Privacy Policy

Last updated: 2026-04-03

Surfeo ("we", "our", "us") operates the Surfeo platform (https://surfeo.ai), a SaaS service that helps businesses measure and improve their visibility in AI-generated responses. This policy explains how we collect, use, and protect your personal data.

By signing up or using our service, you agree to the practices described in this policy. If you have questions, contact us at hello@surfeo.ai.

1. Data controller

The data controller for your data is Surfeo, based in Spain. You can contact us at hello@surfeo.ai for any privacy-related inquiries.

2. Data we collect

We collect the following types of data:

Account data

  • Email (required for registration)
  • Password (stored hashed, never in plain text)
  • Name (optional)

Business data

  • Your website URL
  • Business name
  • Sector or industry
  • City or location
  • Competitors (names and URLs)

Usage data

  • Visibility audit results
  • Scores (GeoScore)
  • Content generated within the platform

Payment data

  • Handled entirely by Stripe
  • We do not store card numbers on our servers
  • We store the Stripe customer ID and plan type

Analytics data

  • Pages visited and features used (anonymized)
  • Device type and browser
  • Country of origin (no exact IP address)

3. Legal basis for processing

We process your data based on the following GDPR legal bases:

Contract performance (Art. 6.1.b)

To manage your account, run audits, process payments, and provide the contracted service.

Legitimate interest (Art. 6.1.f)

For essential security and performance analytics, fraud prevention, and service improvement.

Consent (Art. 6.1.a)

For non-essential cookies (analytics, marketing), commercial communications, and affiliate tracking.

4. Service providers and data processors

We share data with the following providers, all of which have GDPR-compliant data processing agreements:

Provider | Purpose | Location
Supabase | Authentication and database | EU / US
Stripe | Payment processing | US
Google Analytics 4 | Web analytics | US
Vercel | Hosting and analytics | US
Rewardful | Affiliate program | US
Resend | Transactional email | US
OpenAI, Google, Perplexity, Anthropic | AI providers | US
Inngest | Background processing | US

For transfers outside the EEA, we ensure adequate safeguards are in place (EU Standard Contractual Clauses or adequacy decisions).

5. Cookies

We use the following types of cookies:

Essential

No consent required
Cookies | Purpose
Supabase session | Keep you logged in
NEXT_LOCALE | Remember your language preference

Analytics

Consent required
Cookies | Purpose
Google Analytics (_ga, _ga_*) | Measure anonymized site usage

Marketing

Consent required
Cookies | Purpose
Rewardful | Affiliate referral tracking

Functional

Consent required
Cookies | Purpose
Vercel Analytics / Speed Insights | Measure performance and loading speed

You can manage your cookie preferences at any time through the cookie banner or your browser settings.

6. Data retention

We retain your data for the following periods:

Data type | Retention period
Account data | Until you delete your account
Audit data | Until you delete your account
Analytics data | 14 months (GA4 default setting)
Payment records | 5 years (legal tax requirement)

When you delete your account, we erase all your personal and business data within 30 days. Payment records are retained as required by law.

7. Your rights

Under the GDPR, you have the following rights:

Access

Request a copy of all data we hold about you.

Rectification

Correct inaccurate or incomplete data.

Erasure

Request deletion of your personal data ("right to be forgotten").

Portability

Receive your data in a structured, machine-readable format.

Objection

Object to the processing of your data in certain circumstances.

Withdraw consent

Withdraw your consent at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, send an email to hello@surfeo.ai. We will respond within 30 days.

If you believe your rights have not been respected, you can file a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es.

8. Security

We implement technical and organizational measures to protect your data, including:

  • Encryption in transit (HTTPS/TLS) and at rest
  • Secure authentication with session tokens
  • Role-based access policies (Row Level Security)
  • Passwords hashed with secure algorithms (bcrypt)
  • Periodic security reviews

9. Children

Surfeo is not intended for users under 16 years of age. We do not knowingly collect data from minors. If we discover that we have collected data from a minor, we will delete it immediately.

10. Changes to this policy

We may update this privacy policy from time to time. We will post any changes on this page and indicate the date of the last update. For significant changes, we will notify you by email.

11. Contact

If you have questions about this privacy policy or how we handle your data, contact us:

Email: hello@surfeo.ai

Website: https://surfeo.ai

Data protection authority: AEPD (Spanish Data Protection Agency) — www.aepd.es