Privacy Policy

KeptSimple — Training Management System

Last Updated: March 6, 2026

1. Introduction

Kept Simple ApS ("we," "us," "our," or the "Company") is a Danish company (CVR-nr. 46 31 59 01) that provides a Training Management System ("Platform") to organizations that offer classes and manage student registrations ("Organizations" or "Schools"). This Privacy Policy describes how we collect, use, disclose, and protect the personal data of individuals who interact with our Platform and website at keptsimple.net and all its subdomains (collectively, the "Services").

This Privacy Policy applies to all users of the Services, including Organization administrators, instructors, and students who register for or enroll in classes through the Platform.

Because we are established in the European Union (Denmark), we are subject to the EU General Data Protection Regulation (GDPR) with respect to all personal data we process. Because many of our Organizations and their students are located in the United States, we also comply with applicable U.S. federal and state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) and other state privacy laws as applicable.

2. Key Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, phone numbers, mailing addresses, and payment information.
  • Data Controller: The entity that determines the purposes and means of processing personal data. Depending on the context, either KeptSimple or a School may be the data controller.
  • Data Processor: The entity that processes personal data on behalf of a data controller. When Schools use our Platform to manage student data, KeptSimple acts as a data processor on behalf of the School.
  • Data Subject: The individual whose personal data is being processed (e.g., a student, administrator, or website visitor).

3. Data Controller and Processor Roles

Our Platform involves a multi-party data relationship:

KeptSimple as Data Controller: We are the data controller for personal data we collect directly, such as information provided by School administrators during account setup, data collected through our website, and data necessary for billing and platform operations.

KeptSimple as Data Processor: When Schools use the Platform to collect and manage student enrollment data, class registrations, payment information, and educational records, KeptSimple acts as a data processor on behalf of the School. In these cases, the School is the data controller and determines the purposes of processing.

Schools as Data Controllers: Schools are responsible for their own compliance with applicable privacy laws regarding the student data they collect through the Platform. Schools determine what student data to collect, the purposes for collection, and the legal basis for processing.

4. Personal Data We Collect

4.1 Information You Provide Directly

School Administrator and Instructor Data:

  • Full name, email address, and phone number
  • Business address and school affiliation
  • Account credentials (email and password, with passwords stored using one-way hashing)
  • Billing and payment information (processed via Stripe)
  • Account branding and customization preferences
  • Communication preferences and email template customizations

Student Data (collected by Schools through the Platform):

  • Full name, email address, and phone number
  • Mailing address
  • Course enrollment and registration details
  • Payment and transaction records (processed via Stripe and Klarna)
  • Course completion records and certificates
  • Professional license numbers, where required by the School for regulatory reporting (encrypted at rest)
  • Terms acceptance records, including IP address, user agent, and electronic signature

4.2 Partial Social Security Number

The Platform may collect the last four digits of a student's Social Security Number solely when required by state licensing authorities (such as the North Carolina Real Estate Commission) for regulatory compliance reporting. This partial identifier is:

  • Collected only at the direction of the School in its capacity as data controller
  • Encrypted at rest using application-level encryption
  • Used exclusively for regulatory compliance reporting (e.g., NCREC roster submissions)
  • Never used for identity verification, marketing, or any other purpose

We do not collect or store full Social Security Numbers.

4.3 Information Collected Automatically

When you access or use our Services, we automatically collect:

  • IP address, browser type, device information, and user agent
  • Pages visited, features used, and time spent on the Platform
  • Referring website addresses
  • Session identifiers and hashed visitor identifiers for analytics purposes
  • Login metadata including login count, last login timestamp, and IP address
  • Marketing attribution data (UTM parameters such as utm_source, utm_medium, utm_campaign) when present in registration URLs
  • Cookies and similar tracking technologies (see Section 10)

4.4 Information from Third Parties

We may receive information from third-party service providers, including:

  • Payment processing confirmations and transaction details from Stripe and Klarna
  • Email delivery status, open, and click tracking data from Postmark (our email service provider)
  • CAPTCHA verification results from Cloudflare Turnstile, which processes browser fingerprint data and IP addresses to distinguish humans from bots on public forms

4.5 Regulatory Data

For Schools operating in North Carolina, the Platform may import licensee roster data from the North Carolina Real Estate Commission (NCREC) via secure file transfer. This data is used solely to support Schools' regulatory compliance reporting and is processed on behalf of the School as data controller.

5. Legal Bases for Processing (GDPR)

Under the GDPR, we process personal data based on one or more of the following legal bases:

  • Contractual Necessity: Processing necessary to perform our contract with Schools (e.g., providing the Platform, processing payments, generating certificates).
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as improving the Platform, ensuring security, preventing fraud, and conducting analytics, where those interests are not overridden by the data subject's rights.
  • Legal Obligation: Processing necessary to comply with applicable laws, such as tax reporting requirements or regulatory compliance (e.g., NCREC reporting).
  • Consent: Where required by law, we obtain consent before processing personal data for specific purposes, such as sending marketing communications. You may withdraw consent at any time.

6. How We Use Personal Data

We use personal data for the following purposes:

  • Providing and maintaining the Platform, including class scheduling, enrollment management, and payment processing
  • Creating and managing School and user accounts
  • Processing payments and managing billing, including installment payment plans via Stripe and Klarna
  • Generating course completion certificates with QR-code-based verification
  • Sending transactional communications related to enrollments, payments, and account activity via Postmark
  • Providing customer support and responding to inquiries
  • Improving the Platform, including analyzing usage patterns, page views, and fixing technical issues (including via error monitoring)
  • Ensuring the security and integrity of the Platform, including CAPTCHA verification on public forms
  • Complying with legal obligations, including regulatory reporting to state licensing authorities
  • Recording terms acceptance with associated metadata for compliance documentation
  • Logging administrative and system activity for security auditing purposes

7. How We Share Personal Data

We do not sell personal data. We share personal data only in the following circumstances:

Service Providers:

We share personal data with the following third-party service providers who assist in delivering our Services:

  • Stripe — payment processing, billing, and Stripe Connect split payments
  • Klarna (via Stripe) — installment payment processing (Register Now Pay Later)
  • DigitalOcean — cloud hosting and infrastructure
  • Laravel Forge — server management and deployment
  • Postmark — transactional email delivery, including open and click tracking via webhooks
  • Cloudflare — Turnstile CAPTCHA on public-facing forms (processes browser fingerprint and IP data)
  • Sentry — error monitoring and application performance, which may capture user context (email, account ID, request data) in error reports

These providers are contractually obligated to process personal data only as instructed and to maintain appropriate security measures.

Schools:

Student data collected through the Platform is accessible to the School that the student enrolled with. Schools may use this data in accordance with their own privacy policies.

LMS Integrations:

Schools may optionally enable integrations with third-party Learning Management Systems (such as Thinkific or TalentLMS). When enabled, student data including names, email addresses, and enrollment information may be transmitted to these external platforms. These integrations are configured and activated by the School in its capacity as data controller. Students should review the privacy policies of the applicable LMS provider.

State Licensing Authorities:

Student enrollment and completion data, including the last four digits of SSN where applicable, may be transmitted to state licensing authorities (such as the NCREC) as required for regulatory compliance. This data is shared at the direction of the School.

Legal Requirements:

We may disclose personal data when required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, safety, or property, or the rights, safety, or property of others.

Business Transfers:

In the event of a merger, acquisition, reorganization, or sale of assets, personal data may be transferred to the successor entity. We will provide notice of any such change in ownership or control.

8. Data Retention

We retain personal data only as long as necessary to fulfill the purposes for which it was collected, including:

  • Active account data: Retained for the duration of the Organization's subscription plus thirty (30) days after account termination to allow for data export.
  • Student enrollment and completion records: Retained in accordance with applicable regulatory requirements (e.g., NCREC record-keeping requirements) and the Organization's data retention instructions.
  • Payment and transaction records: Retained as required by applicable tax and financial reporting laws.
  • Activity logs and audit trails: Retained for up to twenty-four (24) months for security and compliance purposes.
  • Page view and analytics data: Retained in anonymized or aggregated form for up to twenty-four (24) months.
  • Marketing consent records: Retained for as long as consent is valid, plus twelve (12) months after withdrawal for compliance documentation.

When personal data is no longer needed, we securely delete or anonymize it.

9. Your Privacy Rights

9.1 Rights Under the GDPR (All Users)

Because KeptSimple is established in the EU, the following rights apply to all data subjects whose data we process as a data controller:

  • Right of Access: You may request a copy of the personal data we hold about you.
  • Right to Rectification: You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements and regulatory record-keeping obligations. In some cases, we may anonymize data rather than delete it to preserve the integrity of financial and compliance records.
  • Right to Restriction: You may request that we restrict the processing of your personal data in certain circumstances.
  • Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: You may object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise these rights, contact us at privacy@keptsimple.net. We will respond within 30 days. If you are a student whose data is processed by a School through our Platform, you should first contact the School directly, as they are the data controller for your enrollment data. The School may then coordinate with us to fulfill your request.

9.2 Rights Under U.S. State Privacy Laws

Depending on your state of residence, you may have additional rights under laws such as the CCPA/CPRA (California), CPA (Colorado), CTDPA (Connecticut), VCDPA (Virginia), and similar state laws. These may include:

  • The right to know what personal information we collect, use, and disclose
  • The right to delete personal information
  • The right to opt out of the sale or sharing of personal information (note: we do not sell personal data)
  • The right to non-discrimination for exercising your privacy rights
  • The right to correct inaccurate personal information

We do not sell personal information as defined under the CCPA/CPRA. We do not use personal information for cross-context behavioral advertising.

9.3 Exercising Your Rights

To submit a privacy request, contact us at privacy@keptsimple.net. We may need to verify your identity before processing your request. We will not charge a fee for processing reasonable requests.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve our Services. The types of cookies we use include:

Strictly Necessary Cookies: Required for the Platform to function, including session management, authentication, CSRF protection, and security. These cannot be disabled.

Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences and settings.

We do not use cookies for targeted advertising. You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Platform.

Email Tracking: Our transactional emails sent via Postmark may include tracking pixels and tracked links that record when an email is opened and which links are clicked. This data is used to monitor email deliverability and improve communications.

Page View Analytics: We collect page view data including hashed visitor identifiers, session identifiers, IP addresses, user agents, and referrer URLs. This data is used to understand how users interact with the Platform and to improve performance and usability.

11. International Data Transfers

KeptSimple is established in Denmark (EU) and our Platform infrastructure is hosted in the United States. This means personal data may be transferred between the EU and the US.

For transfers of personal data from the EU/EEA to the United States, we rely on:

  • The EU-U.S. Data Privacy Framework (DPF), where applicable
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Other legally recognized transfer mechanisms as appropriate

We ensure that any international transfer of personal data is subject to appropriate safeguards as required by the GDPR.

12. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/SSL
  • Application-level encryption at rest for selected sensitive fields, including partial Social Security Numbers, professional license numbers, and third-party API credentials
  • Multi-factor authentication enforced for super-administrator access and available for School administrator accounts
  • One-way password hashing for all administrator credentials
  • Passwordless authentication for students via secure email-based login links
  • Regular security assessments and monitoring
  • Session management controls including automatic session expiration
  • Administrative activity logging and audit trails via structured event logging
  • Secure payment processing through PCI-DSS compliant providers (Stripe, Klarna)
  • CAPTCHA protection on public-facing forms via Cloudflare Turnstile

While we strive to protect personal data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to maintaining industry-appropriate safeguards.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals:

GDPR Requirements: We will notify the Danish Data Protection Authority (Datatilsynet) within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to individuals, we will also notify affected data subjects without undue delay.

U.S. State Requirements: We will comply with applicable state data breach notification laws, which may require notification to affected individuals, state attorneys general, or other regulatory authorities within specified timeframes.

School Notification: Where KeptSimple acts as a data processor, we will promptly notify the affected School(s) of any breach involving their students' personal data so they can fulfill their own notification obligations.

14. Children's Privacy

The Platform is designed for use by adults aged 18 and older. We do not knowingly collect personal data from children under the age of 16 (the GDPR threshold) or under the age of 13 (the COPPA threshold). If we become aware that we have collected personal data from a child, we will take steps to delete that information promptly. If you believe a child has provided personal data through our Services, please contact us at privacy@keptsimple.net.

15. Third-Party Links and Services

Our Services may contain links to third-party websites or services not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data.

Key third-party services integrated with or used by the Platform include:

  • Stripe and Klarna — payment processing
  • Postmark — email delivery
  • Cloudflare — CAPTCHA and security services
  • Sentry — error monitoring
  • Thinkific and TalentLMS — optional LMS integrations when enabled by Schools

16. Data Processing Agreements

Schools that use our Platform to process student personal data may request a Data Processing Agreement (DPA) that outlines the terms and conditions of data processing, including the scope, purposes, and duration of processing, as well as the rights and obligations of both parties under the GDPR. To request a DPA, contact us at privacy@keptsimple.net.

17. EU Data Act Compliance

As a SaaS provider established in the EU, KeptSimple complies with the EU Data Act (Regulation (EU) 2023/2854) with respect to data portability and switching rights. Schools may:

  • Terminate their subscription with thirty (30) days' prior written notice, consistent with the Terms of Use (the EU Data Act permits notice periods of up to sixty (60) days)
  • Request export of all their data in a structured, commonly used, and machine-readable format
  • Complete data transition within thirty (30) days of providing termination notice

We do not impose technical or contractual barriers to switching providers and will provide reasonable assistance during any transition period.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable laws. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Provide notice through the Platform or via email to active account holders
  • Where required by law, obtain your consent to the updated terms

We encourage you to review this Privacy Policy periodically.

19. Contact Information

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

Kept Simple ApS

Tulstrup Have 1

3400 Hillerød, Denmark

CVR-nr. 46 31 59 01

Privacy Requests: privacy@keptsimple.net

General Inquiries: info@keptsimple.net

EU Supervisory Authority: If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at www.datatilsynet.dk.

20. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of Denmark and applicable EU regulations, including the GDPR. For disputes relating to data processing of U.S.-based users, the applicable provisions of U.S. federal and state privacy laws will also apply as relevant.