Privacy Policy
Effective date: 1 April 2026
This Privacy Policy explains how Surfaceable ("we", "us", "our"), a product of Growth Mode agency (growthmode.agency), collects, uses, and protects your personal data when you use surfaceable.io. We are committed to handling your information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions, please contact us at hello@surfaceable.io.
1. Who We Are
Surfaceable is operated by Growth Mode, a UK-based agency. For the purposes of data protection law, Growth Mode acts as the data controller for personal data collected through surfaceable.io.
Contact: hello@surfaceable.io
2. What Data We Collect
Account and Identity Data
- Email address (collected at sign-up and used for account authentication)
- Name, if provided during registration
Usage Data
- Pages visited, features used, and actions taken within the platform
- Browser type, device type, IP address, and referring URLs
- Session timestamps and audit log entries
Payment Data
- Billing plan and subscription status
- Payment method details are handled directly by Stripe and are not stored on our servers. We receive only limited non-sensitive information such as the last four digits of a card, card type, and billing postcode.
Website Data You Submit
- Domain names and URLs you submit for SEO audits or AI visibility tracking
- Crawl results, keyword data, and reports generated in your account
3. How We Use Your Data
We use your personal data for the following purposes:
- Account management: To create and manage your Surfaceable account and authenticate your sessions
- Service delivery: To run SEO audits, AI visibility tracking, and generate reports based on the sites you submit
- Billing: To manage your subscription, process payments via Stripe, and send billing-related communications
- Product communications: To send transactional emails such as welcome messages, password resets, and usage alerts
- Product improvement: To analyse how users interact with the platform so we can improve features and fix issues
- Legal compliance: To meet our obligations under applicable law
Our lawful bases under UK GDPR are:
- Contract performance — processing necessary to deliver the service you signed up for
- Legitimate interests — for product analytics and security purposes
- Legal obligation — where required by law
4. Data Storage and Security
Your data is stored in a Supabase PostgreSQL database hosted on servers located in EU West (Ireland). We take reasonable technical and organisational measures to protect your data, including encrypted connections (TLS), access controls, and regular security reviews.
We retain account data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law (for example, financial records, which may be retained for up to 7 years).
5. Third-Party Services
We share data with the following third parties only to the extent necessary to operate the platform:
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Subscription billing and payment processing | USA (Standard Contractual Clauses apply) |
| Supabase | Database hosting and authentication | EU West (Ireland) |
| Vercel | Application hosting and deployment | USA/Edge (Standard Contractual Clauses apply) |
| OpenRouter | AI model routing for AI visibility analysis features | USA (Standard Contractual Clauses apply) |
We do not sell your personal data to third parties. We do not use your data for advertising purposes.
Where third parties are based outside the UK or EEA, transfers are protected by appropriate safeguards, including Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).
6. Cookies
We keep our use of cookies to a minimum. Surfaceable sets only the following cookies:
- Authentication session cookie — a secure, HTTP-only cookie used to keep you logged in during your session. This cookie is strictly necessary for the platform to function and does not require your consent under PECR.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
7. Your Rights Under UK GDPR
As a data subject, you have the following rights:
- Right of access — you can request a copy of the personal data we hold about you
- Right to rectification — you can ask us to correct inaccurate data
- Right to erasure — you can request deletion of your account and associated personal data
- Right to data portability — you can request your data in a structured, machine-readable format
- Right to restrict processing — you can ask us to limit how we use your data in certain circumstances
- Right to object — you can object to processing based on legitimate interests
To exercise any of these rights, please email hello@surfaceable.io. We will respond within one calendar month.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been handled unlawfully.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify you by email or via an in-app notice.
9. Contact
For any privacy-related queries or requests:
Email: hello@surfaceable.io
Website: surfaceable.io
Operated by: Growth Mode — growthmode.agency