
PRIVACY POLICY

DEFINITIONS

LEGAL BASIS

CONSENT

PERSONAL INFORMATION COLLECTED

Information Automatically Collected

Cookies

Information Collected Regarding our Customers

Information Collected for our Customers

Rights

Use of Information Collected

ADDITIONAL INFORMATION

Legal

Data Retention

Location of Data

Security

Modifications to This Privacy Policy

Contact Us

Appendix A - Information Collected

Customer Data

Client-User Data

Appendix B

Third Party Vendors

Web Push Notifications

Browsers that are used for Web Push Notifications:

At 329Design Inc. (“329Design”), we understand the responsibility that comes along with providing a healthcare management technology and the importance of privacy protections. This Privacy Policy helps explain the privacy features of our content, products or services listed on simpleset.net (the “Website”), through our applications (the “Apps”), Software or via other delivery methods to you (the Website, Apps, Software and such content, products, services and features are collectively referred to herein as the “Product” or “Products”, which may be updated from time-to-time at the sole discretion of 329Design). The Privacy Policy describes how we help healthcare professionals manage and protect the privacy of Personal Data through the Products and describes how we collect, use, disclose and protect Personal Data when you interact or use our Products.

329Design has international customers and, as such, must comply with different legislation around the globe through a continuous process of privacy review. All Personal Data is treated with the highest level of security to comply with Data Protection Laws.

We are a Canadian company and thus comply with the overarching Canadian privacy law, PIPEDA. In some instances, provincial healthcare privacy legislation is also applicable. We comply in these instances.

DEFINITIONS

The following terms shall have the definitions contained below.

329Design Inc.: The corporation name under which the Software has been developed.

Software: a web-based software by the name SimpleSet as developed by 329Design.

Customer: An individual or organization with a trial, student or paid subscription account to one of 329Design’s solutions.

 

Client-User: The recipient of an exercise program, educational material or outcome measure created by a Customer.

Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.

Data Protection Laws: means all laws and regulations applicable to the Processing of Customer Personal Data, including, as applicable: (i) the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”), (ii) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder ("CCPA"), (iii) the General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR" or "GDPR"), (iv) the Swiss Federal Act on Data Protection ("FADP"), (v) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR") and the UK Data Protection Act 2018; in each case, as updated, amended or replaced from time to time.

Personal Data: Information about an identified or identifiable natural person or which otherwise constitutes "personal data", "personal information", "personally identifiable information" or similar terms as defined in Data Protection Laws.

Processor: A natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

Processing: And inflections thereof refer to any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

LEGAL BASIS

The legal basis for data collected is founded in consent as well as the legitimate use of Personal Data for the operation of 329Design’s Products. We operate with the general principle of Personal Data collection on an “as necessary” basis. Personal Data collected may be used for day-to-day operations necessary to provide the Products, understanding and improving our services, direct marketing relating to our services, communicating with our Customers and Client-Users, and protecting our legal rights and interests. At no time do our Personal Data collection practices override your fundamental rights and freedoms.

CONSENT

When Customers agree to our Terms of Service (“TOS”) and provide us with Personal Data, we assume the Customer consents to our collecting Personal Data and usage as outlined in this Privacy Policy.

329Design collects Personal Data of Client-Users under the direction of its Customers as detailed in this Privacy Policy. Such Personal Data is voluntary, and not a requirement for the operation of our Products, and is at the discretion of the Customer. 329Design has no direct relationship with Client-Users whose Personal Data may be collected. It is the responsibility of the Customer to ensure they obtain consent and legal right for the use of all Personal Data. Customers are responsible for complying with laws and regulations governing the use of Client-User Data. Should Customers decide to provide Personal Data regarding Client-Users, as outlined in this Privacy Policy, 329Design assumes that consent has been obtained from the Client-User (or from parent or legal guardian if the Client-User is a minor) by the Customer.

 

If you are a Client-User, we act as the Processor of your Personal Data on behalf of our Customer (typically your healthcare practitioner providing services as a regulated healthcare practitioner). The Customer is considered the Controller of your Personal Data. Client-User Data will be governed by the Customer’s practices, policies, and obligations pertaining to the collection, use, access, length of storage and, where applicable, deletion of Client-User Data.

If you have questions regarding our Customer’s legal basis and consent for collection and use of your Personal Data, please contact your healthcare practitioner directly.  Please refer below to “Information collected for our Customers” for more information on how Personal Data is processed by 329Design.

329Design stores Client-User Data in its secure data centers and provides availability of such Personal Data to its Customers through its Products. 329Design has no control over the collection of this Personal Data and is considered a Processor. 329Design will only access Client-User Data under the direction of the Customer(s), to rectify technical problems, or if required by law.

Individuals can withdraw consent at any time by contacting us.

PERSONAL INFORMATION COLLECTED

Information Automatically Collected

Some Personal Data is automatically collected when anyone visits our website, as is typical for most websites, including User-Agent and IP address as well as which pages you visit on our website.

Some Personal Data is automatically collected when the Customer and Client-User use our Products, including the following: Device information (only if using the App version), Log in date, Usage information, and User agent. Please see Appendix A for a breakdown of what Personal Data is collected, a description of why it is collected, and any third party processors.

Cookie Policy

If you have cookies enabled and use our Website, we send one or more “cookies” to your computer or other devices. Cookies are alphanumeric identifiers stored on your computer through your web browser and are used by most websites to help personalize your web experience. Some cookies may facilitate additional site features for enhanced performance and functionality such as remembering preferences, analyzing usage for site optimization, and providing custom content.  

We use both session cookies and persistent cookies. A session cookie expires when you log out of SimpleSet. A persistent cookie remains on your computer for an extended period of time. Currently we use persistent cookies to optimize and enhance the experience on our site and reach potential customers.

Visitors can remove persistent and session cookies or reject them on our website by following directions provided in your Internet browser’s “help” file. To learn more about cookies and how to manage them, please visit: https://www.cookiesandyou.com/.

 

Information Collected Regarding our Customers

We collect Personal Data about our Customers when they choose to provide such information directly to us with their consent. In most cases 329Design is the Controller of such Personal Data. See Appendix A for a list of Customer Data and purposes for collection necessary to provide our service.

Information Collected for our Customers

 

As detailed above, 329Design collects information of Client-Users under the direction of its Customers for the purposes of exercise prescription. This includes, but is not limited to, information such as names, email address, birth year, exercise program(s) of Client-Users, as well as any other information Customers decide to enter (Text Data, Image Data, Video File Data). A detailed list of such data is provided in Appendix A.

Rights

Individuals have certain rights with respect to their Personal Data. These rights are outlined below.

Customers can exercise their rights by contacting 329Design. Client-Users who seek to exercise any of these rights should contact the Customer they interact with directly. If the Client-User requests 329Design to remove Personal Data, 329Design will respond within 30 days.

Access: you are entitled to access your Personal Data. Upon request, 329Design will inform individuals of the existence, use and disclosure of their personal information. 329Design will give access to that information, including a listing of the third-party organizations with whom the information has been shared. This listing can be found in Appendix A of this Privacy Policy.

Rectification: upon request, with limited exceptions, 329Design will correct or make note of any inaccurate Personal Data concerning you and have incomplete Personal Data completed. Notification will be made to appropriate parties on rectification of Personal Data.

Erasure “Right to be Forgotten”: Customers and Client-Users have the right to request that 329Design, if applicable and appropriate, permanently delete their Personal Data. Our Personal Data retention is detailed in this Privacy Policy under Data Retention. Notification will be made to appropriate parties on erasure of Personal Data.

Data Portability: Customers and Client-Users have the right to receive the Personal Data concerning him or her, which he or she has provided to 329Design, and have the right to transmit this Personal Data to another organization. Personal Data can be exported in PDF format by the user at any time.

Objection and Restriction:  Under certain circumstances, Customers or Client-Users are entitled to object to, and restrict the use of, Personal Data.

Withdraw consent: Customers and Client-Users have the right to withdraw consent to use of their Personal Data at any time.  329Design will communicate the implications of this withdrawal of consent should this be requested.

Complaints: Customers or Client-Users have the right to lodge a complaint with a supervisory authority. The Office of the Information and Privacy Commissioner of Saskatchewan is: https://oipc.sk.ca/. The Office of the Privacy Commissioner of Canada is: http://www.priv.gc.ca/

Complaints from Customers in the EU and UK: Customers in the EU may also make enquiries through our representative in the EU and UK via their enquiry page here:

Contact information for our Representative in the EU:

Contact information for our Representative in the UK:

Use of Information Collected

 

329Design will never sell or rent personal information to a third party. We will not use or share your information other than as described in this Privacy Policy unless it is under written direction from the individual or organization.

 

329Design will only use personal information to operate, improve and understand our services. We may use personal information to: provide support and assistance for the services; communicate with you about the services; respond to Customer and Client-User inquiries; create and manage Customer and Client-User profiles; fulfill Customer and Client-User requests; resolve disputes; contact Customers about service announcements, updates or offers; complete a sale/transaction; process orders.

329Design shares information with third party service providers and agents who work on our behalf and provide us with services related to the purposes described in this Privacy Policy and our TOS. These third party service providers will have limited access to Customer’s Data, but only as much as is needed to do their job. A list of uses of Personal Data and third party service providers is detailed below in Appendices A and B.

ADDITIONAL INFORMATION

Legal

There are some instances where it may be necessary to disclose information collected. 329Design reserves the right to disclose information to comply with our legal obligations and applicable laws; protect against, deter, investigate fraudulent, illegal or harmful actions; resolve disputes; protect our rights.

Data Retention

 

329Design will retain your Personal Data as part of the service provided as long as you are a Customer of 329Design. A Customer ceases to be a Customer on the date of expiry of their account and/or last paid invoice. Personal Data will be securely removed from 329Design servers 12 months after this date. Customers will be able to export their Personal Data during this time. Customers can request 329Design to continue to store their Personal Data at their specified subscription cost.

Acting as a subcontractor, and at times a business associate, 329Design is not directly responsible for health and medical records retention requirements as set forth by each applicable territory and/or jurisdiction. Personal Data retention requirements vary depending on your individual jurisdiction. Please review the legislation or guidelines of your jurisdiction. Customers are responsible for complying with the specific laws, regulations and obligations of their jurisdiction pertaining to the retention of Client-User data.

329Design may retain your Personal Data to the extent necessary to comply with our legal obligations.

Customers can update their information, terminate their account or remove their personal information at any time by contacting us.

Location of Data

329Design Servers are located in Canada. All Client-User Data is stored in Canada.

Security

329Design views the security of all personal information as a priority.  We use appropriate safeguards to keep your Personal Data private and confidential. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Personal Data that we create, receive, maintain, or transmit on behalf of a Customer. Such safeguards include:

However, no computer system, method of transmission, or method of electronic storage can ever be fully protected from every possible threat. Therefore, while 329Design takes measures to ensure the security of online transmission and storage of all Personal Data offline to the best standards and practices of the industry, we cannot guarantee its absolute security. We will let you know promptly if a breach occurs that may have compromised the security of your information.

Modifications to This Privacy Policy

We regularly review and update our Privacy Policy. As such, this Privacy Policy may be amended or modified by 329Design at any time and without prior notice. Active Customers will be notified by email if there is a change in the Privacy Policy.

This Privacy Policy was last updated and goes into effect on September 12, 2025.

Contact Us

If you have any questions regarding this Privacy Policy, or wish to engage your user rights as described in this Privacy Policy you can contact 329Design at:

email: support@simpleset.net

phone: 1-855-773-8776

postal mail: 329Design Inc.

1 - 2217 Hanselman Court

Saskatoon, SK S7L 6A8


Appendix A - Information Collected

Customer Data

| Field Name | Description | 3rd Party Processors |
| --- | --- | --- |
| First & Last Name | Needed to create an account | Pipedrive, Chargebee |
| Username | | Chargebee |
| Email Address | | Pipedrive, Chargebee |
| Company Name | As needed if services are purchased | Pipedrive, Chargebee |
| Phone Number | | |
| Fax Number | | |
| Address | | |
| Billing Address | | Pipedrive, Chargebee |
| Billing Information | | Chargebee, Worldline |
| Password | Non-reversibly encrypted | AWS |
| User-Agent & IP address | Website statistics | Cloudflare, Google Analytics, AWS |
| Usage Information | Date account was created; Number of login(s); Login Date; Number of Exercise programs; Number of times exercises, images and videos are viewed; Number of Prints; Number of times client accesses program; Date and time exercise program is sent; Search phrases | AWS |
| Custom Exercise Images | Image(s) the Customer chooses to upload. | AWS |
| Custom Exercise Videos | Video(s) the Customer chooses to upload. | AWS |
| File Uploads (i.e. .pdf, .docx, etc.) | File(s) the Customer chooses to upload | AWS |


Client-User Data

All information collected regarding Client-Users is optional and is under the direction and discretion of the Customer. Inclusion of Client-User Data by the Customer is not a requirement for the operation of 329Design.

| Field Name | Description | 3rd Party Processors |
| --- | --- | --- |
| User-Agent & IP Address | Website statistics; Web push | AWS; Endpoints* |
| First & Last Name | Can be de-identified. | AWS |
| Email Address | Optional. | |
| Client-User Portal Key | Used for additional security to confirm identity during login to Client-User portal to access exercise program(s). | |
| Client Portal Username | Chosen by the Client-User for login to client portal to access exercise program(s) | |
| Language | Language preferred by the Client-User | |
| Exercise Program(s) | Exercise programs or ‘Sets’ created by the Customer for use of the Client-User. Typically this includes exercise: stock and/or custom images, stock and/or custom videos, instructions/educational content, and parameters. May also include any additional text the customer chooses to include as part of the exercise program. | |
| Text Data | Any text data the customer chooses to include as part of an exercise program | |
| Custom image and/or Video Data | Image(s) or Video(s) the Customer chooses to upload of the Client-User. | |
| Client Notes | Free text notes, exercise progress (i.e. sets and repetitions, weight and time), emoji scale of rate of perceived challenge of an exercise | |
| Real Time Chat | Real time text communication between therapist and their client | |
| Client Feedback | Client-Users can enter how they feel on a visual emoji scale | |
| Outcome Measures | Any outcome measures the Customer chooses to assign and have completed by the Client-User | |
| File Data | Files the Customer chooses to upload. | |
| Password | Stored as a salted hash | |
| Usage Information | Number of Exercise program(s); Login Date & Time; Number of Prints; Number of times exercise program(s) are accessed | |

* See Web Push Notification Section in Appendix B for complete list of web push endpoints


Appendix B

Third Party Vendors

Third Party Vendors for 329Design do not process unencrypted electronic personal health information. Electronic Health Information is only processed to the extent that AWS and Microsoft Azure store and transmit encrypted Data as outlined below.

Amazon Web Services (AWS)

Usage: AWS is responsible for the operation, management, and control of the components from the host operating system and virtualization as well as physical security of the physical infrastructure including: servers, network, and Data center. 329Design owns and controls access to this infrastructure as well as encrypted Data stored on this infrastructure.

Privacy & Compliance Links:
https://aws.amazon.com/blogs/security/aws-gdpr-Data-processing-addendum/
https://aws.amazon.com/compliance/hipaa-compliance/
https://aws.amazon.com/compliance/pipeda/

DPA: Yes

BAA: Yes

Google

Usage:
Workspace: Google offers collaboration & productivity applications under its Workspace brand of software. 329Design uses Google Workspace to host our email. All @simpleset.ca & @simpleset.net emails are handled by Google Workspace.
Analytics: 329Design uses Google Analytics on our website to track the customary information, such as screen resolution, browser, etc. Analytics is used in the application to help us understand how the application is used to assist in development.
Ads: We use Google Ads to market our product. We do not use ads to market other products to you.
Tag Manager: We use Google Tag Manager to communicate with Google Ads for retargeting of advertising material to market our product.
No practitioner or Client-User electronic personal health information is processed by Google Ads or Tag Manager.

Privacy & Compliance Links:
https://privacy.google.com/businesses/compliance/#?modal_active=none
https://safety.google/intl/en/privacy/ads-and-Data/
https://policies.google.com/privacy?hl=en

DPA: Yes

BAA: Yes

Worldline

Usage: Worldline is a service that provides online payment processing for businesses. 329Design uses Worldline for processing payments.

Privacy & Compliance Links:
https://worldline.com/sv-se/compliancy/cookie-notice

DPA: Yes

BAA: N/A [1]

Chargebee

Usage: Chargebee is a subscription management platform. 329Design uses Chargebee to manage Customer accounts and invoices for 329Design services. Customer information shared with Chargebee is detailed in Appendix A. No Client-User Data is shared with Chargebee.

Privacy & Compliance Links:
https://www.chargebee.com/security/

DPA: Yes

BAA: N/A [1]

Cloudflare

Usage: 329Design uses Cloudflare for DNS and content distribution.

Privacy & Compliance Links:
https://www.cloudflare.com/gdpr/introduction/

DPA: Yes

BAA: N/A [1]

Tremendous

Usage: Used for distributing gift cards in our user referral program.

Privacy & Compliance Links:
https://www.tremendous.com/privacy

DPA: Yes

BAA: N/A [1]

HelpScout

Usage: HelpScout is customer service software. 329Design uses HelpScout to help manage customer service requests sent through email. A beacon is used within the application for access to our knowledge base, live chat or email.

Privacy & Compliance Links:
https://www.helpscout.com/company/legal/security/

DPA: Yes

BAA: Yes

Pipedrive

Usage: Pipedrive is our CRM for management of Accounts through the Sales Process.

Privacy & Compliance Links:
https://www.pipedrive.com/en/features/privacy-security

DPA: Yes

BAA: N/A [1]

Calendly

Usage: Used for booking sales or support calls.

Privacy & Compliance Links:
https://calendly.com/privacy

DPA: Yes

BAA: N/A [1]

[1] Does not process Client-User Data


Web Push Notifications

329Design’s SimpleSet application utilizes web push notifications when updates are made to exercise programs by a Customer. No personal identifying information is shared, nor specific information about the changes made to the exercise program. The data pushed is: IP address and User-Agent, and a notice that there has been an update to the exercise program, with a redirect link back to the SimpleSet application Client-User portal login webpage.

Endpoints that are used for Web Push Notifications:

Endpoints

android.googleapis.com

fcm.googleapis.com

updates.push.services.mozilla.com

updates-autopush.stage.mozaws.net

updates-autopush.dev.mozaws.net

*.notify.windows.com

*.push.apple.com