Privacy Policy
Last updated: June 5, 2026
1. Who We Are
Practical Simulation Solutions LLC ("PracSim," "we," "us," or "our") is a simulation consulting business based in Utah, USA. We provide simulation modeling and consulting services, and we may from time to time make tools available to our customers. This policy explains how we collect, use, share, and protect personal data when you visit our website, contact us, or use our products and services.
For privacy questions or to exercise your rights, contact us at .
2. Quick Summary
This is a high-level overview. The full policy below is the binding text.
- What we collect: contact information you provide (name, email, optional company/phone/message), account details if you sign up, transaction records when you purchase, license + machine identifiers when you activate a module, and basic technical data (IP address, browser type) handled by our infrastructure providers.
- What we don't collect: we do not use Google Analytics, Meta Pixel, advertising trackers, profiling cookies, or any third-party marketing analytics. We do not sell, rent, or trade your personal data, ever.
- How we use it: to respond to your inquiries, fulfill purchases, license you to use our products, send transactional and operational emails, and meet legal/tax obligations.
- Who we share with: a small set of named subprocessors that power core functions of our platform (hosting, database, payments, email, licensing). Listed in Section 5.
- Your rights: you can ask us to access, correct, export, or delete your data. Specific rights vary by jurisdiction. Section 9 covers them in detail.
3. Data We Collect
3.1 Information You Provide Directly
When you submit our contact form, we collect:
- Name (required)
- Email address (required)
- Company name (optional)
- Phone number (optional)
- Service or product interest categories you select (optional)
- Free-form message describing your needs (optional)
When you create an account on the PracSim platform, we collect:
- Email address and password (the password is stored only as a salted bcrypt hash; we cannot recover or read it)
- Display name (optional, can be set in your account preferences)
- Multi-factor authentication (MFA) configuration if you enable it. MFA factor data (TOTP seeds and recovery codes) is stored by Supabase Auth and is encrypted at rest by that provider; PracSim's own application database records only whether MFA is enabled for the account.
When you make a purchase, we collect transaction records as detailed in Section 3.4.
When you activate a licensed PracSim product on a machine, we collect license-related data as detailed in Section 3.5.
When you use a PracSim hosted application, the content you create within it is stored in our managed database. All transit is over TLS; storage encryption is provided by our database provider (Supabase). For questions about how a specific hosted application handles your content, contact .
When you (or PracSim on your behalf) upload documents to your account, including receipts, signed agreements (such as MSAs or SOWs), deliverables, project files, and other files you attach to an engagement, those files are stored in Cloudflare R2 object storage. The files remain owned by you and are returned or deleted on request, subject to the legal-retention obligations described in Section 7.
3.2 Information Collected Automatically
- Server logs and request metadata. Our hosting provider (Cloudflare) and database provider (Supabase) log standard request information including IP addresses, user-agent strings, request paths, response codes, and timestamps. This data is used for security, fraud prevention, debugging, and operational analytics. Cloudflare and Supabase retain this data per their respective privacy policies (linked in Section 5).
- Aggregate site traffic counts. Cloudflare provides aggregate analytics (e.g., total page views per day, top URLs) without setting cookies or identifying individual visitors. We use these counts to understand site usage at a high level. No third-party analytics tools (Google Analytics, Meta Pixel, etc.) are used.
- Anti-bot verification. When you submit our contact form or sign up for an account, Cloudflare Turnstile evaluates anti-bot signals (such as IP address and browser characteristics) to verify you are a real person. Turnstile does not set tracking cookies on your device and is processed by Cloudflare on our behalf as part of the infrastructure listed in Section 5. PracSim and Supabase Auth (for signup) receive only a pass/fail verdict.
- Demo viewer session logs. When you launch an interactive FlexSim demo at /demos, our demo-server records a single log line per session containing: a daily-rotated hash of your IP address, the model name, start and end timestamps, total duration, and the reason the session ended (you closed the tab, the timeout expired, etc.). Raw IP addresses are not retained. Logs are kept for 30 days and used solely for capacity planning and abuse prevention.
- Authentication session cookies. When you sign in to your account, we set an HTTP-only session cookie containing your authentication token. This cookie is essential for the login functionality and is not used for tracking or marketing.
- Local-device preferences. Your theme (light/dark) and text-size preferences are stored in your browser's localStorage on your device only. They are not transmitted to our servers and we cannot read them.
3.3 Information from Third Parties
If a colleague invites you to join a PracSim Team, we receive your email address from them in order to deliver the invitation. If you accept, your account is created using that email address (if you don't already have one); if you decline, the email is retained briefly with the invitation record then deleted on expiry.
3.4 Purchase and Payment Information
When you purchase a digital product (a product license, etc.), we collect transaction records:
- The product purchased, quantity, and price
- Date and time of purchase
- Stripe Checkout session identifier
- Email address associated with the purchase
- The account the purchase is attributed to (purchaser and owner; these may differ when a purchase is assigned to a colleague at checkout)
- Tax-relevant metadata (billing country and applicable taxes, derived by Stripe from the information you entered at checkout and passed back to PracSim for invoicing and tax-reporting purposes)
Payment card details (card numbers, CVV codes, billing addresses) are handled entirely by Stripe and never reach PracSim's systems. Stripe acts as an independent data controller for the payment instrument; their privacy policy governs that data (linked in Section 5).
3.5 Licensing and Product Activation Data
When you purchase a license and activate it on a machine using our licensing runtime (bundled into every paid product installer), we and our licensing provider (Keygen) collect:
- License key
- Email address associated with the license
- Machine fingerprint (a hashed identifier derived from your computer's hardware; used only to bind the license to that specific machine)
- Machine name (as reported by your operating system)
- Activation, deactivation, and check-in timestamps
- Entitlement information (which products you are licensed to use)
The machine fingerprint is used solely to bind a license to a specific computer. We do not use it to identify you as a person, build a profile about you, or track your activity across services.
3.6 Communications With Us
If you email us, we retain the email and our reply for ordinary business correspondence purposes. If you submit a support ticket or feature request through our platform, we retain it for product-improvement and customer-support purposes.
3.7 What We Do Not Collect
- We do not use Google Analytics, Meta Pixel, advertising trackers, marketing cookies, or any cross-site tracking.
- We do not collect or store payment card numbers, bank account numbers, or financial credentials.
- We do not collect biometric data, government identifiers, social security numbers, or sensitive demographic information.
- We do not knowingly collect data from anyone under 16. See Section 11.
- We do not buy, rent, or otherwise acquire personal data from data brokers.
4. How We Use Your Data and Legal Bases
We use your personal data only for the purposes listed below. Where the GDPR or another similar law applies, the table identifies the legal basis we rely on.
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Respond to your business inquiry | Contact form data, email correspondence | Legitimate interest — Art. 6(1)(f) |
| Send you a confirmation that we received your inquiry | Email address, name | Legitimate interest — Art. 6(1)(f) |
| Spam, fraud, and abuse prevention | Turnstile signals, IP address, request metadata | Legitimate interest — Art. 6(1)(f) |
| Create and authenticate your user account | Email, password hash, MFA configuration | Contract performance — Art. 6(1)(b) |
| Fulfill product purchases and provide licensed access | Transaction records, license keys, machine fingerprints, entitlements | Contract performance — Art. 6(1)(b) |
| Send transactional emails (purchase confirmation, license issued, expiry reminders) | Email address, transaction context, product details | Contract performance — Art. 6(1)(b) |
| Maintain accounting records, file taxes, comply with regulators | Transaction records, business communications | Legal obligation — Art. 6(1)(c) |
| Operate, secure, and improve the platform | Server logs, request metadata, aggregate usage counts | Legitimate interest — Art. 6(1)(f) |
| Defend legal claims, respond to lawful requests | Whatever data is responsive to the claim or request | Legal obligation / legitimate interest — Art. 6(1)(c)/(f) |
We do not engage in automated decision-making with legal or similarly significant effects. We do not use your data for advertising, profiling, or behavioral targeting.
5. Who We Share Your Data With
We share your personal data only with the service providers listed below, who act as data processors (or independent controllers, where noted) on our behalf. We do not sell, rent, or trade your personal information to any third party.
| Subprocessor | Purpose | Data shared | Region(s) | Privacy policy |
|---|---|---|---|---|
| Cloudflare, Inc. | Web hosting, CDN, DNS, DDoS protection, aggregate site analytics, anti-bot verification (Turnstile) on the contact form and signup page, object storage (R2) for module installers, receipts, signed contracts, deliverables, and customer-uploaded documents | Request metadata, IP addresses, Turnstile signals (no tracking cookies), uploaded files | USA + global edge | Link |
| Supabase Inc. | Database, authentication, file storage | Account information, application data, server logs | USA | Link |
| Stripe, Inc. | Payment processing | Email, name, billing address, payment card details (Stripe handles directly), transaction metadata | USA | Link |
| Resend, Inc. | Transactional email delivery | Email address, recipient name, message content of transactional emails | USA | Link |
| Keygen Technology, Inc. | License management | License keys, machine fingerprints, machine names, activation records, entitlements, license-holder email | USA | Link |
We may also disclose your data: (a) to professional advisors (lawyers, accountants, auditors) bound by confidentiality obligations; (b) to comply with a lawful subpoena, court order, or other legal process; (c) to protect the rights, property, or safety of PracSim, our users, or the public; or (d) in connection with a merger, acquisition, or sale of all or part of our business, in which case we will notify affected users by email before the transfer.
6. International Data Transfers
PracSim operates from the United States. If you are located outside the US, your personal data will be transferred to and processed in the US. We rely on legally recognized transfer mechanisms appropriate to each subprocessor and your jurisdiction, which may include:
- EU/EEA, UK, Switzerland. Each subprocessor relies on one or more of the following, depending on its own certifications and contracts at the time of transfer: the EU-U.S. Data Privacy Framework (or the UK/Swiss extensions), Standard Contractual Clauses (SCCs) approved by the European Commission, or, where applicable, your explicit consent or contractual necessity. Specific subprocessor mechanisms are described in each provider's own privacy notice, linked in Section 5, and can change over time.
- Other jurisdictions with cross-border transfer rules. We rely on transfer mechanisms permitted by the applicable jurisdiction (for example, your explicit consent obtained when you submitted data, contractual necessity, or applicable adequacy decisions).
Where Standard Contractual Clauses (SCCs) apply, they are incorporated through each subprocessor's published Data Processing Addendum (linked in Section 5). If you would like a summary or copies, contact us at . For PracSim's customer-facing data processing terms, see Section 14.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.
- Contact form submissions. Retained for as long as the inquiry remains relevant for business follow-up. You may request deletion at any time. Inquiries we have closed without further action are retained for up to 24 months for record-keeping then deleted.
- Account data (email, password hash, profile). Retained for as long as your account is active. If you delete your account, the data is scheduled for deletion after a 30-day grace period during which you can restore the account; after the grace period, data is purged from active systems within 7 days. Backups follow our hosting and database providers' standard retention windows, which are typically 30 to 90 days, and data may persist in those backups during that window after deletion.
- Transaction records. Retained for a minimum of seven (7) years to comply with US tax and accounting law (IRS recordkeeping requirements). Transaction records contain your email and the product purchased but no payment card details.
- License and activation records. Retained for the duration of the license plus three (3) years for support and warranty purposes. Machine fingerprints can be unbound from a license at any time via the dashboard.
- Server logs and request metadata. Retained per the relevant subprocessor's retention policy. Cloudflare typically retains logs for up to 30 days; Supabase auth logs are retained for security analysis purposes per their policy.
- Email correspondence. Retained for as long as the business relationship is active and for a reasonable period afterward (typically 24 months) for ordinary business record-keeping.
- Marketing emails. We do not currently send marketing emails. Transactional and operational emails (purchase confirmations, license-issued notifications, expiry reminders, security alerts, and other account-related messages) are not marketing; we send them as long as you hold an account or active license, and they are excluded from any future unsubscribe mechanism for marketing. If we begin sending marketing emails in the future, we will obtain consent and provide an unsubscribe link in every such message.
8. Cookies and Similar Technologies
We use the minimum cookies and local storage necessary to operate the website:
- Session cookies (essential). Set when you log in to your account. HTTP-only, Secure, SameSite=Lax. Required for authentication. Deleted when you log out or when the cookie expires.
- Preference storage (essential). Theme and text-size preferences are stored in your browser's localStorage on your device. Not transmitted to our servers.
- Cloudflare bot-management cookies (essential, anti-abuse). Cloudflare may set cookies (e.g., __cf_bm) for bot detection. These do not track users across sites. The contact form and signup page also use Cloudflare Turnstile for anti-bot verification; Turnstile does not set tracking cookies on your device.
We do not use any other cookies. We do not use Google Analytics, Meta Pixel, or other marketing or advertising trackers. Our cookie footprint is intentionally minimal and limited to authentication and anti-abuse purposes. We do not currently display a cookie consent banner; if you are located in a jurisdiction (for example, parts of the EU/EEA under the ePrivacy Directive) where you believe consent is required for any cookie we use, contact us at and we will work with you to honor your preference.
9. Security
We protect your data through layered technical and organizational safeguards:
- HTTPS/TLS 1.2+ encryption for all data transmitted to and from our website and APIs
- Passwords stored only as salted bcrypt hashes; we cannot recover or read your password
- Authentication via industry-standard JWT with short-lived access tokens and rotating refresh tokens
- Optional multi-factor authentication (TOTP) for accounts that enable it
- Database row-level security (RLS) policies that enforce per-row access controls on application data, scoping queries to the data each role is authorized to see
- Service-role database access used only by audited admin endpoints; never exposed to browsers
- Honeypot field, Cloudflare Turnstile anti-bot verification, and rate limiting on public submission endpoints to prevent automated abuse
- Encrypted secrets storage at our hosting provider (Cloudflare Secrets); secrets are never committed to source control
- Regular dependency updates and vulnerability monitoring
No system is impenetrable. If we become aware of a security incident affecting your personal data, we will notify the appropriate authorities and, where required by law, affected individuals, on the timelines required by applicable law. Under GDPR, for example, qualifying breaches are reported to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of our becoming aware; direct notification to affected individuals is required when the breach is likely to result in a high risk to their rights and freedoms. Comparable rules apply in other jurisdictions.
10. Your Rights
Subject to applicable law, you have rights regarding your personal data. To exercise any of these rights, email us at . We respond to verified requests within the timeframe required by your jurisdiction (typically 30–45 days). We may need to verify your identity before fulfilling certain requests.
10.1 Universal Rights
Regardless of jurisdiction, you may:
- Access a copy of the personal data we hold about you
- Correct inaccurate or incomplete personal data
- Delete your account and associated personal data (subject to legal retention requirements for transaction records)
- Object to processing where we rely on legitimate interests
- Withdraw consent for any processing based on consent (note that withdrawal does not affect the lawfulness of processing before withdrawal)
- Lodge a complaint with the data protection authority in your jurisdiction
10.2 No Sale of Personal Data; No "Sharing" for Targeted Advertising
We do not sell your personal data and we do not "share" your personal data for targeted advertising as those terms are defined under US state privacy laws (CCPA/CPRA, VCDPA, CTDPA, CPA, UCPA, and others). You do not need to opt out of sales or sharing because there are none.
10.3 Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights. We will not deny you services, charge you a different price, provide a different level of service, or retaliate against you for asserting your rights.
11. Jurisdiction-Specific Provisions
11.1 European Economic Area, United Kingdom, and Switzerland
If you are located in the EEA, UK, or Switzerland, the GDPR (or UK-GDPR / Swiss FADP) applies to your data. PracSim is the data controller. The legal bases on which we process your data are listed in the table in Section 4.
You have the rights listed in Section 10.1, plus:
- Right to data portability (receive a structured, commonly used, machine-readable copy of data you provided)
- Right to restriction of processing while a complaint is being resolved
- Right to not be subject to automated decision-making that produces legal effects (we do not use automated decision-making in this way)
- Right to lodge a complaint with your local supervisory authority. EEA residents can identify their supervisory authority at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk. Swiss residents may contact the FDPIC at edoeb.admin.ch.
11.2 California, USA (CCPA / CPRA)
If you are a California resident, the CCPA (as amended by the CPRA) applies. In addition to the rights in Section 10.1, you have:
- Right to know the categories of personal information we collect, the sources, the purposes, the categories of third parties we share it with, and the specific pieces of information we have collected about you
- Right to delete personal information (subject to exceptions, including for transaction recordkeeping)
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information — we do not sell or share your personal information
- Right to limit the use of sensitive personal information. The categories of "sensitive personal information" under the CPRA include items such as government identifiers, precise geolocation, race or religious beliefs, genetic or biometric data, health, sexual orientation, and account log-in credentials. We do not collect any of these for inferential or profiling purposes. The only category that touches our systems at all is your account log-in (email + bcrypt-hashed password, and an optional MFA seed if you enable MFA), which we use solely to authenticate you. We do not use that data to infer characteristics about you and you have nothing further to limit on this front.
- Right to non-discrimination for exercising any of these rights
- You may designate an authorized agent to make a request on your behalf. We will require written proof of authorization and verification of your identity.
- If we deny your request, you may appeal by replying to our denial; we will respond to appeals within 60 days.
Because we do not sell or share personal information for cross-context behavioral advertising in any case, a Global Privacy Control (GPC) signal has no different effect on our processing than the default. We treat every visitor as having opted out of sale and sharing, whether or not a GPC signal is present.
"Shine the Light" (Cal. Civ. Code §1798.83): if you are a California resident, you may request information about disclosures of personal information to third parties for direct marketing purposes. We do not make such disclosures.
11.3 Other US State Privacy Laws
Residents of Virginia (VCDPA), Connecticut (CTDPA), Colorado (CPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Jersey (NJDPA), Tennessee (TIPA), Indiana (INCDPA), and other state-level privacy laws have rights similar to those listed in Sections 10.1 and 11.2: access, correction, deletion, portability, and opt-out of sale/sharing/targeted advertising. We do not engage in sale, sharing, targeted advertising, or profiling that produces legal effects, so there is nothing for you to opt out of in those categories. To exercise any of these rights, email us at . If your state law provides an appeal mechanism for denied requests, you may appeal by replying to our denial.
11.4 Canada (PIPEDA + provincial laws)
If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws (BC PIPA, Alberta PIPA, Quebec Law 25) apply. You have:
- The right to access and correct your personal information
- The right to withdraw consent (subject to legal or contractual restrictions)
- The right to file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your provincial commissioner
- Quebec residents have additional rights under Law 25, including the right to portability and the right to be informed of automated decision-making (we do not use automated decision-making in this manner)
11.5 Brazil (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) applies. In addition to the rights in Section 10.1, you have, under LGPD Article 18, the rights to:
- Confirm the existence of processing activities
- Access your data
- Correct incomplete, inaccurate, or out-of-date data
- Anonymize, block, or delete unnecessary or excessive data, or data that has been processed in non-compliance with the LGPD
- Receive your data in portable form and request transfer to another service provider
- Delete personal data processed with consent
- Be informed of public and private entities with which we have shared your data
- Be informed about the possibility of denying consent and the consequences of such denial
- Revoke consent
You may file a complaint with the Brazilian National Data Protection Authority (ANPD).
11.6 Australia (APPs)
If you are an Australian resident, the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) apply. You have the right to access and correct your personal information and to lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au). We endeavor to handle complaints internally first; if you remain unsatisfied after 30 days, you may escalate to the OAIC.
11.7 New Zealand (Privacy Act 2020)
If you are a resident of New Zealand, the Privacy Act 2020 applies. You have rights of access and correction and may lodge a complaint with the Office of the Privacy Commissioner (privacy.org.nz).
11.8 South Africa (POPIA)
If you are a South African resident, the Protection of Personal Information Act (POPIA) applies. You have the right to access and correct your personal information, to object to processing, and to lodge a complaint with the Information Regulator (inforegulator.org.za).
11.9 Japan (APPI)
If you are a resident of Japan, the Act on the Protection of Personal Information (APPI) applies. You have the right to disclosure, correction, and deletion of your personal information and to lodge a complaint with the Personal Information Protection Commission (PPC).
11.10 Singapore (PDPA)
If you are a resident of Singapore, the Personal Data Protection Act 2012 applies. You have the right to access, correct, and withdraw consent for the processing of your personal data and to lodge a complaint with the Personal Data Protection Commission (PDPC).
11.11 India (DPDPA)
Under the Digital Personal Data Protection Act 2023 (DPDPA), residents of India have, subject to the rules and timelines notified by the Government of India, rights of access, correction, completion, erasure, and grievance redressal. You may nominate another individual to exercise rights on your behalf in the event of death or incapacity. You may file a grievance with us at or escalate to the Data Protection Board of India.
11.12 Other Jurisdictions
If you are located in a jurisdiction whose privacy law is not specifically named above, the universal rights in Section 10.1 still apply to your data. We will honor lawful requests under any applicable jurisdiction's privacy law to the extent feasible.
12. Children's Privacy
Our website and services are intended for adult business users. The minimum age for collecting personal information varies by jurisdiction: 13 in the United States under the Children's Online Privacy Protection Act (COPPA), 16 in the EEA under the GDPR (which permits member states to lower the threshold to 13), and similar thresholds elsewhere. We do not knowingly collect personal information from anyone below the applicable threshold for their jurisdiction. If you believe we have inadvertently collected information from a child, contact us at and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes — for example, adding a new subprocessor, changing the legal basis for processing, or expanding the categories of data we collect — will be communicated through a prominent notice on our website and, where you have an account with us, by email.
Your continued use of the website or services after a change becomes effective constitutes acceptance of the updated policy. If you do not agree to a change, you may close your account before the change takes effect.
14. Contact Us
For privacy questions, requests, or complaints:
- Email:
- Postal correspondence: Practical Simulation Solutions LLC is a Utah-registered limited liability company. Our registered business address is on file with the Utah Division of Corporations and is publicly retrievable through that office's corporate-entity registry. For direct postal contact with us, email and we will respond with the appropriate mailing address.
Data Processing Agreement (DPA). Customers in the EEA, the United Kingdom, or other jurisdictions that require a data processing agreement for B2B engagements may request one by emailing . For engagements governed by a PracSim Master Service Agreement, the data-protection terms in MSA Section 13 (Data and Security) apply; where additional terms are needed to satisfy your jurisdiction's data-processor requirements, we will work with you on a supplemental agreement on a case-by-case basis.
We endeavor to respond to all privacy inquiries within 30 days, or sooner where required by your jurisdiction.
This privacy policy was last updated on June 5, 2026.