Privacy Policy

1. Information We Collect

a. Account Information

• Name and email address (provided during registration)
• Company name and job title
• Password (stored in hashed form; we never store plaintext passwords)
• OAuth identity token if you sign in via Google, Microsoft, Apple, GitHub, or other supported SSO provider

b. Customer Data

• Documents, configurations, agent inputs, and run outputs you submit to or generate through the Service
• Data extracted or derived from your submissions as part of providing the Service

c. Payment Information

• Billing details such as name, billing address, and payment card information are collected and processed by Stripe, Inc., our third-party payment processor. We do not store full payment card numbers. Stripe's use of your payment information is governed by Stripe's Privacy Policy.

d. Usage Data

• Log data such as your IP address, browser type, pages visited, and actions taken within the Service
• Device information (device type, operating system)
• Feature usage patterns to help us improve the Service

e. Communications

• Emails or messages you send to us (e.g., support requests, feedback)

2. How We Use Your Information

• To provide and operate the Service — process submissions, run agents, manage your account
• To process payments — via Stripe
• To improve the Service — analyze aggregated, de-identified usage patterns
• To communicate with you — send transactional emails (receipts, password resets), product updates, and Service announcements
• To ensure security — detect fraud, abuse, and unauthorized access
• To comply with legal obligations — respond to lawful requests from public authorities

We do not use your Customer Data to train AI models or for any purpose other than providing the Service to you.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:

• Contract performance — processing necessary to fulfill our subscription agreement with you
• Legitimate interests — improving the Service, ensuring security, preventing fraud
• Legal obligation — complying with applicable laws
• Consent — for optional communications (you may withdraw consent at any time)

4. Third-Party Sharing and Sub-Processors

We do not sell, rent, or trade your personal data or Customer Data. We share information only with the following sub-processors:

• Anthropic, PBC — Claude API, document processing and agent inference
• Stripe, Inc. — payment processing
• Supabase, Inc. — managed Postgres, authentication, object storage
• Vercel Inc. — application hosting and edge runtime
• Cloudflare, Inc. — object storage (R2) and CDN
• Resend, Inc. — transactional email delivery
• Google LLC — optional SSO sign-in (Google OAuth)
• Microsoft Corporation — optional SSO sign-in (Microsoft OAuth)
• GitHub, Inc. — optional SSO sign-in (GitHub OAuth)

We may also disclose your information if required by law, court order, or to protect the rights, property, or safety of the Company, our customers, or others.

5. Data Retention

• Customer Data: Stored for as long as your account is active, and for up to 30 days after account termination, after which it is permanently deleted.
• Account information: Retained for the duration of your subscription and for up to 90 days after cancellation to allow for account recovery, then deleted or anonymized.
• Payment records: Retained as required by applicable tax and accounting laws (typically 7 years).
• Usage logs: Retained for up to 12 months for security and service improvement purposes.

6. Your Rights (GDPR — EEA Residents)

If you are located in the EEA, you have the following rights regarding your personal data:

• Right of access, rectification, erasure, data portability, restriction of processing, objection, and withdrawal of consent

To exercise any of these rights, contact us at info@surfturf.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

7. Your Rights (CCPA — California Residents)

California residents have the right to know, delete, opt out of sale (we do not sell personal information), and non- discrimination. To submit a CCPA request, contact us at info@surfturf.ai.

8. Cookies and Tracking

We use essential cookies required for authentication and to keep you logged in (session cookies). You can control cookie preferences through your browser settings. Disabling essential cookies may prevent you from using parts of the Service.

9. Data Security

• Encryption in transit (TLS/HTTPS)
• Encryption at rest for stored documents
• Access controls limiting data access to authorized personnel only
• OAuth 2.0 / OIDC for SSO sign-in
• HMAC-signed webhooks for inter-service traffic

No method of transmission over the Internet is 100% secure. In the event of a data breach that affects your personal data, we will notify you as required by applicable law.

10. International Data Transfers

We operate in the United States. If you access the Service from the EEA, your personal data will be transferred to and processed in the U.S. We rely on appropriate transfer mechanisms (including Standard Contractual Clauses where required) to ensure adequate protection of your data in cross-border transfers. To request a copy of applicable transfer safeguards, contact us at info@surfturf.ai.

11. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (at the address associated with your account) or by posting a prominent notice on the Service, at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at info@surfturf.ai.