Privacy Policy

1. Introduction

Sure Scale Private Limited (UEN 202407567D), a company registered in Singapore and trading as Data Surfer ("Data Surfer", "we", "us", or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Data Surfer platform, including any associated websites, applications, and services (collectively, the "Platform").

We encourage you to read this Privacy Policy carefully to understand our practices regarding your information. By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our policies and practices, please do not use our Platform.

2. Information We Collect

We collect several types of information from and about users of our Platform, including:

2.1 Information You Provide

• Account Information: When you register for an account, we collect your name, email address, and payment information (stored securely by Stripe).
• Leads Data: Information about your business leads that you upload to the Platform, such as company names, website URLs, and contact details.
• Search Terms: Keywords, industry types, locations, and other search criteria you provide when using our lead finder feature to discover potential leads.
• Communications: Records of your interactions with us, including customer support inquiries, feedback, and survey responses.

2.2 Information We Collect Through Automated Technologies

• Usage Data: Information about how you use our Platform, including pages visited, features used, and actions taken.
• Technical Data: Internet protocol (IP) address, browser type and version (user agent), time zone setting, operating system and platform, and other technology on the devices you use to access the Platform. We also record IP addresses and user agents at login for security purposes (such as account lockout after failed attempts).
• Cookies and Similar Technologies: We use cookies and similar tracking technologies to track activity on our Platform and hold certain information. For more information, please see our Cookie Policy.

2.3 Information Collected by Our AI System

Our AI system processes information from the websites of the leads you provide or discover through our platform. It collects publicly available business information from company websites, business directories, and search engines that you direct it to analyze. The system does not access private information or data behind login screens (except where you have explicitly connected an email or CRM account).

Additionally, we access databases of millions of business contacts and company profiles to provide contact information including emails, phone numbers, and social media profiles for key decision makers at target companies. This contact data is sourced from publicly available business directories, professional networks, and other legitimate business information providers.

When you use our lead finder feature, we utilize third-party search APIs to find potential leads based on your search criteria. The search results are processed by our AI to create structured lead data that includes business names, addresses, phone numbers, websites, and other publicly available information.

Our Industry Insights feature monitors publicly available content from the web, Reddit, and X (formerly Twitter) to identify competitor activity, industry trends, and engagement opportunities related to topics and competitors you configure. We only collect publicly available posts and content -- we do not access private messages, private communities, or non-public content on these platforms.

To generate AI-powered content (such as outreach email drafts, LinkedIn comment suggestions, call preparation materials, and insight summaries), we send relevant data to third-party AI model providers including Anthropic Claude (via AWS Bedrock), Google Gemini (via Google Cloud Vertex AI), OpenAI GPT (via Microsoft Azure), xAI Grok, Google Deep Research, and Azure Document Intelligence for document processing. The specific providers used may change over time. Our agreements with these providers restrict them from using your data for their own model training. Data sent to AI model providers is encrypted in transit and processed only for the purpose of generating the requested output.

2.4 Information from Google Account Access

If you choose to connect your Google account to Data Surfer, we request access to certain Google services to enable specific features. You can grant or deny these permissions, and you can revoke access at any time through your Google Account settings at myaccount.google.com/permissions.

Google data we access and why:

• Gmail (Send): We request permission to send emails on your behalf. Emails are only sent after you explicitly review and approve the subject line and message content. We do not send emails automatically without your approval.
• Gmail (Read): We request permission to read your emails to provide lead nurturing recommendations. This allows our system to analyze your email conversations with prospects and suggest optimal follow-up timing, messaging, and engagement strategies.
• Google Drive (Read): We request read-only access to your Google Drive to retrieve attachments referenced in your emails, such as Google Meet transcripts generated by Gemini. This helps provide context for lead nurturing recommendations based on your meeting notes and call summaries.
• Basic Profile Information: When you sign in with Google, we receive your email address and name to create and manage your Data Surfer account.

How we protect your Google data:

• We do not sell, share, or transfer your Google user data to third parties, except as necessary to provide and improve our services, or as required by law.
• We do not use your Google user data for advertising purposes.
• We do not use your Google user data to enrich or populate our own databases. Our contact and company databases are built exclusively from publicly available sources. Data from your connected Google account is used solely to provide features to you and is never incorporated into our data products.
• Your Google data is processed only to provide the features you have enabled and is protected using encryption in transit and at rest.
• We retain Google user data only for as long as necessary to provide our services. When you disconnect your Google account or delete your Data Surfer account, your Google data is removed from our active systems within a reasonable period.
• Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

2.5 Information from Microsoft Account Access

If you choose to connect your Microsoft account to Data Surfer, we request access to Microsoft Outlook via the Microsoft Graph API to enable email synchronization and engagement tracking features. You can grant or deny these permissions, and you can revoke access at any time through your Microsoft account settings.

Microsoft data we access and why:

• Outlook (Send): We request permission to send emails on your behalf. Emails are only sent after you explicitly review and approve the content.
• Outlook (Read/Sync): We request permission to read and sync your emails to match conversations with leads, track engagement, and provide nurturing recommendations. We only sync emails matching your leads and contacts, not your entire mailbox.
• Teams Meetings (optional): If you grant access, we may read Teams meeting details and transcripts to provide context for lead nurturing recommendations based on your meeting notes.
• OneDrive (optional): If you grant access, we may read files from your OneDrive to retrieve attachments and documents referenced in your email communications.
• Basic Profile Information: When you sign in with Microsoft, we receive your email address and name to manage your Data Surfer account.

How we protect your Microsoft data:

• We do not sell, share, or transfer your Microsoft user data to third parties, except as necessary to provide and improve our services, or as required by law.
• We do not use your Microsoft user data for advertising purposes.
• We do not use your Microsoft user data to enrich or populate our own databases. Our contact and company databases are built exclusively from publicly available sources. Data from your connected Microsoft account is used solely to provide features to you and is never incorporated into our data products.
• Your Microsoft data is protected using encryption in transit and at rest.
• We retain Microsoft user data only for as long as necessary to provide our services. When you disconnect your Microsoft account or delete your Data Surfer account, your Microsoft data is removed from our active systems within a reasonable period.

2.6 Information Collected via the Public API

If you access the Platform through our public REST API, we collect:

• API key identifiers and request metadata (timestamps, endpoints accessed, response codes)
• Data you submit through API requests (such as company names, URLs, and search criteria)
• IP addresses and request headers for security and rate-limiting purposes

API usage data is subject to the same protections and retention policies as data collected through the web interface.

2.7 Information Collected via the Chrome Extension

If you install and use our Chrome browser extension, we collect:

• LinkedIn profile and company page information you view while the extension is active, for the purpose of matching with your existing leads
• Actions you take through the extension (such as following profiles or posting comments)

The Chrome extension does not collect data from websites other than LinkedIn. It communicates with the Platform using your authenticated session and does not store data locally beyond your session.

2.8 Information Collected via MCP Integration

If you access the Platform through a Model Context Protocol (MCP) compatible AI assistant, we collect the same data as API access (requests made, data submitted, and actions taken). Additionally, data from the Platform may be transmitted to the AI assistant provider to display in the conversation interface. We do not control how the AI assistant provider processes this data; please refer to their privacy policy.

3. How We Use Your Information

We use the information we collect for various purposes, including to:

• Provide, maintain, and improve our Platform
• Process transactions and manage your account
• Find and generate leads based on your search criteria
• Generate AI-powered outreach recommendations, email drafts, call preparation materials, and industry insights
• Monitor publicly available web content, Reddit, and X for industry signals, competitor activity, and engagement opportunities based on topics you configure
• Synchronize and analyze email communications to match conversations with leads and provide engagement recommendations
• Execute automated workflows and scheduled actions you configure
• Respond to your inquiries and provide customer support
• Personalize your experience on our Platform
• Send administrative information, such as updates, security alerts, and support messages
• Send marketing communications (with your consent where required by law)
• Analyze usage patterns to improve our Platform
• Protect against fraudulent, unauthorized, or illegal activity
• Enforce our Terms and Conditions
• Comply with legal obligations

We may create aggregated, de-identified, or anonymized data from the information we collect. We may use this anonymized data for any purpose permitted by law, including to analyze and improve our Platform, promote our business, and improve our own proprietary models. You may opt out of service improvement data usage by contacting us at privacy@data-surfer.com.

Important: Data obtained from your connected accounts (such as Gmail, Outlook, or CRM systems like Pipedrive) is never used to enrich, populate, or update our own contact or company databases. Our databases are built exclusively from publicly available information sources. Data from your connected accounts is processed solely to provide Platform features to you and is kept strictly separate from our data products.

4. Disclosure of Your Information

We may disclose your information in the following circumstances:

4.1 Service Providers

We may share your information with third-party service providers who perform services on our behalf, including:

• Cloud Infrastructure: Google Cloud Platform (hosting, storage), Amazon Web Services (AI processing)
• Payment Processing: Stripe
• Email Delivery: Amazon SES (transactional), Brevo (marketing)
• Data Enrichment: Third-party contact discovery and verification services
• Web Research: Eddie.surf (our affiliated web research service) and third-party search APIs

These service providers are contractually obligated to use your information only for the purposes of providing services to us and in accordance with this Privacy Policy.

4.2 AI Model Providers

To provide AI-powered features, we share relevant data with third-party AI model providers (including Anthropic via AWS, Google, Microsoft, and xAI). Data shared with these providers is limited to what is necessary to generate the requested output, is encrypted in transit, and is subject to agreements that restrict these providers from using your data for their own model training or purposes unrelated to providing the service.

4.3 Business Transfers

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Website of any change in ownership or uses of your information, as well as any choices you may have regarding your information.

4.4 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

4.5 Protection of Rights

We may disclose your information to enforce our Terms and Conditions, protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others.

4.6 With Your Consent

We may share your information with third parties when you consent to such sharing.

5. Data Security

We implement appropriate technical and organizational measures to protect your information against unauthorized or unlawful processing, accidental loss, destruction, or damage. Our security measures include encryption at rest and in transit, strict access controls, rate limiting, and periodic security reviews.

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

6. Data Retention

We retain your information for as long as needed to provide you with our services and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Specifically, we retain your lead data for as long as you maintain an active account with us. This includes both leads you manually upload and those discovered through our lead finder feature. You can delete your lead lists at any time through your dashboard, and the data will be removed from our active systems within a reasonable period. If you close your account, your data will be deleted in accordance with our data retention schedule, subject to any legal obligations requiring longer retention.

We also retain your search terms and criteria used in the lead finder feature for as long as you maintain the associated lead lists. These search settings are permanently deleted when you delete the related lead list or close your account.

7. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information, including:

7.1 Access and Portability

You may request access to your personal information and obtain a copy of the personal information we hold about you in a structured, commonly used, and machine-readable format.

7.2 Correction

You may request that we correct inaccurate or incomplete personal information that we hold about you.

7.3 Erasure

You may request that we delete your personal information in certain circumstances, such as when the information is no longer necessary for the purposes for which it was collected.

7.4 Restriction

You may request that we restrict the processing of your personal information in certain circumstances, such as when you contest the accuracy of the information.

7.5 Objection

You may object to the processing of your personal information in certain circumstances, such as when we process your information for direct marketing purposes.

7.6 Withdraw Consent

If we rely on your consent to process your personal information, you have the right to withdraw your consent at any time.

7.7 Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal information infringes applicable law.

7.8 Automated Decision-Making

The Platform uses automated processing to generate lead scores, relationship health assessments, re-engagement recommendations, and contact confidence ratings. These are provided as suggestions to assist your sales activities and do not produce legal effects or similarly significant effects on individuals. You can request human review of any automated assessment by contacting us.

To exercise any of these rights, please contact us at legal@data-surfer.com or our Data Protection Officer at nick@data-surfer.com. We will respond to your request within 30 days (or such shorter period as required by applicable law). We may extend this period by up to 60 days for complex requests, and will inform you of any extension.

7.9 Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, our legal basis for collecting and using your personal information depends on the type of information and the context in which we collect it:

• Contract Performance (Art. 6(1)(b)): Processing your account data, providing Platform features, managing subscriptions, and executing actions you request
• Legitimate Interest (Art. 6(1)(f)): Processing publicly available business information to provide our lead research and intelligence services, security logging, fraud prevention, and Platform improvement
• Consent (Art. 6(1)(a)): Accessing your Connected Accounts (Gmail, Outlook, Pipedrive), sending marketing communications, and analytics cookies
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, such as tax reporting and fraud prevention

7.10 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• Right to Know: You may request information about the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions
• Right to Correct: You may request correction of inaccurate personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights
• Sale/Sharing of Personal Information: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes

To exercise your California privacy rights, contact us at legal@data-surfer.com. We will verify your identity before processing your request.

8. International Transfers

Our operations are based in Singapore, and we transfer, store, and process your information in countries other than your country of residence. In particular, our cloud infrastructure and AI model providers operate primarily in the United States. Your data may also be processed in other countries where our sub-processors operate.

When we transfer your information to other countries, we will protect it as described in this Privacy Policy and in accordance with applicable law. We use appropriate safeguards, such as standard contractual clauses approved by the European Commission, to ensure that your information receives an adequate level of protection when transferred outside of the European Economic Area, the United Kingdom, or Singapore.

9. Children's Privacy

Our Platform is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and you believe that your child has provided us with personal information, please contact us at legal@data-surfer.com, and we will take steps to delete the information.

10. Changes to Our Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this Privacy Policy. If we make material changes to this Privacy Policy, we will notify you by email or through a notice on our Platform before the changes take effect.

We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Platform after we post changes to this Privacy Policy means that you accept and agree to the changes.

11. Contact Us

If you have any questions about this Privacy Policy, please contact us at: