Privacy Policy

1. Introduction

Surfeed ("we", "us", "our") operates the Surfeed platform at surfeed.io. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service. We are committed to protecting your privacy and handling your data in compliance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Data We Collect

Account Data

• Name, email address, and hashed password (for email registration)
• Google profile information (name, email, avatar) if you sign in with Google

X (Twitter) Data

• X user ID and profile information (display name, handle)
• OAuth access tokens and refresh tokens (encrypted at rest)
• Tweet content and engagement metrics for tweets published through Surfeed

Content Data

• Discovered content items (GitHub repositories, RSS articles)
• AI-generated tweets and their metadata
• Feed configurations and brand voice settings

Usage Data

• AI generation counts and feature usage
• Post counts and scheduling activity
• Feed run history and results

Payment Data

• Payments are processed by Stripe. We store your Stripe customer ID and subscription ID.
• We do not store credit card numbers, CVVs, or full payment details.

Analytics Data

• Page views, device information, and browsing behavior via Google Analytics (only with your cookie consent).

Log Data

• IP addresses, browser type, and access times (standard server logs).

3. How We Use Your Data

We use the data we collect to:

• Provide the core Service: discover content, generate tweets with AI, and publish to X
• Process payments and manage subscriptions via Stripe
• Send transactional emails (password resets, email verification, payment notifications)
• Improve the Service through aggregated analytics
• Enforce our Terms of Service and prevent abuse
• Respond to support requests

4. AI Processing

• Content text and brand voice configuration are sent to Anthropic's Claude API for analysis and tweet generation.
• Anthropic's data processing and privacy terms apply to data sent to their API.
• We do not use your content to train AI models.
• AI-generated outputs are stored in your account and are subject to this Privacy Policy.

5. Third-Party Services & Data Sharing

We share data with the following third-party services solely to provide the Service:

We do not sell your personal data to third parties.

6. Data Retention

• Account data: Retained until account deletion, plus 30 days for final processing.
• Tweet content: Retained until deleted by you or upon account deletion.
• Analytics data: 12 months on a rolling basis.
• Server logs: 90 days.
• AI usage records: Retained for billing and abuse prevention purposes.

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights:

• Right to access — Request a copy of the personal data we hold about you.
• Right to rectification — Update or correct your personal data via your profile settings.
• Right to erasure — Request deletion of your account and associated data.
• Right to data portability — Request your data in a machine-readable format.
• Right to restrict processing — Request limitation of how we process your data.
• Right to object — Object to processing of your data for certain purposes.

To exercise any of these rights, contact us at privacy@surfeed.io. We will respond within 30 days.

8. Your Rights (CCPA)

If you are a California resident, you have the right to:

• Right to know — Request disclosure of the personal information we collect and how it is used.
• Right to delete — Request deletion of your personal information.
• Right to opt-out of sale — We do not sell personal information.
• Right to non-discrimination — We will not discriminate against you for exercising your rights.

9. Cookies

Surfeed uses the following types of cookies:

• Essential cookies — NextAuth session cookies required for authentication. These are functional and do not require consent.
• Analytics cookies — Google Analytics cookies for site usage tracking. These are only set with your explicit consent via the cookie banner.
• OAuth cookies — Temporary cookies used during the X OAuth connection flow. These are functional and expire after the flow completes.

You can manage your cookie preferences at any time through the cookie consent banner at the bottom of the page.

10. Data Security

We take data security seriously and implement the following measures:

• All data is transmitted over HTTPS (encryption in transit).
• Passwords are hashed using bcrypt before storage.
• X API access tokens are encrypted at rest.
• Payment processing is handled entirely by Stripe (PCI DSS compliant).
• Database access is restricted and monitored.

11. Children's Privacy

Surfeed is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a minor, we will take steps to delete that information promptly.

12. International Data Transfers

Your data may be processed in the European Union and the United States, depending on the third-party services involved (e.g., Stripe, Anthropic, X). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or through the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

• Privacy inquiries: privacy@surfeed.io
• General support: support@surfeed.io