Effective Date: April 13, 2026 · Last Updated: April 13, 2026 · Version: 2.0
This Privacy Policy describes how Surf Rank Pte. Ltd. ("SurfRank", "we", "us", or "our") collects, uses, stores, and shares information about you when you use our website at surfrank.ai and our AI Search Intelligence Platform (collectively, the "Services").
SurfRank is an AI Search Intelligence Platform that monitors how your brand appears across 12+ AI engines including ChatGPT, Gemini, Perplexity, Claude, Grok, DeepSeek, Meta AI, Copilot, Mistral, Qwen, and more. To deliver this service, we collect and process certain personal and business data as described below.
We are committed to protecting your privacy and handling your data with transparency, security, and respect — in compliance with the Singapore Personal Data Protection Act 2012 (PDPA), the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.
Surf Rank Pte. Ltd.
UEN: 202613085N
10 Marina Boulevard, #39-01
Marina Bay Financial Centre
Singapore 018983
SurfRank operates as both a data controller (for data we collect about our users) and a data processor (when processing brand data on behalf of our customers). This distinction is important for understanding your rights and our obligations.
SurfRank has designated a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and ensuring compliance with applicable privacy laws.
Data Protection Officer
Chris Milliken
Surf Rank Pte. Ltd.
Email: [email protected]
Address: 10 Marina Boulevard, #39-01, Marina Bay Financial Centre, Singapore 018983
For all privacy-related requests, complaints, or questions, please contact our DPO directly at [email protected]. We will respond to all requests within 30 days.
We collect only the data necessary to provide and improve our Services.
For users in the European Economic Area (EEA), we process your personal data under the following lawful bases as required by Article 6 of the GDPR:
| Processing Activity | Lawful Basis |
|---|---|
| Creating and managing your account | Contract — necessary to perform our agreement with you |
| Providing the AI visibility platform and reports | Contract — necessary to deliver the Services you have paid for |
| Processing payments | Contract — necessary to fulfil our billing obligations |
| Sending transactional emails (receipts, alerts) | Contract — necessary to fulfil our agreement |
| Sending marketing communications | Consent — you can withdraw at any time |
| Improving our platform and features | Legitimate Interest — to develop and improve our Services |
| Fraud detection and security monitoring | Legitimate Interest — to protect our platform and users |
| Compliance with legal obligations | Legal Obligation — where required by applicable law |
| Analytics and usage monitoring | Legitimate Interest — to understand how our platform is used |
If you wish to object to processing based on Legitimate Interest, please contact [email protected].
We use the information we collect to:
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects without human review.
We do not sell, rent, or trade your personal information to any third party.
We may share your information only in the following limited circumstances:
We share data with carefully selected third-party vendors who help us operate our platform. These providers are contractually bound to process your data only on our instructions and in accordance with this policy. See Section 7 for our full sub-processor list.
When performing AI visibility scans, we send brand-related queries to AI engines (ChatGPT, Gemini, Perplexity, Claude, etc.). These queries contain only the brand keywords, prompts, and domain information you have configured — they do not include your personal information such as name, email, or billing details.
If you connect your Google Analytics account, we access your analytics data solely to display AI-referred traffic insights within your SurfRank dashboard. We do not store, share, or process this data beyond what is necessary to provide this feature.
We may disclose your information when required by applicable law, regulation, legal process, court order, or governmental authority. We will notify you of such requests unless prohibited by law.
In the event of a merger, acquisition, sale of assets, or financing, your information may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
We will share your information with third parties only when you have given us clear, explicit permission to do so.
We may disclose information to protect the rights, property, or safety of SurfRank, our users, or the public, where required or permitted by law.
We use the following categories of third-party sub-processors to deliver our Services:
| Category | Purpose | Examples |
|---|---|---|
| Cloud Infrastructure | Platform hosting, data storage, and computing | Google Cloud, Cloudflare, Hetzner |
| Payment Processing | Secure billing and subscription management | Stripe |
| Email Delivery | Transactional and marketing emails | Resend |
| Analytics | Platform usage monitoring and improvement | Internal analytics |
| Customer Support | Help desk and support ticketing | Intercom / Zendesk |
| AI Engine APIs | Running brand visibility queries | OpenAI, Google, Anthropic, etc. |
| Error Monitoring | Platform reliability and bug detection | Sentry |
All sub-processors are bound by data processing agreements and are required to implement appropriate technical and organisational security measures. We conduct regular reviews of our sub-processors to ensure ongoing compliance.
A full and up-to-date list of sub-processors is available upon request at [email protected].
We implement comprehensive technical and organisational security measures to protect your personal data:
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and affected individuals without undue delay, in accordance with our obligations under GDPR and PDPA.
While we implement industry-leading security measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we continuously work to improve our protections.
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements.
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 2 years after deletion |
| Billing and transaction records | 7 years (legal/tax obligation) |
| AI visibility reports and scan data | Duration of account + 90 days after deletion |
| Usage and log data | 12 months on a rolling basis |
| Support correspondence | 3 years from last interaction |
| Marketing consent records | Until consent is withdrawn + 3 years |
| Google Analytics data | Not stored — accessed in real time only |
When you request account deletion, we will delete or irreversibly anonymise your personal data within 30 days, except where retention is required by applicable law.
Depending on your location, you have the following rights regarding your personal data. We will respond to all requests within 30 days.
All of the above, plus:
All of the above, plus:
To exercise any of your rights, please contact us at [email protected]. We may need to verify your identity before processing your request.
SurfRank is headquartered in Singapore. Your data may be transferred to and processed in countries outside of Singapore, including countries in the European Economic Area, the United States, and other jurisdictions where our sub-processors operate.
We ensure that any international transfer of personal data is subject to appropriate safeguards:
By using our Services, you acknowledge that your data may be processed in jurisdictions with different data protection laws than your own. We are committed to ensuring your data receives an equivalent level of protection regardless of where it is processed.
A copy of our Standard Contractual Clauses is available upon request at [email protected].
SurfRank's core function involves querying AI engines on behalf of our users. Here is how this works and what data is involved:
Each AI engine you activate in your project is governed by that engine's own terms of service and privacy policy. By using SurfRank, you acknowledge that brand-related queries will be sent to your selected AI engines. We do not control how those engines process the queries we send.
Our Services are intended for business use and are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will take immediate steps to delete such information. If you believe we may have collected data from a child, please contact [email protected] immediately.
This section applies to California residents and supplements the rights described in Section 10.
Email: [email protected]
Subject line: "CCPA Privacy Request"
We will respond within 45 days. Complex requests may require an additional 45 days with prior notice.
California residents may designate an authorised agent to make requests on their behalf. We will require written verification of the agent's authority before processing such requests.
SurfRank complies fully with the Personal Data Protection Act 2012 (PDPA) of Singapore and its associated regulations and guidelines issued by the Personal Data Protection Commission (PDPC).
We comply with Singapore's Do Not Call Registry. We will not send marketing messages to Singapore telephone numbers registered on the DNC Registry without your explicit consent.
For PDPA-related queries or complaints, contact our DPO at [email protected] or write to us at our registered Singapore address above. You may also contact the PDPC directly at pdpc.gov.sg.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
We encourage you to review this Privacy Policy periodically. If you disagree with any changes, you may close your account by contacting us at [email protected].
Previous versions of this Privacy Policy are available upon request.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Protection Officer
Surf Rank Pte. Ltd.
Email: [email protected]
Website: surfrank.ai/privacy
Address: 10 Marina Boulevard, #39-01, Marina Bay Financial Centre, Singapore 018983
Response time: We aim to respond to all privacy requests within 30 days. Complex requests may require additional time, in which case we will inform you of the expected timeline.
