Skip to content

Privacy Policy

Last updated: April 11, 2026

1. Introduction

Welcome to SurfacedBy ("we," "our," or "us"), operated by Ali K., an independent developer based in Taiwan. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our AI visibility monitoring platform at surfacedby.com (the "Service").

For any data protection inquiries, please contact privacy@surfacedby.com.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Full name and email address
  • Password (stored as a cryptographic hash, never in plain text)
  • Subscription plan and billing information (payment details are processed by our payment provider and are never stored on our servers)

2.2 Domain and Business Information

When you add a domain for monitoring, we collect:

  • Domain URL and website metadata (title, description, sitemap URL)
  • Brand name and brand variations you provide
  • Business category and detected niche
  • Competitor domains you specify or that are discovered during scans
  • Keywords and tracked prompts associated with your domain

2.3 AI Visibility Scan Data

When we run visibility scans, we collect and store:

  • AI platform responses from ChatGPT, Claude, Gemini, Perplexity, and Google AI Mode
  • Citation data (whether and where your domain is mentioned in AI responses)
  • Visibility scores, citation rates, and position metrics
  • Sentiment analysis of AI responses mentioning your brand
  • Cost tracking for API usage associated with your scans

2.4 Google Search Console Data

If you choose to connect Google Search Console, we collect:

  • An OAuth 2.0 refresh token (encrypted at rest using AES-128/Fernet symmetric encryption) to access your Search Console data on your behalf
  • Search analytics data: queries, page URLs, clicks, impressions, click-through rate, and average position
  • We request read-only access (webmasters.readonly scope) and cannot modify your Search Console data
  • You can disconnect Google Search Console at any time from your Settings page, which immediately revokes our access and deletes all synced data

2.5 Google Analytics 4 Data

If you choose to connect Google Analytics 4 (GA4), we collect:

  • An OAuth 2.0 refresh token (encrypted at rest using AES-128/Fernet symmetric encryption) to access your GA4 data on your behalf
  • Traffic data including sessions, pageviews, and referral sources
  • We request read-only access (analytics.readonly scope) and cannot modify your Google Analytics data
  • You can disconnect Google Analytics at any time from your Settings page, which immediately revokes our access and deletes all synced data

2.6 Free Audit Data

When you use our free audit tool without creating an account, we collect:

  • Domain URL and email address (for delivering results)
  • IP address (for rate limiting: one audit per IP per 72 hours)

2.7 Content Checker Data

When you use our public content checker tool, we collect:

  • The URL or text content you submit for analysis
  • IP address (for rate limiting to prevent abuse)

2.8 Trial Data

When you start a free trial, in addition to your account information, we collect:

  • IP address at the time of trial activation
  • A one-way hash of your email address (SHA-256)
  • These data points are used solely to detect and prevent trial abuse. The IP address and email hash are retained for 12 months after trial expiry, even if the trial account is deleted, to prevent repeat abuse

2.9 Automatically Collected Information

  • IP address, browser type, operating system, and device information
  • Pages visited, features used, and interaction patterns
  • Error logs and performance data (via Sentry error monitoring)
  • Masked session replays for debugging purposes (via Sentry Session Replay). All on-screen text is masked and no keystrokes are captured. Session replay data is retained for 90 days per Sentry's retention policy
  • Bot protection verification data (via Cloudflare Turnstile)

2.10 Newsletter and Contact Form

  • Newsletter subscriptions: email address, subscription source, and IP address at the time of signup (for abuse prevention)
  • Contact form submissions: name, email, subject, and message content

3. Lawful Basis for Processing (GDPR)

Under Article 6 of the EU General Data Protection Regulation (GDPR), we rely on the following lawful bases for processing your personal data:

Processing ActivityLawful BasisGDPR Article
Account creation, domain monitoring, AI visibility scansPerformance of a contract6(1)(b)
Transactional emails (scan results, alerts, account notices)Performance of a contract6(1)(b)
Marketing newsletterConsent6(1)(a)
Error monitoring and session replays (Sentry)Legitimate interest (service reliability)6(1)(f)
Free audit IP collection (rate limiting)Legitimate interest (abuse prevention)6(1)(f)
Content checker IP collection (rate limiting)Legitimate interest (abuse prevention)6(1)(f)
Trial abuse detection (IP address + email hash)Legitimate interest (fraud prevention)6(1)(f)
Newsletter signup IP collectionLegitimate interest (abuse prevention)6(1)(f)

Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time by contacting privacy@surfacedby.com.

4. How We Use Your Information

  • Run AI visibility scans and generate analytics for your domains
  • Compute correlation insights between organic search and AI citation data
  • Send scan completion notifications, weekly digest emails, and visibility alerts
  • Process subscription payments and manage your account
  • Provide customer support and respond to inquiries
  • Monitor system performance and detect technical issues
  • Improve our scan algorithms and analytics accuracy
  • Detect and prevent fraud, abuse, and unauthorized trial usage
  • Send marketing communications (only with your explicit consent; you can unsubscribe at any time)

5. Google API Services Disclosure

SurfacedBy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google API data (from Google Search Console and Google Analytics 4) to provide and improve the SurfacedBy Service features you have explicitly connected. We do not use Google API data for advertising, and we do not allow humans to read your Google data unless necessary for security purposes, required by law, or with your explicit consent.

6. Third-Party Services

We use the following third-party services to operate SurfacedBy. Each service processes data as described:

  • Supabase: Database hosting and user authentication (stores your account data and scan results). Supabase is certified under the EU-US Data Privacy Framework.
  • Google Search Console API: Fetches your organic search data when you connect GSC (read-only OAuth 2.0 access)
  • Google Analytics 4 API: Fetches your traffic data, sessions, pageviews, and referral sources when you connect GA4 (read-only OAuth 2.0 access)
  • Public-data and AI APIs: To test how AI platforms reference your tracked domains, we send queries about your tracked domains, competitors, and brand-related keywords to third-party search and AI APIs. These services receive only the domain names, competitor domains, and search prompts we construct. They do not receive your account data, email address, IP address, or any other information that could identify you personally.
  • Polar.sh: Payment processing and subscription management (handles all payment card data; we never store card numbers). A Data Processing Agreement (DPA) is in place with Polar.
  • Amazon Web Services (SES): Email delivery for notifications and transactional emails
  • Cloudflare Turnstile: Bot protection for free audit and public forms
  • Sentry: Error monitoring, performance tracking, and masked session replays (receives error logs, stack traces, and anonymized replay data; personal data is scrubbed before transmission)

7. Data Sharing and Disclosure

We do not sell your personal data. We may share your information only in the following circumstances:

  • Service Providers: With the third-party services listed above, strictly to provide the Service functionality
  • Business Transfers: In connection with any merger, acquisition, or sale of assets, with prior notice to you
  • Legal Requirements: When required by law, regulation, or legal process, or to protect our rights, safety, or property
  • Shared Reports: If you generate a shared report link, the report data is accessible to anyone with that link until you revoke it

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data is transmitted over HTTPS/TLS encryption
  • Passwords are stored as cryptographic hashes (bcrypt)
  • OAuth tokens are encrypted at rest using AES-128 (Fernet symmetric encryption)
  • Database access is restricted and authenticated
  • Admin access is protected by email whitelist verification
  • Payment webhook signatures are verified using HMAC-SHA256

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

9. Data Retention

  • Account data: Retained for the lifetime of your account. Deleted upon account deletion request. Residual copies in encrypted backups are purged within 30 days of the deletion request.
  • Scan data: Retained for the lifetime of your account to provide historical trend analysis. Deleted alongside account data upon request.
  • Google Search Console data: Retained while GSC is connected. All synced data is deleted immediately when you disconnect GSC.
  • Google Analytics 4 data: Retained while GA4 is connected. All synced data is deleted immediately when you disconnect GA4.
  • Free audit data: Audit results are retained for 30 days. Rate-limiting records (IP + domain) expire after 72 hours.
  • Trial abuse detection data: IP address and email hash are retained for 12 months after trial expiry for abuse prevention, even if the account is deleted.
  • Sentry session replays: Retained for 90 days per Sentry's data retention policy, then automatically deleted.
  • Contact form and newsletter: Retained until you request removal or unsubscribe.

10. Your Rights (EEA/UK - GDPR)

If you are located in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data under the GDPR:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete data via your Settings page
  • Erasure: Request deletion of your account and all associated data
  • Restriction: Request that we restrict processing of your data
  • Portability: Request your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent for marketing communications at any time
  • Lodge a complaint: You have the right to lodge a complaint with your local supervisory authority if you believe your data has been processed unlawfully

To exercise any of these rights, contact us at privacy@surfacedby.com. We will respond within 30 days.

11. Your Rights (California - CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it
  • Right to Delete: You may request the deletion of your personal information, subject to certain legal exceptions
  • Right to Correct: You may request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

Categories of personal information we collect:

  • Identifiers: Name, email address, IP address, account ID
  • Commercial information: Subscription plan, billing history, domain monitoring configuration
  • Internet or electronic network activity: Pages visited, features used, scan history, error logs
  • Geolocation data: IP-derived approximate location (city/region level)
  • Inferences: AI visibility scores, brand sentiment analysis, competitive positioning derived from scan data

To submit a verified request, email privacy@surfacedby.com from the email address associated with your account. We will verify your identity and respond within 45 days. You may also designate an authorized agent to submit a request on your behalf.

12. International Data Transfers

Your data may be transferred to and processed in the United States and other countries where our service providers operate. Our primary database is hosted in the US-West region via Supabase. We use the following mechanisms to ensure appropriate safeguards for international transfers:

  • EU-US Data Privacy Framework: Supabase is certified under the EU-US Data Privacy Framework (DPF), providing an adequacy-based transfer mechanism for data hosted in our primary database
  • Standard Contractual Clauses (SCCs): For other service providers not covered by an adequacy decision or the DPF, we rely on Standard Contractual Clauses approved by the European Commission as the transfer mechanism

13. Cookies

We use the following types of cookies:

  • Essential cookies: Required for authentication and core Service functionality (session tokens, CSRF protection)
  • Account-stored UI preferences: Dashboard UI state (collapsed sections, dismissed banners, filter selections, in-progress report drafts) is stored against your account on our servers so it travels with you across devices, not in your browser

We do not use third-party advertising or tracking cookies. You can configure your browser to reject cookies, but this may affect your ability to use the Service.

14. Children's Privacy

Our Service is intended for business users and is not directed to children under 16 (or under 13 in the United States per COPPA). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

15. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will also notify you via email. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this privacy policy or wish to exercise your data rights, please contact us: