Privacy Policy

Surface ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.

This policy applies to all Surface services. Please note that different roles have different data implications:

• Users/Creators: People who create accounts and build profile pages
• Visitors: People who view Creator profile pages
• Leads: People who submit their information through Creator forms

By using Surface, you consent to the data practices described in this policy.

Account Information:

• Email address
• Name
• Profile picture (optional)
• Password (stored as a secure hash, never in plain text)

Profile/Creator Data:

• Handle (@username)
• Display name and bio
• Avatar images
• Social links and URLs
• Links and content you add to your page
• Page settings and preferences

Analytics Data:

• Page views and link clicks
• Device type (mobile, desktop, tablet)
• Browser type
• Referrer URLs
• Country (derived from IP address, IP not stored long-term)
• UTM parameters

Lead Capture Data (on behalf of Creators):

• Email addresses
• Names (if collected)
• Submission timestamps
• Confirmation/opt-in status

Payment Information:

• Billing details (processed securely by Stripe)
• We do not store full credit card numbers
• Subscription status and billing history

Technical Data:

• IP addresses (for rate limiting and security, not stored long-term)
• Session identifiers
• Device identifiers

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data based on the following legal grounds under GDPR Article 6:

Legitimate Interest Assessment:

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. Our legitimate interests include:

• Operating, maintaining, and improving our platform and services
• Understanding how users interact with our Service to enhance user experience
• Detecting and preventing fraud, abuse, and security incidents
• Enforcing our Terms of Service and protecting our rights

You have the right to object to processing based on legitimate interests. See Section 9 for how to exercise this right.

To Provide the Service:

• Create and manage your account
• Host and display your profile pages
• Process lead submissions
• Display analytics dashboards
• Process subscription payments

To Improve the Service:

• Analyze usage patterns to identify improvements
• Debug issues and fix bugs
• Develop new features

To Communicate:

• Send service announcements and updates
• Notify you of security alerts
• Send marketing communications (with your consent; you can opt out)

For Security:

• Detect and prevent fraud and abuse
• Rate limit suspicious activity
• Protect against attacks

For Legal Compliance:

• Respond to legal requests and court orders
• Enforce our Terms of Service
• Protect our rights and the rights of others

Service Providers:

We share information with trusted third-party service providers who assist us in operating our platform:

We May Disclose Information:

• With your consent
• To comply with legal obligations (subpoenas, court orders)
• To protect our rights, safety, or property
• In connection with a business transfer (merger, acquisition, sale)

We Do NOT:

• Sell your personal information to third parties
• Share your data for third-party advertising purposes
• Provide your data to data brokers

What This Means for Leads:

• The Creator who collected your information controls how it is used
• For data access, correction, or deletion requests, contact the Creator directly
• Creators are responsible for GDPR, CCPA, and other privacy law compliance

Surface's Processing:

• We store lead data securely on behalf of Creators
• We provide Creators access to export and manage their leads
• We implement spam protection (rate limiting, honeypot fields)
• We maintain submission logs for spam protection (deleted after 1 hour)
• We honor Creator requests to delete lead data
• We support double opt-in for GDPR compliance

Essential Cookies:

• Authentication session cookies
• Security tokens
• User preferences

Analytics:

• First-party page view tracking
• First-party click tracking
• We do not use third-party advertising cookies

Local Storage:

• User interface preferences
• Draft content (before saving)

Your Choices:

You can manage cookie preferences through our cookie banner or your browser settings. Disabling certain cookies may affect the functionality of the Service.

After Account Deletion:

• Your profile is immediately unpublished
• Data is deleted within 30 days
• Some data may be retained for legal compliance
• Aggregate, anonymized analytics may be retained

GDPR Rights (EU Users):

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Limit how we process your data
• Portability: Receive your data in a portable format
• Object: Object to certain processing activities
• Withdraw Consent: Where processing is based on consent, withdraw it at any time
• Lodge a Complaint: File a complaint with your local data protection authority

EU Supervisory Authorities:

If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU data protection authorities can be found at edpb.europa.eu.

CCPA Rights (California Residents):

• Know: What personal information we collect
• Delete: Request deletion of your information
• Opt-Out: Of the sale of personal information (we do not sell)
• Non-Discrimination: For exercising your rights

How to Exercise Your Rights:

• Use your account settings for most requests
• Email privacy@surface.page for assistance
• We will respond within 30 days (GDPR) or 45 days (CCPA)
• We may need to verify your identity before processing requests

Surface is based in the United States, and your data may be processed in the US or other countries where our service providers operate.

For data transferred from the EU/EEA, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with our vendors

By using Surface, you consent to the transfer of your data to the United States and other jurisdictions.

We implement security measures to protect your data:

• Encryption in transit (HTTPS/TLS)
• Encryption at rest for sensitive data
• Regular security audits and assessments
• Access controls and authentication requirements
• Rate limiting and abuse prevention

While we strive to protect your information, no system is 100% secure. You are also responsible for protecting your account credentials and notifying us of any suspected unauthorized access.

Surface is not intended for users under 18 years of age. We do not knowingly collect personal information from minors. If we discover that we have collected data from a minor, we will delete it promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@surface.page.

Surface may contain links to third-party websites and integrate with third-party services (such as Stripe for payments). These third parties have their own privacy policies that govern their collection and use of your information.

Surface is not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you use.

Surface does not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you (as defined in GDPR Article 22).

Automated Processing We Do Use:

• Spam detection: Automated systems analyze lead capture submissions to identify and block spam. This does not produce legal effects on individuals.
• Rate limiting: Automated systems may temporarily restrict access to prevent abuse. These restrictions are temporary and can be appealed.
• Analytics aggregation: Automated processing of anonymized data for service improvement. This does not affect individual rights.

If you believe an automated system has made an error affecting your account, please contact us at support@surface.page for human review.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the Service at least 30 days before the changes take effect.

Your continued use of Surface after any changes constitutes acceptance of the updated policy. Previous versions of this policy are available upon request.

If you have questions about this Privacy Policy or our data practices, please contact us:

• Privacy inquiries: privacy@surface.page
• General support: support@surface.page