Last updated: 10 June 2026
Controller & Contact: This Privacy Policy is issued by Surfais Ltd (“Surfais”, “we”, “us” or “our”), a company registered in England and Wales (company number 17195527) with its registered office at Suite RA01, 195-197 Wood Street, London, E17 3NU, United Kingdom. For any privacy questions, you can reach us at hello+privacy@surfais.com. We value your privacy and strive to use data only as needed to provide and improve our services, in compliance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. Where we offer our services to individuals in the European Economic Area, the EU GDPR also applies.
Scope: This policy explains how we process personal data in different scenarios: when you visit our website, sign up for an account, use our product, receive communications from us, make payments, or when your data is used in our internal operations. For each scenario we describe what data is used, for what purpose, on what legal basis (under Article 6 UK GDPR), who our service providers (“processors”) are, any international transfers, and your rights.
In brief: Our website informs you about Surfais. We use analytics tools to understand how the site is used, and we minimise personal data in the process. Cookies and similar technologies for analytics or advertising are only used with your consent.
Purpose: To load the website for you and ensure its security and performance. With your permission, we also collect analytics data (e.g. page views, clicks) to understand site usage and improve content.
Data & Cookies: When you visit, we (or our analytics tools) may collect information such as your IP address, browser type and version, device identifiers, and referring site. Essential cookies are only used to make the site function and do not require consent. Analytics and advertising cookies are set only if you opt in via our cookie consent banner. You can adjust your cookie preferences at any time. Declining analytics cookies will not affect basic use of the site.
Legal Basis: Processing of basic connection data to deliver the website is based on our legitimate interest (Art. 6(1)(f) UK GDPR) in providing a secure and functional website you requested. Analytics and advertising cookies rely on your consent (Art. 6(1)(a) UK GDPR), obtained via the cookie banner, and on the Privacy and Electronic Communications Regulations (PECR).
Processors: We use Google Analytics 4 (Google Ireland Ltd.) to understand how visitors use our site, configured with IP truncation and without collecting directly identifying information. We use Google Tag Manager to manage website scripts. Our website is hosted by Webflow, Inc. (USA), and our web application is hosted by Vercel, Inc. (USA). Some processors may transfer data to third countries (see section 7 below).
In brief: When you register for a Surfais account, we collect the information we need to create and manage your account — typically your email address, name, and organisation name. Authentication and account storage are handled by Supabase.
Purpose: To create your user account, authenticate you, and set up your organisation’s workspace in our application.
Data Collected: For registration you provide an email address (verified via confirmation email or login link), and your name and/or organisation name. We generate an internal user ID for your account. During sign-up and login we also receive technical data such as your IP address and device/browser information, used to deliver login verification and secure your account.
Legal Basis: Contract (Art. 6(1)(b) UK GDPR) — we need this data to provide you the service you are requesting.
Processors: We use Supabase, Inc. for user authentication and as our primary database, where your account data is stored. Supabase hosts our data on cloud infrastructure (AWS).
Storage: We retain your registration data for as long as you are an active user. After account deletion, data may persist for a short time in backups and logs, and we retain what is required to comply with legal obligations.
In brief: Once you have an account and use the Surfais application, we process your data to deliver the service’s functionality, to monitor and improve the product, and to support you.
Purpose: (A) Providing the core features of our service — monitoring and analysing how brands appear in AI-generated responses; (B) Product analytics and improvement; (C) Customer support; (D) Security and maintenance.
Data Collected: When you use the app, we process the information you actively provide or generate. This includes the content you configure (e.g. brand names, prompts, competitor names, target countries, project settings) and the results we generate for you (AI platform responses, brand mentions, sentiment, source citations, scores, reports). We also collect usage data — actions taken in the app, feature usage frequency, and error logs. Usage analytics are tied to a user ID or aggregated; we avoid using names or contact details in analytics.
AI Platform Queries: A core function of Surfais is sending the prompts you configure to third-party AI platforms (currently OpenAI (ChatGPT), Anthropic (Claude), Google (Gemini and AI Overviews via SerpAPI), and Perplexity) and analysing the responses. You should not include personal data in your prompts. These providers act as independent services whose terms and privacy policies also apply to the processing they carry out.
Google Search Console Integration: If you choose to connect your Google Search Console account, we access your Search Console data via Google’s API solely to provide the integration features you request. Surfais’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, and we do not sell it. You can disconnect the integration at any time, which revokes our access.
Legal Basis: Most processing is necessary for performing our contract with you (Art. 6(1)(b) UK GDPR). Analytics, improvement, and security are also based on our legitimate interest (Art. 6(1)(f) UK GDPR).
Processors: We rely on trusted service providers to operate our product:
We have data processing agreements in place with our processors, requiring them to keep your data confidential and secure and to process it only on our instructions.
Storage: Data you create in the product remains stored until you delete it or request deletion of your account. If you delete something, we remove it from our live database, though it may remain briefly in backups before being fully purged.
In brief: If you are a user, we send you essential service emails. If you subscribe to marketing communications, we send those only with your consent and you can unsubscribe at any time. If you contact us, we use the information you provide to respond to you.
Data Collected: Transactional emails (account invitations, report deliveries, security alerts, payment receipts); marketing emails (your email address and record of consent, with an unsubscribe link in every message); support and enquiries (the information you include); and email engagement (whether emails were delivered, opened, or clicked).
Legal Basis: Transactional and service emails: contract (Art. 6(1)(b) UK GDPR). Marketing emails: consent (Art. 6(1)(a) UK GDPR) or the soft opt-in under PECR with a clear opt-out. Support communications: contract and our legitimate interest (Art. 6(1)(f)).
Processors: We use Resend, Inc. (USA) to send transactional and product emails. Our business email is handled by our email provider (see section 6).
Storage: We keep your contact information for as long as you are subscribed or as needed to fulfil the purpose. Billing emails are retained with our financial records. Support correspondence is retained for a reasonable period.
In brief: If you choose a paid plan, we process the necessary billing information. We do not process or store your card details ourselves — we use Stripe as our payment processor.
Purpose: To charge you for the service, manage billing, and maintain transaction records as required by accounting and tax law.
Data Collected: Your payment details (card number, expiry, CVC, billing name and address) are collected directly by Stripe via secure forms — we do not see or store your full card number. Stripe provides us with a payment token, card brand, expiry, and last four digits. We store billing contact information, transaction details (amount, date, invoice ID), and your VAT number where applicable.
Legal Basis: Contract (Art. 6(1)(b) UK GDPR) for processing payments; legal obligation (Art. 6(1)(c) UK GDPR) for retaining billing records — UK tax law generally requires retention for at least 6 years.
Processors: Stripe (Stripe Payments UK Ltd. / Stripe, Inc.) processes payments, subscriptions, invoices, and may send receipt emails on our behalf. See section 7 regarding transfers to Stripe’s US infrastructure.
Storage: Stripe stores payment card data; we store only tokens and references. Financial records are retained for at least the minimum period required by law (generally 6 years in the UK).
In brief: We also process personal data internally for administrative purposes — for example, team communications about supporting you, or records of contracts you sign with us.
Purpose: Internal communications about service delivery, record-keeping, document collaboration, and running the business; processing job applications where relevant.
Data Collected: Personal data that arises in internal communications and files: email correspondence, documents or spreadsheets referencing customer accounts and statuses, contracts and agreements containing contact names and signatures, internal support notes, and — for job applicants — application documents, qualifications, and interview notes.
Legal Basis: Contract (Art. 6(1)(b) UK GDPR) or our legitimate interests (Art. 6(1)(f) UK GDPR) in running our business effectively.
Processors (Internal Tools): We use Google Workspace (Google Ireland Ltd.) for business email, calendar, documents, and file storage, and Slack (Salesforce, Inc.) for internal communications and operational alerts.
Storage: Personal data in internal systems is kept only as long as needed. Contracts are retained for their duration plus the period required by law (generally 6 years in the UK). Unsuccessful job applications are retained for up to 6 months unless the applicant consents to longer retention.
Some of our processors (e.g. Supabase, Railway, Vercel, Stripe, Resend, Sentry, PostHog, Google, and the AI platform providers) may process data in the United States or other countries outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place: the UK Extension to the EU-US Data Privacy Framework (for certified US providers), the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with supplementary measures where appropriate. We only transfer data internationally where necessary and with appropriate protection.
Just send us an email at hello+privacy@surfais.com with any privacy-related request and we will take care of it. Under the UK GDPR you have the right to: access your personal data; rectify inaccurate data; erase your data; restrict processing; object to processing based on legitimate interests; data portability; and to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal).
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority (ico.org.uk, helpline 0303 123 1113). We would appreciate the chance to address your concerns first, but you may contact the ICO at any time.
We will not charge you for exercising these rights (except in exceptional cases of manifestly unfounded or excessive requests, where the law allows a reasonable fee or refusal). We will respond as soon as possible, and at the latest within one month, as required by law.
Data Security: We use appropriate technical and organisational measures to protect your personal data, including encryption in transit (HTTPS) and at rest, secure credential management, row-level access controls in our database, regular software updates, and restricting access to personal data to personnel who need it.
Other Recipients: We do not share your data with anyone outside our company except our processors, and where we are legally required to do so.
Automated Decisions: We do not use personal data for automated decision-making, including profiling, that produces legal or similarly significant effects on you (Article 22 UK GDPR). The analytics our service produces relate to brands and content, not to individuals.
Children’s Data: Our services are directed at businesses and are not intended for children under 18. We do not knowingly collect personal data from children. If we learn that we have inadvertently obtained personal information from a child, we will delete it.
Changes to this Policy: We may update this Privacy Policy from time to time to reflect changes in our services or legal requirements. If we make significant changes, we will notify you by email or by a prominent notice in our app or on our website. The “Last Updated” date at the top indicates the latest revision.
Contact Us: If you have any questions or concerns about this Privacy Policy or how Surfais handles your data, please contact us at hello+privacy@surfais.com.