Privacy Policy
Surfaced ("we", "us", "our") is a product of EXPX, registered in the Netherlands. We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Dutch data protection law.
Last updated: 11 May 2026
1. Data Controller
EXPX is the data controller for the personal data processed through getsurfaced.ai. For questions about this policy or your data, contact us at privacy@getsurfaced.ai.
2. What Data We Collect
2.1 Account Data
When you sign up, we collect:
- Email address (used for authentication via magic link)
- Workspace and organization information you create
2.2 Usage Data
When you use our platform, we collect:
- Pages visited, features used, and actions taken within the application
- AI visibility scan results and generated content metadata
- Browser type, device type, and approximate location (country/region level)
2.3 Contact Form Data
When you submit a contact inquiry, we collect:
- Name, email, company name, company size
- Inquiry type and message content
2.4 Payment Data
Payments are processed by Stripe. We do not store credit card numbers. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
2.5 Knowledge Base Content
When you upload documents (PDF, DOCX, Markdown, CSV, JSON, TXT) or sync website pages to your workspace knowledge base, we process the content as follows:
- Text is extracted from the file on our servers. The original binary file is not retained.
- Extracted text and its vector embeddings are stored in our primary database (EU, Frankfurt), encrypted at rest and gated by row-level security so that only members of your workspace can access them.
- Content is used solely to power retrieval and generation features inside your workspace. It is not used to train any AI model operated by us or our LLM sub-processors (see section 5).
- You can delete any document at any time; the deletion cascades to its embeddings within seconds.
You remain the data controller for content you upload. If you upload documents containing personal data of third parties, you are responsible for the legal basis for that upload under GDPR Art. 6.
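As an added illustration, not Surfaced's own schema or code, the Postgres SQL below shows how the two guarantees in this section, workspace-scoped row-level security and deletion that cascades from a document to its embeddings, are typically implemented on a Supabase-style database. Table, column, function and policy names are hypothetical; `auth.uid()` is assumed to be Supabase's helper that returns the authenticated user's id from the request JWT, and the `vector` type is assumed to come from the pgvector extension.

```sql
-- Illustrative Postgres schema. All names are hypothetical, not Surfaced's actual
-- schema. auth.uid() is assumed to be Supabase's JWT-derived user id helper.
create extension if not exists vector;   -- pgvector, for the embedding column

create table workspaces (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table workspace_members (
  workspace_id uuid not null references workspaces(id) on delete cascade,
  user_id      uuid not null,
  primary key (workspace_id, user_id)
);

-- Only the extracted text is kept; the original binary file is never written here.
create table kb_documents (
  id             uuid primary key default gen_random_uuid(),
  workspace_id   uuid not null references workspaces(id) on delete cascade,
  title          text not null,
  extracted_text text not null
);

-- Embeddings are child rows of a document. "on delete cascade" is what makes a
-- document deletion remove every chunk and embedding in the same transaction.
create table kb_chunks (
  id           bigserial primary key,
  document_id  uuid not null references kb_documents(id) on delete cascade,
  workspace_id uuid not null references workspaces(id) on delete cascade,
  chunk_text   text not null,
  embedding    vector(1536)
);

-- Membership test used by every policy. security definer lets it read
-- workspace_members without that table's own RLS recursing; the pinned
-- search_path stops a caller from shadowing the tables it reads.
create function is_workspace_member(ws uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from workspace_members
    where workspace_id = ws and user_id = auth.uid()
  );
$$;

alter table kb_documents enable row level security;
alter table kb_chunks    enable row level security;
-- force: apply the policies to the table owner too, not only to other roles
alter table kb_documents force row level security;
alter table kb_chunks    force row level security;

-- using() filters rows on select/update/delete; with check() rejects inserts or
-- updates that would place a row in a workspace the caller does not belong to.
create policy kb_documents_workspace_members on kb_documents
  for all
  using (is_workspace_member(workspace_id))
  with check (is_workspace_member(workspace_id));

create policy kb_chunks_workspace_members on kb_chunks
  for all
  using (is_workspace_member(workspace_id))
  with check (is_workspace_member(workspace_id));

-- User-initiated deletion (placeholder id): one statement removes the document
-- and, through the foreign key, every chunk and embedding derived from it.
delete from kb_documents where id = '00000000-0000-0000-0000-000000000001';
```

Two caveats a practitioner would check. First, RLS only binds connections made as a role without `BYPASSRLS`; a service-role key or superuser connection used by background jobs sees every row, so those code paths must filter by workspace themselves. Second, a non-member querying `kb_chunks` gets zero rows rather than an error, so access tests should assert on the row count, not on an exception. The foreign-key cascade also only affects the live database; removal from backups is a separate process with its own timeline.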
3. Legal Basis for Processing
We process your data under the following GDPR legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the service (account, scans, content) | Contract performance (Art. 6(1)(b)) |
| Processing payments | Contract performance (Art. 6(1)(b)) |
| Analytics cookies (GA4, PostHog) | Consent (Art. 6(1)(a)) |
| Marketing cookies (Google Ads, LinkedIn) | Consent (Art. 6(1)(a)) |
| Responding to contact inquiries | Legitimate interest (Art. 6(1)(f)) |
| Security, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
5. Third-Party Data Processors
We share data with the following processors, all under appropriate safeguards:
5.1 Infrastructure and Platform
| Processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Primary database, authentication, file storage | EU (Frankfurt) |
| Vercel | Hosting, edge functions, web analytics, AI Gateway | Global CDN (US entity, SCCs) |
| Upstash | Background job queue (QStash), Redis caching | EU (Frankfurt) |
| Trigger.dev | Long-running background job orchestration | US (SCCs) |
| Stripe | Payment processing | US (SCCs + DPF) |
| Resend | Transactional email delivery | US (SCCs + DPF) |
5.2 LLM and AI Sub-processors
LLM calls route through Vercel AI Gateway, which forwards prompts to the underlying model provider. For workspaces in the EU we route Claude and Gemini via the providers' EU datacenters where available. None of the providers below train their models on data we send via the API; this is contractually guaranteed in the API/Enterprise agreement of each.
| Processor | Models | Location |
|---|---|---|
| OpenAI | GPT family, embeddings | US (DPA, no training) |
| Anthropic | Claude family | US / EU (via AWS Bedrock for EU workspaces) |
| Google Cloud (Vertex AI) | Gemini family | EU (Frankfurt) when EU workspace, otherwise US |
| xAI | Grok family + web search | US (DPA) |
| Perplexity | Sonar (web-grounded search) | US (DPA) |
| Microsoft Azure (OpenAI) | GPT family (opt-in regional) | EU / APAC |
| OpenRouter | Legacy LLM router (being phased out) | US (DPA in place) |
5.3 Analytics and Marketing
| Processor | Purpose | Location |
|---|---|---|
| PostHog | Product analytics, session insights | EU (Frankfurt) |
| Google (GA4, Ads, GTM) | Analytics, advertising | US (DPF certified) |
| LinkedIn | Advertising conversion tracking | US (SCCs) |
For US-based processors, we rely on EU-US Data Privacy Framework (DPF) certification and/or Standard Contractual Clauses (SCCs) as the legal transfer mechanism under GDPR Chapter V.
6. Data Retention
- Account data: retained while your account is active. Deleted within 30 days of account deletion request.
- Analytics data: retained for up to 26 months (GA4) and 12 months (PostHog).
- Contact form data: retained for up to 12 months after last interaction.
- Knowledge base content: retained for the lifetime of the workspace it belongs to. Individual documents and their embeddings are deleted on demand and purged from backups within 30 days.
- Payment records: retained as required by Dutch tax law (7 years).
- Cookie consent preferences: stored for 1 year in your browser.
7. Your Rights Under GDPR
As an EU/EEA data subject, you have the right to:
- Access: request a copy of the personal data we hold about you
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion of your data ("right to be forgotten")
- Restriction: limit how we process your data
- Portability: receive your data in a structured, machine-readable format
- Object: object to processing based on legitimate interest
- Withdraw consent: revoke previously given consent at any time (e.g., via Cookie Settings in the footer)
To exercise any of these rights, email privacy@getsurfaced.ai. We will respond within 30 days.
8. Consent Management
When you first visit our site, a cookie consent banner appears with three options:
- Accept all: enables analytics and marketing cookies
- Customize: choose which categories to enable
- Reject all: only necessary cookies remain active
You can change your preferences at any time via the "Cookie Settings" link in the website footer. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
We use Google Consent Mode v2 to ensure that analytics and advertising tags respect your choices in real time.
9. Data Security
We protect your data through:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Row Level Security (RLS) policies on all database tables
- Passwordless authentication (magic links only, no stored passwords)
- Role-based access control within workspaces
- Regular security reviews and dependency updates
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority within 72 hours of becoming aware of the breach, in line with GDPR Art. 33, and inform affected users without undue delay as required by Art. 34.
10. Data Processing Agreement
If you process personal data of third parties through Surfaced (for example, the authors or readers of content you upload), you act as the data controller and we act as a data processor on your behalf within the meaning of GDPR Art. 28.
We offer a standard Data Processing Agreement (DPA) covering the relationship, including the list of sub-processors in section 5, security measures, breach notification, and the SCCs for any international transfers. To request a countersigned copy, email privacy@getsurfaced.ai.
We notify customers of material changes to our sub-processor list at least 30 days before they take effect, giving you time to object.
11. Children's Privacy
Surfaced is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
12. Supervisory Authority
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or a notice on our platform. The "Last updated" date at the top reflects the most recent revision.
Questions? Contact us at privacy@getsurfaced.ai or visit our contact page.