Privacy Policy 

Privacy Policy

Last Updated: 2026-04-22

Effective Date: 2026-04-22

1. About this Policy

This Privacy Policy describes how SCmple Solutions LLC (“SCmple”, “we”, “us”) collects, uses, and shares personal data when you:

  • visit scmple.com or any SCmple marketing property;
  • or create or use a SCmple user account on the SCmple supply-chain-management platform (the “Platform”).

Controller / Processor scope. For personal data collected through our website and for SCmple user accounts themselves, SCmple acts as the Data Controller under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR“) and the UK GDPR. 

For business and operational data that our customers upload into the Platform in the course of 
using the Services, SCmple acts as a Data Processor on behalf of the customer (who is the 
Controller). That relationship is governed by a separate Data Processing Addendum (DPA), 
which we make available to all B2B customers. This Privacy Policy does not govern the 
processing of customer-uploaded operational data — please refer to the applicable DPA instead. 

2. Who We Are

SCmple Solutions LLC 12 Moorland Boulevard, Monroe Township, New Jersey 08831, United States

For all privacy and data-protection matters, contact us at [email protected]

3. Personal Data We Collect

We collect only the personal data we need to provide, secure, and support our Platform and 
website. We do not collect demographic data such as age, gender, household income, political 
affiliation, race, or religion. 

3.1 Account Identity Data

When you register or are provisioned with a SCmple account: 

  • Email address
  • First and last name
  • Profile picture (optional)
  • User preferences (date format, time zone)

3.2 Authentication & Security Data

Created and used to keep your account and the Platform secure: 

  • Password, stored only as a bcrypt hash (we never store plaintext passwords) 
  • Two-factor authentication (TOTP) secret, where you enable 2FA 
  • Login-activity records: IP address, user-agent string, approximate geographic location 
    inferred from IP (country, region, city), sign-in timestamps, and success/failure status 
  • Session identifiers
  • Account-lockout and password-reset tokens, used transiently 

3.3 Audit-Log Data

For changes made within the Platform, we record the identity of the user who made the change, 
so that Controllers (our customers) can meet their own accountability obligations. 

3.4 Website Data

When you visit scmple.com, our hosting provider’s standard server logs briefly record the 
requesting IP address, user-agent, referrer, and request path. We use strictly-necessary functional 
cookies to serve the site. See Section 14 (Cookies) for details. 

4. Legal Bases for Processing

We rely on the following legal bases under Article 6(1) GDPR: 

Processing activityLegal basis
Creating and maintaining your SCmple user account; delivering the Services you have signed up forArticle 6(1)(b) — performance of a contract
Security logging, fraud prevention, platform integrity, and technical availabilityArticle 6(1)(f) — our legitimate interest in running a secure, reliable service
Retaining records where required by tax, accounting, or other applicable lawArticle 6(1)(c) — legal obligation
Sending marketing communications (only where you have opted in, e.g., newsletter signup)

Article 6(1)(a) — consent, which you may withdraw at any time

We do not rely on processing of Article 9 GDPR special-category personal data, and the Platform is not designed to collect it.

5. How We Use Your Personal Data

We use your personal data to: 

  • Provide, operate, and maintain your SCmple account and the Platform; 
  • Authenticate you, enforce access controls, and protect your account and our Services 
    from unauthorised access, fraud, and abuse; 
  • Respond to your support requests and communicate with you about your account, 
    service-affecting incidents, and material changes to our Services or this Policy; 
  • Meet our legal and regulatory obligations; and 
  • With your consent, send you marketing communications you can unsubscribe from at any 
    time. 
We do not sell your personal data, and we do not rent or lease it to third parties for their own 
marketing purposes. 

6. How We Share Your Personal Data

We share personal data only in the following circumstances: 
 
  • With trusted sub-processors who help us run the Services, under written contracts that 
    require them to meet our data-protection standards. The categories of sub-processors we 
    engage are: cloud infrastructure and database hosting; object storage; address geocoding; 
    transactional email delivery; application error and performance monitoring; and 
    embedded analytics (only where a customer enables it). We disclose the complete, current 
    list of named sub-processors — including legal entity, service provided, and processing 
    location — to B2B customers in Annex III of our DPA and keep it updated. 
  • With identity providers you choose to configure (e.g., Okta, Microsoft Entra ID) when 
    your organisation enables SAML single sign-on. Those identity providers are your own 
    organisation’s sub-processors, not ours. 
  • With professional advisers, auditors, or regulators where disclosure is required to 
    meet a legal, regulatory, or professional obligation. 
  • With successors in the event of a merger, acquisition, or sale of all or part of our business — and only subject to equivalent data-protection obligations.
 
We do not share personal data with third parties for their own marketing. 

7. International Data Transfers

SCmple is headquartered in the United States. Most processing of personal data takes place in 
the United States (via our cloud-hosting providers) and in the European Union (our application 
error and performance monitoring runs in the Netherlands). 
Where we transfer personal data of individuals in the European Economic Area, the United 
Kingdom, or Switzerland to a country that is not covered by an adequacy decision, we rely on 
the 2021 European Commission Standard Contractual Clauses (Implementing Decision (EU) 
2021/914) to provide appropriate safeguards, supplemented — where the exporter is in the UK 
— by the UK Information Commissioner’s International Data Transfer Addendum. 
Consistent with the Schrems II judgment of the Court of Justice of the European Union (Case C-
311/18, 16 July 2020) and the European Data Protection Board’s Recommendations 01/2020, we 
apply supplementary technical measures to protect personal data in transit and at rest, including: 
 
  • TLS 1.2 or higher for all traffic between you and the Platform; 
  • AES-256 encryption at rest in our managed database and object storage; 
  • Field-level encryption of sensitive integration credentials; 
  • Strict key management under SCmple’s and our infrastructure providers’ control. 
We do not rely on the EU-US Privacy Shield, which was invalidated by the Court of Justice in 
Schrems II. 
You may request a copy of the safeguards in place for a specific transfer by contacting us at 
[email protected]. 

8. Data Retention

We retain personal data only as long as we need it for the purposes set out in this Policy. 

  • Account identity and authentication data are retained for the life of your SCmple 
    account. When your account or your organisation’s SCmple tenant is deleted, we remove 
    the associated personal data from our production systems within 30 days, and from our 
    rolling backup cycle within a further 35 days. 
  • Login-activity and audit-log records are retained for up to 24 months, or longer where 
    we are required to do so by law or where records are needed to investigate an ongoing 
    security incident. 
  • Website server logs are retained for up to 90 days.
  • Records we are required to keep by law (for example, tax and accounting records) are retained for the period prescribed by the applicable law.
For personal data that our customers upload into the Platform, retention is governed by the 
applicable customer DPA. 

9. Security of Your Personal Data

We maintain a documented information-security programme and apply technical and 
organisational measures appropriate to the risk, including: 
  • Passwords stored only as bcrypt hashes; mandatory two-factor authentication by default; 
    a password policy aligned with NIST SP 800-63B (length-based strength, breached-
    password reuse blocking, no arbitrary periodic rotation); 
  • TLS 1.2+ in transit, AES-256 at rest, CSRF protection, HSTS; 
  • Role-based access control, tenant isolation at the application layer, and strict separation 
    between development, staging, and production environments; 
  • Continuous database backups with point-in-time recovery, application audit logging, and 
    filtered error monitoring; 
  • Hosting exclusively with SOC 2 Type II and ISO 27001 certified infrastructure providers; 
  • Annual review of security policies; peer code review and static analysis on application changes. 
A more detailed set of Technical and Organisational Measures is set out in Annex II of our DPA 
and available to B2B customers under NDA. 
No security programme can guarantee absolute security, but we actively monitor and improve 
ours. 

10. Your Data-Protection Rights

Subject to the conditions set out in Chapter III of the GDPR (and equivalent provisions of the 
UK GDPR), you have the right to: 
  • Access the personal data we hold about you; 
  • Rectify personal data that is inaccurate or incomplete; 
  • Erase personal data (“right to be forgotten”), where one of the grounds under Article 17 
    applies; 
  • Restrict processing in defined circumstances (Article 18); 
  • Data portability, i.e., receive your personal data in a structured, commonly-used, 
    machine-readable format (Article 20); 
  • Object to processing based on our legitimate interests (Article 21); 
  • Withdraw consent at any time, where processing is based on your consent (Article 7(3)). 
To exercise any of these rights, contact [email protected]. We respond within one month of 
receiving a verifiable request, as required by Article 12(3) GDPR. That period may be extended 
by up to two further months where the request is complex or where we receive a large number of 
requests; we will tell you within one month if we need more time and why. 
Where you are a user of a customer’s SCmple tenant, your organisation (as Controller) is the first 
point of contact for these requests. We will forward any request received directly to your 
organisation and assist as required by our DPA with that customer. 

 

11. Right to Lodge a Complaint with a Supervisory Authority

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right under Article 77 GDPR to lodge a complaint with a data-protection supervisory authority. You may do so in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.

We encourage you to contact us at [email protected] first, so that we have an opportunity to resolve the matter directly.

12. Personal Data Breach Notification

We maintain incident-response and breach-notification procedures aligned with Articles 33 and 34 GDPR.

Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, SCmple will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.

Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will also notify affected data subjects without undue delay, in clear and plain language, and describe the nature of the breach, the likely consequences, the measures taken or proposed to address it, and a point of contact for further information.

For personal data that our customers upload into the Platform, our notification runs through the Controller under the applicable DPA, as described in Section 10 of that DPA.

13. Children

The SCmple Platform is a business-to-business supply-chain product that is not directed to, and not intended for use by, children under the age of 16. We do not knowingly collect personal data from children. If you believe we may have collected personal data from a child, please contact [email protected] and we will take steps to delete it.

14. Cookies and Similar Technologies

SCmple uses cookies and similar technologies only to the extent needed to provide our website and Platform:

  • Strictly-necessary cookies — required for sign-in, session management, and CSRF protection. These cannot be disabled without breaking core functionality.
  • Functional cookies — to remember your preferences (e.g., date format, time zone).

We do not set advertising or behavioural-tracking cookies on the Platform itself. Marketing analytics on the scmple.com website, if any, are listed in the cookie notice surfaced on that site. Most browsers allow you to control cookies through their settings. Disabling strictly-necessary cookies will prevent you from signing in.

15. Automated Decision-Making and Profiling

We do not use your personal data to make decisions that produce legal or similarly significant effects about you by solely automated means, within the meaning of Article 22 GDPR.

16. Changes to This Policy

We may update this Policy from time to time. When we do, we will update the “Last Updated” date at the top of this page and, where the changes are material, we will notify you through the Platform, by email, or through a prominent notice on scmple.com before the changes take effect. We preserve superseded versions internally and can provide a prior version on written request.

17. Contact Us

For any question about this Policy, to exercise any of the rights described above, or to request information about our sub-processors or transfer safeguards, contact us at:

SCmple Solutions LLC — Attn: Privacy
12 Moorland Boulevard, Monroe Township, New Jersey 08831, United States
Email: [email protected]

End of Privacy Policy.

Request a Demo

Sales & Operations Planning

SCmple is an S&OP platform that helps pharma companies mitigate the risks of inventory obsolescence and shortages. We do this by balancing demand variations with production plans based on the constrained capacity. In addition, SCmple optimizes the S&OP process for alignment between strategic business and supply plans so that everyone can be on the same page. SCmple provides real-time visibility into the S&OP KPIs that will help you make better decisions about planning and sourcing the critical ingredients with long-lead-times at any given time. In addition, SCmple provides an accurate view of the inventory on-hand, open purchase orders so you can plan more efficiently. With the demand planning capabilities, you can analyze the forecast accuracy and improve the forecast quality, while the supply planning feature can assist you in evaluating the future production plans, projected inventories, months of supply and provide reliable rolling forecasts to your suppliers.

Key Benefits:
  • Gain actionable insight into your supply chain
  • Reduce risk with accurate forecasts
  • Get visibility into critical KPIs
  • Maintain current inventory levels
  • Improve forecast accuracy and quality
  • Plan for future production, target inventories, and months of supply