Your data, your rights

Privacy Policy

Surfaced ("we", "us", "our") is a product of EXPX, registered in the Netherlands. We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Dutch data protection law.

Last updated: 28 March 2026

1. Data Controller

EXPX is the data controller for the personal data processed through getsurfaced.ai. For questions about this policy or your data, contact us at privacy@getsurfaced.ai.

2. What Data We Collect

2.1 Account Data

When you sign up, we collect:

Email address (used for authentication via magic link)
Workspace and organization information you create

2.2 Usage Data

When you use our platform, we collect:

Pages visited, features used, and actions taken within the application
AI visibility scan results and generated content metadata
Browser type, device type, and approximate location (country/region level)

2.3 Contact Form Data

When you submit a contact inquiry, we collect:

Name, email, company name, company size
Inquiry type and message content

2.4 Payment Data

Payments are processed by Stripe. We do not store credit card numbers. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.

3. Legal Basis for Processing

We process your data under the following GDPR legal bases:

Purpose	Legal Basis
Providing the service (account, scans, content)	Contract performance (Art. 6(1)(b))
Processing payments	Contract performance (Art. 6(1)(b))
Analytics cookies (GA4, PostHog)	Consent (Art. 6(1)(a))
Marketing cookies (Google Ads, LinkedIn)	Consent (Art. 6(1)(a))
Responding to contact inquiries	Legitimate interest (Art. 6(1)(f))
Security, fraud prevention	Legitimate interest (Art. 6(1)(f))

4. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our platform and measure its performance. You can manage your preferences via our cookie consent banner, accessible at any time via the "Cookie Settings" link in the footer.

4.1 Necessary Cookies

These are always active and required for the platform to function.

Cookie	Provider	Purpose	Duration
sb-*-auth-token	Supabase	Authentication session	Session
cookie_consent	Surfaced	Stores your cookie preferences	1 year
sidebar_state	Surfaced	Sidebar open/closed preference	7 days
theme	Surfaced	Light/dark mode preference	1 year

4.2 Analytics Cookies

Only set after you grant analytics consent. Used to understand how visitors interact with our site and improve the experience.

Cookie / Technology	Provider	Purpose	Duration
_ga, _ga_*	Google Analytics 4	Page views, user journeys, event tracking	2 years
ph_*	PostHog	Product analytics, feature usage	1 year
Vercel Analytics	Vercel	Web vitals, page performance	Session

4.3 Marketing Cookies

Only set after you grant marketing consent. Used to measure ad campaign effectiveness and build remarketing audiences.

Cookie / Technology	Provider	Purpose	Duration
_gcl_au, _gcl_aw	Google Ads	Conversion tracking, remarketing	90 days
li_fat_id, li_sugr	LinkedIn	Conversion tracking via Insight Tag	90 days

5. Third-Party Data Processors

We share data with the following processors, all under appropriate safeguards:

Processor	Purpose	Location
Supabase (AWS)	Database, authentication	EU (Frankfurt)
Vercel	Hosting, edge functions, analytics	Global CDN (US entity, SCCs)
Stripe	Payment processing	US (SCCs + DPF)
Google (GA4, Ads, GTM)	Analytics, advertising	US (DPF certified)
PostHog	Product analytics	EU (Frankfurt)
LinkedIn	Advertising conversion tracking	US (SCCs)
Upstash	Background job queue, caching	EU (Frankfurt)
OpenAI / OpenRouter	AI content generation	US (DPA in place)

For US-based processors, we rely on EU-US Data Privacy Framework (DPF) certification and/or Standard Contractual Clauses (SCCs) as the legal transfer mechanism under GDPR Chapter V.

6. Data Retention

Account data: retained while your account is active. Deleted within 30 days of account deletion request.
Analytics data: retained for up to 26 months (GA4 default), 12 months (PostHog).
Contact form data: retained for up to 12 months after last interaction.
Payment records: retained as required by Dutch tax law (7 years).
Cookie consent preferences: stored for 1 year in your browser.

7. Your Rights Under GDPR

As an EU/EEA data subject, you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — correct inaccurate or incomplete data
Erasure — request deletion of your data ("right to be forgotten")
Restriction — limit how we process your data
Portability — receive your data in a structured, machine-readable format
Object — object to processing based on legitimate interest
Withdraw consent — revoke previously given consent at any time (e.g., via Cookie Settings in the footer)

To exercise any of these rights, email privacy@getsurfaced.ai. We will respond within 30 days.

9. Data Security

We protect your data through:

Encryption in transit (TLS 1.3) and at rest (AES-256)
Row Level Security (RLS) policies on all database tables
Passwordless authentication (magic links only, no stored passwords)
Role-based access control within workspaces
Regular security reviews and dependency updates

10. Children's Privacy

Surfaced is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

11. Supervisory Authority

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or a notice on our platform. The "Last updated" date at the top reflects the most recent revision.

Questions? Contact us at privacy@getsurfaced.ai or visit our contact page.

Your data, your rights

Privacy Policy

Last updated: 28 March 2026

1. Data Controller

EXPX is the data controller for the personal data processed through getsurfaced.ai. For questions about this policy or your data, contact us at privacy@getsurfaced.ai.

2. What Data We Collect

2.1 Account Data

When you sign up, we collect:

Email address (used for authentication via magic link)
Workspace and organization information you create

2.2 Usage Data

When you use our platform, we collect:

Pages visited, features used, and actions taken within the application
AI visibility scan results and generated content metadata
Browser type, device type, and approximate location (country/region level)

2.3 Contact Form Data

When you submit a contact inquiry, we collect:

Name, email, company name, company size
Inquiry type and message content

2.4 Payment Data

Payments are processed by Stripe. We do not store credit card numbers. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.

3. Legal Basis for Processing

We process your data under the following GDPR legal bases:

Purpose	Legal Basis
Providing the service (account, scans, content)	Contract performance (Art. 6(1)(b))
Processing payments	Contract performance (Art. 6(1)(b))
Analytics cookies (GA4, PostHog)	Consent (Art. 6(1)(a))
Marketing cookies (Google Ads, LinkedIn)	Consent (Art. 6(1)(a))
Responding to contact inquiries	Legitimate interest (Art. 6(1)(f))
Security, fraud prevention	Legitimate interest (Art. 6(1)(f))

4. Cookies and Tracking Technologies

4.1 Necessary Cookies

These are always active and required for the platform to function.

Cookie	Provider	Purpose	Duration
sb-*-auth-token	Supabase	Authentication session	Session
cookie_consent	Surfaced	Stores your cookie preferences	1 year
sidebar_state	Surfaced	Sidebar open/closed preference	7 days
theme	Surfaced	Light/dark mode preference	1 year

4.2 Analytics Cookies

Only set after you grant analytics consent. Used to understand how visitors interact with our site and improve the experience.

Cookie / Technology	Provider	Purpose	Duration
_ga, _ga_*	Google Analytics 4	Page views, user journeys, event tracking	2 years
ph_*	PostHog	Product analytics, feature usage	1 year
Vercel Analytics	Vercel	Web vitals, page performance	Session

4.3 Marketing Cookies

Only set after you grant marketing consent. Used to measure ad campaign effectiveness and build remarketing audiences.

Cookie / Technology	Provider	Purpose	Duration
_gcl_au, _gcl_aw	Google Ads	Conversion tracking, remarketing	90 days
li_fat_id, li_sugr	LinkedIn	Conversion tracking via Insight Tag	90 days

5. Third-Party Data Processors

We share data with the following processors, all under appropriate safeguards:

Processor	Purpose	Location
Supabase (AWS)	Database, authentication	EU (Frankfurt)
Vercel	Hosting, edge functions, analytics	Global CDN (US entity, SCCs)
Stripe	Payment processing	US (SCCs + DPF)
Google (GA4, Ads, GTM)	Analytics, advertising	US (DPF certified)
PostHog	Product analytics	EU (Frankfurt)
LinkedIn	Advertising conversion tracking	US (SCCs)
Upstash	Background job queue, caching	EU (Frankfurt)
OpenAI / OpenRouter	AI content generation	US (DPA in place)

For US-based processors, we rely on EU-US Data Privacy Framework (DPF) certification and/or Standard Contractual Clauses (SCCs) as the legal transfer mechanism under GDPR Chapter V.

6. Data Retention

Account data: retained while your account is active. Deleted within 30 days of account deletion request.
Analytics data: retained for up to 26 months (GA4 default), 12 months (PostHog).
Contact form data: retained for up to 12 months after last interaction.
Payment records: retained as required by Dutch tax law (7 years).
Cookie consent preferences: stored for 1 year in your browser.

7. Your Rights Under GDPR

As an EU/EEA data subject, you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — correct inaccurate or incomplete data
Erasure — request deletion of your data ("right to be forgotten")
Restriction — limit how we process your data
Portability — receive your data in a structured, machine-readable format
Object — object to processing based on legitimate interest
Withdraw consent — revoke previously given consent at any time (e.g., via Cookie Settings in the footer)

To exercise any of these rights, email privacy@getsurfaced.ai. We will respond within 30 days.

9. Data Security

We protect your data through:

Encryption in transit (TLS 1.3) and at rest (AES-256)
Row Level Security (RLS) policies on all database tables
Passwordless authentication (magic links only, no stored passwords)
Role-based access control within workspaces
Regular security reviews and dependency updates

10. Children's Privacy

11. Supervisory Authority

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or a notice on our platform. The "Last updated" date at the top reflects the most recent revision.

Questions? Contact us at privacy@getsurfaced.ai or visit our contact page.

Privacy Policy

1. Data Controller

2. What Data We Collect

2.1 Account Data

2.2 Usage Data

2.3 Contact Form Data

2.4 Payment Data

3. Legal Basis for Processing

4. Cookies and Tracking Technologies

4.1 Necessary Cookies

4.2 Analytics Cookies

4.3 Marketing Cookies

5. Third-Party Data Processors

6. Data Retention

7. Your Rights Under GDPR

8. Consent Management

9. Data Security

10. Children's Privacy

11. Supervisory Authority

12. Changes to This Policy

Privacy Policy

1. Data Controller

2. What Data We Collect

2.1 Account Data

2.2 Usage Data

2.3 Contact Form Data

2.4 Payment Data

3. Legal Basis for Processing

4. Cookies and Tracking Technologies

4.1 Necessary Cookies

4.2 Analytics Cookies

4.3 Marketing Cookies

5. Third-Party Data Processors

6. Data Retention

7. Your Rights Under GDPR

8. Consent Management

9. Data Security

10. Children's Privacy

11. Supervisory Authority

12. Changes to This Policy