SP
SurfacePoint

Privacy Policy

Version 2026-07-05.1 | Last updated July 5, 2026

This policy explains how SurfacePoint processes personal data for our B2B SaaS services in the EU, UK, and US.

1. Controller Identity and Contact

SurfacePoint is the controller for account and service administration data. Privacy contact: privacy@surfacepoint.ai.

2. Categories of Personal Data

3. Purposes and Legal Bases

4. Retention

We retain account and log data for as long as needed to provide the service, fulfill contractual obligations, and meet legal requirements. Contract and billing records are retained for statutory periods. Customer content is deleted or returned based on contract terms and deletion workflows.

Product brief lead records are retained for up to 12 months unless a longer period is required by law or needed to handle a request, dispute, or security matter.

Consent-aware attribution snapshots in browser storage are retained for up to 90 days by default, unless deleted earlier through browser controls or updated consent preferences.

5. Security Measures

Security controls include encryption at rest and in transit, role-based access, principle-of-least-privilege administration, activity logging, backups, and restore testing.

6. International Transfers

Primary hosting is in Azure EU regions. Where data transfers occur outside the EEA/UK, we use lawful transfer safeguards such as Standard Contractual Clauses and equivalent contractual commitments.

7. Data Subject Rights

Where applicable, individuals may request access, correction, deletion, restriction, objection, and portability. Requests can be submitted to privacy@surfacepoint.ai. We may verify identity before responding.

If you opted into marketing communication, you can withdraw consent at any time by contacting us at privacy@surfacepoint.ai or by using the unsubscribe option provided in marketing emails.

You can change optional analytics/marketing preferences at any time from the Cookie preferences link in the public website footer.

7A. Public Website Analytics and Authenticated App Use

SurfacePoint is designed to keep optional Google Analytics/Google Tag Manager tracking on public marketing and conversion pages only. By default, optional analytics are disabled for authenticated users and are not loaded inside the logged-in application workspace.

We use public website analytics only after consent, unless a strictly necessary or legally permitted signal is involved. We do not use Google Analytics to inspect customer inspection content, uploaded files, internal model data, defect records, account passwords, payment card numbers, or private workspace activity.

If we later decide to add analytics inside the authenticated app, we must update this policy, the cookie notice, and consent controls before enabling it.

7B. California Privacy Choices

SurfacePoint does not sell personal information for money. Some analytics, advertising, or attribution tools may be considered a "sale" or "sharing" under California privacy law when they are used for cross-context behavioral advertising or similar measurement.

You can opt out at /privacy/choices/. We also treat a browser Global Privacy Control signal as a request to opt out of sale or sharing in that browser.

If you opt out, optional analytics and marketing sharing should remain disabled in that browser. If you provide your email address on the choices page, we also add it to our marketing suppression list.

7C. EU/UK and Consent-Based Tracking

For EU/UK visitors, optional analytics and marketing storage are off unless you give consent. You can later reject optional tracking from Cookie preferences or the privacy choices page.

8. Subprocessors and Disclosures

We use trusted subprocessors for hosting, storage, billing, and communications. Current subprocessors are listed at /subprocessors/. We may disclose personal data if required by law or to protect rights and security.

9. Incident and Breach Notification

We maintain incident response procedures. If a personal data breach affecting customer data occurs, we notify the affected customer without undue delay and provide available details required for customer compliance.

10. Complaints

You may contact us at privacy@surfacepoint.ai. Individuals in the EU/UK may also lodge a complaint with their local supervisory authority.