Privacy Policy
This policy explains how SurfacePoint processes personal data for our B2B SaaS services in the EU, UK, and US.
1. Controller Identity and Contact
SurfacePoint is the controller for account and service administration data. Privacy contact: privacy@surfacepoint.ai.
2. Categories of Personal Data
- Account data: name, email, phone, role, login credentials and preferences.
- Operational data: organization identifiers, inspection records, file metadata, and support requests.
- Future restricted-data interest data: information you choose to submit about possible export-controlled, defense-related, or other restricted-data needs. Do not include controlled technical data in those submissions.
- Product brief lead data: work email, consent choices and timestamps, and related request metadata (IP address and browser user-agent) when you request a product brief.
- Public website analytics and attribution data (only with consent): public page/event interactions, funnel step events, campaign parameters (UTM fields), and click IDs such as gclid/fbclid/li_fat_id/msclkid.
- Technical data: IP address, device/browser metadata, authentication logs, and security events.
3. Purposes and Legal Bases
- Service delivery and account management: contract necessity.
- Delivering requested product brief downloads and transactional follow-up messages: steps requested by the data subject and legitimate interests.
- Optional marketing follow-up after product brief download: consent (you can withdraw at any time).
- Optional public website funnel analytics and campaign measurement: consent.
- Security, abuse prevention, and product reliability: legitimate interests.
- Evaluating future restricted-data support requests and related sales/product planning: legitimate interests and steps requested by your organization.
- Compliance, tax, and legal obligations: legal obligation.
4. Retention
We retain account and log data for as long as needed to provide the service, fulfill contractual obligations, and meet legal requirements. Contract and billing records are retained for statutory periods. Customer content is deleted or returned based on contract terms and deletion workflows.
Product brief lead records are retained for up to 12 months unless a longer period is required by law or needed to handle a request, dispute, or security matter.
Consent-aware attribution snapshots in browser storage are retained for up to 90 days by default, unless deleted earlier through browser controls or updated consent preferences.
5. Security Measures
Security controls include encryption at rest and in transit, role-based access, principle-of-least-privilege administration, activity logging, backups, and restore testing.
6. International Transfers
Primary hosting is in Azure EU regions. Where data transfers occur outside the EEA/UK, we use lawful transfer safeguards such as Standard Contractual Clauses and equivalent contractual commitments.
7. Data Subject Rights
Where applicable, individuals may request access, correction, deletion, restriction, objection, and portability. Requests can be submitted to privacy@surfacepoint.ai. We may verify identity before responding.
If you opted into marketing communication, you can withdraw consent at any time by contacting us at privacy@surfacepoint.ai or by using the unsubscribe option provided in marketing emails.
You can change optional analytics/marketing preferences at any time from the Cookie preferences link in the public website footer.
7A. Public Website Analytics and Authenticated App Use
SurfacePoint is designed to keep optional Google Analytics/Google Tag Manager tracking on public marketing and conversion pages only. By default, optional analytics are disabled for authenticated users and are not loaded inside the logged-in application workspace.
We use public website analytics only after consent, unless a strictly necessary or legally permitted signal is involved. We do not use Google Analytics to inspect customer inspection content, uploaded files, internal model data, defect records, account passwords, payment card numbers, or private workspace activity.
If we later decide to add analytics inside the authenticated app, we must update this policy, the cookie notice, and consent controls before enabling it.
7B. California Privacy Choices
SurfacePoint does not sell personal information for money. Some analytics, advertising, or attribution tools may be considered a "sale" or "sharing" under California privacy law when they are used for cross-context behavioral advertising or similar measurement.
You can opt out at /privacy/choices/. We also treat a browser Global Privacy Control signal as a request to opt out of sale or sharing in that browser.
If you opt out, optional analytics and marketing sharing should remain disabled in that browser. If you provide your email address on the choices page, we also add it to our marketing suppression list.
7C. EU/UK and Consent-Based Tracking
For EU/UK visitors, optional analytics and marketing storage are off unless you give consent. You can later reject optional tracking from Cookie preferences or the privacy choices page.
8. Subprocessors and Disclosures
We use trusted subprocessors for hosting, storage, billing, and communications. Current subprocessors are listed at /subprocessors/. We may disclose personal data if required by law or to protect rights and security.
9. Incident and Breach Notification
We maintain incident response procedures. If a personal data breach affecting customer data occurs, we notify the affected customer without undue delay and provide available details required for customer compliance.
10. Complaints
You may contact us at privacy@surfacepoint.ai. Individuals in the EU/UK may also lodge a complaint with their local supervisory authority.