Surfaced ("we", "us", "our") is a product of EXPX, registered in the Netherlands. We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Dutch data protection law.
Last updated: 11 May 2026
EXPX is the data controller for the personal data processed through getsurfaced.ai. For questions about this policy or your data, contact us at privacy@getsurfaced.ai.
When you sign up, we collect:
When you use our platform, we collect:
When you submit a contact inquiry, we collect:
Payments are processed by Stripe. We do not store credit card numbers. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
When you upload documents (PDF, DOCX, Markdown, CSV, JSON, TXT) or sync website pages to your workspace knowledge base, we process the content as follows:
You remain the data controller for content you upload. If you upload documents containing personal data of third parties, you are responsible for the legal basis for that upload under GDPR Art. 6.
We process your data under the following GDPR legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the service (account, scans, content) | Contract performance (Art. 6(1)(b)) |
| Processing payments | Contract performance (Art. 6(1)(b)) |
| Analytics cookies (GA4, PostHog) | Consent (Art. 6(1)(a)) |
| Marketing cookies (Google Ads, LinkedIn) | Consent (Art. 6(1)(a)) |
| Responding to contact inquiries | Legitimate interest (Art. 6(1)(f)) |
| Security, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
We share data with the following processors, all under appropriate safeguards:
| Processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Primary database, authentication, file storage | EU (Frankfurt) |
| Vercel | Hosting, edge functions, web analytics, AI Gateway | Global CDN (US entity, SCCs) |
| Upstash | Background job queue (QStash), Redis caching | EU (Frankfurt) |
| Trigger.dev | Long-running background job orchestration | US (SCCs) |
| Stripe | Payment processing | US (SCCs + DPF) |
| Resend | Transactional email delivery | US (SCCs + DPF) |
LLM calls route through Vercel AI Gateway, which forwards prompts to the underlying model provider. For workspaces in the EU we route Claude and Gemini via the providers' EU datacenters where available. None of the providers below train their models on data we send via the API; this is contractually guaranteed in the API/Enterprise agreement of each.
| Processor | Models | Location |
|---|---|---|
| OpenAI | GPT family, embeddings | US (DPA, no training) |
| Anthropic | Claude family | US / EU (via AWS Bedrock for EU workspaces) |
| Google Cloud (Vertex AI) | Gemini family | EU (Frankfurt) when EU workspace, otherwise US |
| xAI | Grok family + web search | US (DPA) |
| Perplexity | Sonar (web-grounded search) | US (DPA) |
| Microsoft Azure (OpenAI) | GPT family (opt-in regional) | EU / APAC |
| OpenRouter | Legacy LLM router (being phased out) | US (DPA in place) |

| Processor | Purpose | Location |
|---|---|---|
| PostHog | Product analytics, session insights | EU (Frankfurt) |
| Google (GA4, Ads, GTM) | Analytics, advertising | US (DPF certified) |
| | Advertising conversion tracking | US (SCCs) |
For US-based processors, we rely on EU-US Data Privacy Framework (DPF) certification and/or Standard Contractual Clauses (SCCs) as the legal transfer mechanism under GDPR Chapter V.
As an EU/EEA data subject, you have the right to:
To exercise any of these rights, email privacy@getsurfaced.ai. We will respond within 30 days.
When you first visit our site, a cookie consent banner appears with three options:
You can change your preferences at any time via the "Cookie Settings" link in the website footer. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
We use Google Consent Mode v2 to ensure that analytics and advertising tags respect your choices in real time.
We protect your data through:
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority within 72 hours of becoming aware of the breach, in line with GDPR Art. 33, and inform affected users without undue delay as required by Art. 34.
If you process personal data of third parties through Surfaced (for example, the authors or readers of content you upload), you act as the data controller and we act as a data processor on your behalf within the meaning of GDPR Art. 28.
We offer a standard Data Processing Agreement (DPA) covering the relationship, including the list of sub-processors in section 5, security measures, breach notification, and the SCCs for any international transfers. To request a countersigned copy, email privacy@getsurfaced.ai.
We notify customers of material changes to our sub-processor list at least 30 days before they take effect, giving you time to object.
Surfaced is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
We may update this policy from time to time. Material changes will be communicated via email or a notice on our platform. The "Last updated" date at the top reflects the most recent revision.
Questions? Contact us at privacy@getsurfaced.ai or visit our contact page.