Privacy Policy

This Privacy Policy (“Policy”) explains how Surf Platforms Inc., a corporation organized under the laws of the State of Delaware with its principal place of business in San Jose, California (“Surf,” “Company,” “we,” “us,” or “our”), collects, uses, discloses, retains, and protects information in connection with the Surf and Surf Social applications, websites, application programming interfaces, and related services (collectively, the “Platform”).

This Policy is incorporated by reference into our Terms of Service and End User License Agreement. Capitalized terms not defined here have the meanings given in those documents. By accessing or using the Platform, you acknowledge that you have read and understood this Policy.

If you are located in California, the European Economic Area (“EEA”), the United Kingdom, or another jurisdiction with specific privacy rights, please see the region-specific sections below, which supplement this Policy and control in the event of any conflict for residents of those regions.

Information you provide to us. This includes the information you submit when you create an account (such as your name or display name, username, email address, and date of birth or age confirmation), the content you create, post, upload, or send (“User Content”), your profile information and settings, the messages and communications you exchange on the Platform, and the information you provide when you contact support, respond to surveys, or report a problem.

Subscription and payment information. If you purchase a paid subscription, our third-party payment processors collect and process your payment details. We do not store full payment card numbers. We retain limited billing records (such as transaction identifiers, plan, amount, and renewal dates) as required to operate subscriptions and to meet tax, accounting, and legal obligations.

Information we collect automatically. When you use the Platform, we and our service providers may collect limited technical information, including device and app identifiers, device type and operating system, app version, language and regional settings, IP address, general (city- or region-level) location derived from IP address, crash and diagnostic logs, and information about how you interact with features. We use this information to operate, secure, debug, and improve the Platform.

Information from other sources. If you choose to sign in through, or connect, a third-party service, we may receive limited information from that service consistent with your settings there. We may also receive information from service providers that help us prevent fraud and abuse.

We do not require, and we ask you not to submit, special categories of sensitive personal information except where you voluntarily include it in User Content. We do not use sensitive personal information to infer characteristics about you for advertising.

We use the information described above to: (a) provide, maintain, and operate the Platform and your account; (b) process subscriptions, billing, and renewals; (c) personalize your experience and operate the feed and discovery features according to the controls you set; (d) communicate with you about your account, transactions, security, and changes to our terms or policies; (e) provide customer support and respond to your requests; (f) maintain the safety, security, and integrity of the Platform, including detecting, investigating, and preventing fraud, abuse, spam, and violations of our terms; (g) develop, test, and improve features and the overall service; (h) comply with legal obligations and enforce our agreements; and (i) for other purposes disclosed to you at the time of collection or to which you consent.

Legal bases (EEA/UK). Where the GDPR or UK GDPR applies, we rely on the following legal bases: performance of our contract with you (to provide the Platform and your account); our legitimate interests (to secure and improve the Platform, prevent abuse, and operate our business), balanced against your rights; compliance with legal obligations; and your consent where required (for example, for certain optional features or communications), which you may withdraw at any time.

We do not use your private content (such as private messages) to train artificial-intelligence models without your consent.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We do not operate an advertising network and we do not disclose your information to advertisers or data brokers.

Service providers. We share information with vendors who process it on our behalf and under contract to provide the Platform — for example, cloud hosting and storage, payment processing, customer-support tooling, security and anti-abuse services, and communications delivery. These providers are permitted to use the information only to perform services for us.

Other users. Information you choose to make public — such as your profile, posts, and interactions — is visible to others according to your settings. Content you share with specific people may be re-shared by those recipients.

Legal and safety. We may disclose information if we believe in good faith that it is reasonably necessary to comply with a law, regulation, legal process, or governmental request; to enforce our terms; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Surf, our users, or the public, including reporting suspected illegal activity to appropriate authorities. We are committed to scrutinizing legal requests and, where appropriate and lawful, notifying affected users.

Business transfers. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to this Policy or a successor policy that provides comparable protection.

With your direction or consent. We share information at your direction or with your consent, including when you connect a third-party service.

Our websites use cookies and similar technologies that are strictly necessary to provide the site, remember your preferences, and keep it secure. Where required by law, we obtain consent before using any non-essential cookies or similar technologies, and we provide controls to manage them.

We aim to keep analytics first-party and to minimize the use of third-party tracking technologies. We do not use cookies or pixels to build advertising profiles or to track you across unrelated websites or apps. Where a feature relies on a service provider, that provider acts on our behalf and is not permitted to use the data for its own advertising.

You can control cookies through your browser settings and, where offered, through our cookie-preference controls. Disabling certain cookies may affect how the site functions.

Certain features of the Platform (branded “Surf Vision”) are designed to perform processing locally on your device and to minimize the data transmitted to our servers. For example, on-device models may detect the position of a face to reframe a video, separate a subject from its background, screen images for unsafe content, or generate captions and search suggestions. Where a feature operates on-device, the inputs and intermediate results of that processing are intended to remain on your device except as needed to deliver a result you request.

We do not guarantee the accuracy, reliability, or completeness of any automated or AI-assisted output, including content classification, search results, ranking, recommendations, or captions. You should not rely on such output as professional advice.

Biometric information. Surf Vision detects that a face is present in order to frame or apply effects to media; it is not designed to recognize or identify who you are, and we do not create, store, or use a biometric template, faceprint, or voiceprint to identify you. If any feature ever collects or uses biometric identifiers or biometric information as defined by applicable law (such as the Illinois Biometric Information Privacy Act, the Texas Capture or Use of Biometric Identifier Act, or the Washington biometric privacy law), we will first provide a specific notice, obtain any consent required by law, and publish a retention and destruction schedule for that data before the feature is made available to you.

We retain personal information for as long as your account is active or as needed to provide the Platform, and thereafter only as necessary to comply with our legal obligations, resolve disputes, prevent fraud and abuse, and enforce our agreements.

When you delete your account, we delete or de-identify your personal information within thirty (30) days, except for: (a) information we are required to retain by law (for example, certain billing and tax records); (b) limited information necessary to prevent fraud, abuse, or ban evasion, or to protect safety; (c) content that you shared with others who retain their own copies; and (d) residual copies in routine backups, which are overwritten on a rolling basis.

Where we are legally required to preserve specific information (for example, in response to a valid legal process or to comply with the TAKE IT DOWN Act or child-safety reporting laws), we retain that information for the period required.

Account information. You can review and update most of your account information directly in your settings. You can adjust your feed and personalization controls at any time.

Communications. You can opt out of non-essential email by following the unsubscribe instructions in those messages or adjusting your notification settings. We may still send you transactional and service messages (for example, security alerts and billing notices).

Access and portability. You can request a copy of your account data, and where available you can export it directly from your settings, in a portable format.

Deletion. You can delete your account at any time through your account settings, subject to the retention exceptions described above.

Opt-out preference signals. We honor the Global Privacy Control (“GPC”) and similar recognized browser signals as a valid request to opt out of any “sale” or “sharing” of personal information for the browser or device from which the signal is sent, to the extent required by law.

This section applies to California residents and supplements the rest of this Policy. In the preceding twelve (12) months, we have collected the categories of personal information described in Section 2 (identifiers; customer records; commercial information such as subscription history; internet or other electronic network activity; approximate geolocation; and the contents of communications and User Content you create). We collect this information for the business and commercial purposes described in Section 3, from the sources described in Section 2, and disclose it to the categories of recipients described in Section 4.

We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”). We have not done so in the preceding twelve (12) months, including with respect to consumers we know to be under sixteen (16) years of age.

Subject to certain exceptions, California residents have the right to: (a) know and access the specific pieces and categories of personal information we have collected; (b) delete personal information we have collected; (c) correct inaccurate personal information; (d) opt out of the sale or sharing of personal information (which we do not do); and (e) limit the use and disclosure of sensitive personal information (we do not use sensitive personal information for purposes that require an opt-out). We will not discriminate or retaliate against you for exercising any of these rights.

You may submit a request as described in Section 13 (“How to Exercise Your Rights”). You may use an authorized agent to submit a request on your behalf, subject to verification. We will verify your request using the information associated with your account.

This section applies if you are in the European Economic Area, the United Kingdom, or Switzerland. Surf Platforms Inc. is the controller of your personal data for the purposes described in this Policy.

Subject to the conditions in applicable law, you have the right to: access your personal data; rectify inaccurate data; erase your data; restrict or object to processing (including processing based on legitimate interests); data portability; and withdraw consent at any time where processing is based on consent, without affecting prior processing. You also have the right to lodge a complaint with your local supervisory authority.

International transfers. We are based in the United States, and your data will be processed in the United States and in other countries where we or our service providers operate. Where we transfer personal data out of the EEA or UK, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (and the UK Addendum), or another lawful transfer mechanism.

EU/UK representative and Data Protection Officer. If and when we offer the Platform to users in the EEA or UK, we will appoint and identify any legally required EU/UK representative and Data Protection Officer here, and we will comply with applicable obligations under the GDPR and the EU Digital Services Act. Until then, contact us at privacy@surfplatforms.com.

Depending on your state of residence (for example, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws), you may have rights to access, correct, delete, and obtain a portable copy of your personal information, and to opt out of targeted advertising, the sale of personal data, and certain profiling. We do not engage in targeted advertising or sell personal data. You may exercise applicable rights as described in Section 13, and, where required, you may appeal a decision by contacting us at privacy@surfplatforms.com.

The Platform is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe a child under 13 has provided us with personal information, please contact us at privacy@surfplatforms.com and we will take steps to delete it.

Where we have actual knowledge that a user is under 13, we will delete the account and associated personal information. For users we know to be minors, we apply additional protections consistent with applicable law and do not use their information for targeted advertising (which we do not do for any user).

You can exercise many choices directly in your account settings. To submit a privacy request (access, correction, deletion, portability, or to ask a question), contact us at privacy@surfplatforms.com, or use the in-product privacy controls where available.

We will verify your identity before fulfilling a request, generally using information associated with your account, and we will respond within the timeframes required by applicable law. There is no charge to exercise your rights, except that we may charge a reasonable fee or decline a request that is manifestly unfounded, excessive, or repetitive, as permitted by law. If we decline a request, we will explain why, to the extent the law requires.

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, loss, misuse, and alteration. These include encryption of data in transit and, where appropriate, at rest; access controls and least-privilege practices; and logging and monitoring. Conversations you mark as end-to-end encrypted are encrypted on your device, and their content is not readable by our servers.

No method of transmission or storage is completely secure, and security depends in part on factors outside our control, including your own devices, networks, and credentials and the systems of third parties. Accordingly, while we work hard to protect your information, we cannot and do not guarantee absolute security, and our security measures are described as a description of our practices and not as a warranty or guarantee.

In the event of a data breach affecting your personal information, we will investigate, take steps to mitigate and remediate, and notify affected users and applicable regulators where and within the timeframes required by applicable law (for example, U.S. state breach-notification laws and, where applicable, the 72-hour notification requirement under the GDPR). Notification of a breach is not by itself an acknowledgment of fault or liability.

You play an important role in security. Keep your credentials confidential, use a strong and unique password, enable available security features, and notify us immediately at security@surfplatforms.com if you believe your account or data is no longer secure. We also welcome good-faith vulnerability reports at security@surfplatforms.com.

The Platform may link to or integrate with third-party websites, services, or content that we do not control. This Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party service you use. We are not responsible for the privacy practices of third parties.

We may update this Policy from time to time. When we make material changes, we will provide notice through the Platform, by email, or by other means reasonably calculated to reach you, and we will update the “Last updated” date below. Changes are effective when posted unless otherwise stated. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy, except where additional consent is required by law.

If you have questions, concerns, or requests regarding this Policy or your personal information, contact us at:

Surf Platforms Inc. — Attn: Privacy — privacy@surfplatforms.com — San Jose, California, United States.