LEGAL

Privacy Policy

Last updated May 6, 2026.

⚠ Placeholder — do not ship as-is. This page is a structural template only. Replace each section with counsel-reviewed copy before going live.

1. Information we collect

Account details you provide on sign-up: name, email, workspace name, and the WooCommerce / Shopify domain you connect.

Catalog data pulled from your store via the API key you generate: product titles, descriptions, schema, images, and variants. We do NOT pull customer or order PII for catalog auditing.

AI-attributed order metadata pushed to us by the plugin: a hashed customer email (SHA-256), order total, currency, and the AI source name. Raw email is never stored.

Usage telemetry: which dashboard pages you visit, which fixes you generate, and aggregate timing data so we can debug slow flows.

2. How we use it

Operating the service: running audits, generating fixes, scoring products, and rendering reports inside your workspace.

Improving the product: anonymised aggregate stats inform what we build next. We never train external LLMs on your catalog.

Sending essential email: account verification, billing receipts, weekly digest (opt-out via settings), and incident notices.

3. Where data lives

Postgres (Supabase, EU region) for primary storage. Daily encrypted backups, 7-day retention.

Upstash Redis (EU region) for short-lived rate-limit + LLM-response caches. Cache TTL ≤ 7 days.

OpenRouter (US) is the LLM gateway used for audit generation. Your catalog content is transmitted to the LLM for processing; OpenRouter does not retain it for model training, per their data-processing agreement.

4. Sharing

We don't sell your data. Period.

Sub-processors are limited to: Stripe (payments), Resend (transactional email), Vercel (hosting), Supabase (database), Upstash (cache), OpenRouter (LLM gateway). Each has its own privacy policy and DPA.

5. Your rights

Access, export, correct, or delete your data at any time. Use the Danger Zone in workspace settings to wipe everything, or email hello@surfacly.com for assisted requests.

EU / UK residents: GDPR rights apply. We respond to verified requests within 30 days.

6. Cookies

We use a single first-party session cookie for authentication. No advertising or third-party tracking cookies are set.

7. Changes

Material changes will be announced by email at least 14 days before they take effect.

8. Contact

Questions or requests: privacy@surfacly.com.