies to visitors of our marketing website, users of our documentation and onboarding flows, purchasers and licensees of the Simulacrum command-line interface and related digital products, and anyone who interacts with our license validation or scaffolding APIs when those endpoints are operated by us.

If you access Simulacrum through an employer or client, your organization may have its own policies that also apply.

2. Data controller and roles

For personal data collected through this website and our infrastructure (excluding payment card data handled solely by our payment processor), the data controller is the operator of the Simulacrum product and simulacrum.dev. For purchases processed by Lemon Squeezy (or another designated merchant of record), that party acts as the seller and may independently process personal data as described in its privacy policy and your checkout experience.

Where we process personal data on behalf of another party under a written agreement, we act as a processor and follow the instructions in that agreement.

3. Categories of personal data we collect

Depending on how you interact with us, we may collect:

  • Identity and contact data: name, email address, and similar identifiers you provide or that appear on purchase receipts.
  • Transaction and licensing data: license keys, product variant or tier, purchase timestamps, activation and deactivation events, machine or instance identifiers submitted for license enforcement, approximate request metadata (such as timestamps and error codes), and support correspondence tied to a license or email.
  • Technical and usage data: IP address, browser type and version, device type, operating system, referring URLs, pages viewed, and diagnostic data from our web stack (for example load balancers or application logs) when you use the site or APIs.
  • Communications: messages you send to us, including email content and metadata necessary to respond.

We do not intentionally collect special categories of data (such as health information) or use them for profiling. Please do not send us such information unless we explicitly request it for a documented purpose.

4. Sources of personal data

We obtain personal data from:

  • you, when you browse, purchase, activate a license, or contact us;
  • our payment and licensing partners (for example order confirmations and license status webhooks or API responses necessary to deliver the product);
  • automated technologies on our site and infrastructure (see Cookies and similar technologies).

5. Purposes and legal bases (EEA, UK, and Switzerland)

Where the GDPR or similar laws apply, we rely on one or more of the following legal bases:

  • Contract: to perform a contract with you (for example to deliver a license, validate activations, and provide support you request).
  • Legitimate interests: to secure our services, prevent fraud and abuse, improve reliability and performance, understand aggregate product usage, communicate about the product, and enforce our terms, balanced against your rights.
  • Legal obligation: to comply with applicable law, tax, accounting, or regulatory requests.
  • Consent: where required for non-essential cookies or similar technologies, or for specific marketing communications when we offer an opt-in.

6. How we use personal data

We use personal data to:

  • provide, operate, and improve Simulacrum and this website;
  • process purchases, issue and validate licenses, enforce seat and activation limits, and detect misuse or credential sharing;
  • respond to inquiries, provide technical support, and send transactional messages (such as receipts or security notices);
  • monitor and protect the security and integrity of our systems, including rate limiting, abuse detection, and incident response;
  • comply with law, enforce our agreements, and defend legal claims;
  • analyze aggregated or de-identified usage to improve documentation and product experience.

7. Cookies and similar technologies

We and our service providers may use cookies, local storage, pixels, and similar technologies that store or access information on your device. These may include:

  • Strictly necessary: required for core site functions, security, load balancing, or session continuity.
  • Analytics: to measure traffic and performance. We aim to configure analytics in a privacy-conscious way and to avoid invasive advertising networks where practicable.
  • Functional: to remember preferences you set on the site.

Where required by law, we will obtain your consent before using non-essential cookies. You can control cookies through your browser settings; disabling some cookies may limit certain features.

8. Disclosure, subprocessors, and recipients

We do not sell your personal data as that term is defined under the CCPA/CPRA. We may share personal data with:

  • Payment and commerce providers: for example Lemon Squeezy (merchant of record, checkout, tax, invoicing, and fraud screening as applicable).
  • Hosting and infrastructure: cloud and edge providers that host our website, APIs, logs, and backups.
  • Analytics and observability: vendors that help us measure site performance or diagnose errors, subject to our instructions and agreements.
  • Professional advisers: lawyers, accountants, or auditors where necessary and subject to confidentiality obligations.
  • Authorities and parties to legal process: when we believe disclosure is required by law, regulation, legal process, or governmental request, or to protect rights, safety, and security.
  • Business transfers: in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards and notice where required.

We require subprocessors to protect personal data in line with this policy and applicable law, including through contracts where required.

9. International transfers

We may process and store personal data in the United States and other countries where we or our subprocessors operate. If we transfer personal data from the EEA, UK, or Switzerland to countries not recognized as providing adequate protection, we will implement appropriate safeguards such as Standard Contractual Clauses or other mechanisms approved under applicable law, unless an exception applies.

10. Retention

We retain personal data only as long as necessary for the purposes described in this policy, unless a longer period is required or permitted by law. Factors include:

  • the duration of your license relationship and any statutory limitation periods;
  • the need to resolve disputes, enforce agreements, and maintain security logs;
  • legal, tax, and accounting obligations related to transactions.

When retention ends, we delete or de-identify personal data where feasible, or isolate it with restricted access where deletion is not technically possible without disproportionate effort.

11. Security

We implement administrative, technical, and organizational measures designed to protect personal data against unauthorized access, loss, or alteration. No method of transmission or storage is completely secure; we encourage you to use strong credentials, protect license keys, and report suspected compromise promptly.

12. Your privacy rights

Depending on your location, you may have rights to access, correct, delete, or port your personal data; to restrict or object to certain processing; to withdraw consent where processing is consent-based; and to lodge a complaint with a supervisory authority. Residents of certain U.S. states may have additional rights under local privacy laws (for example to know, delete, or opt out of certain processing).

To exercise rights, contact us using the information in the Contact section. We may need to verify your identity before responding. You may designate an authorized agent where permitted by law, subject to verification requirements.

We will not discriminate against you for exercising privacy rights where such discrimination is prohibited by law.

13. California notice

If you are a California resident, the CCPA/CPRA may grant you specific rights regarding personal information. We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CPRA. We may use personal information for the business purposes described above. You may have the right to request access to categories and specific pieces of personal information we hold, to request deletion subject to exceptions, and to correct inaccurate information. Instructions for submitting requests appear under Contact.

14. Automated decision-making

We do not use automated processing to make decisions with legal or similarly significant effects solely based on profiling. License validation may automatically allow or deny technical operations based on license status; this is a technical enforcement step tied to your purchase terms, not profiling in the GDPR sense.

15. Children

Simulacrum is not directed to children under 16 (or the minimum age required in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us and we will take appropriate steps to delete it.

16. Third-party sites and generated software

Our website may link to third-party sites, packages, or services we do not control. Software you generate with Simulacrum may include third-party dependencies with their own privacy practices. This policy does not govern those third parties.

17. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the effective date. If changes are material and we are required to notify you under applicable law, we will provide notice in an appropriate manner (for example by email or a prominent notice on the site). Continued use after the effective date constitutes acceptance of the updated policy where permitted by law.

18. Contact

For privacy-related requests or questions, contact us using the support or contact details shown on your purchase receipt from our merchant of record, or through any official support channel we publish for Simulacrum. Please include enough detail for us to verify and respond to your request.

European Union consumers may use the European Commission online dispute resolution platform at https://ec.europa.eu/consumers/odr/. Participation in alternative dispute resolution is voluntary unless otherwise required by law.