Account
Privacy & Your Data
Export your data, delete your account, manage cookie preferences, and exercise your GDPR rights.
Your Data, Your Controls
ReachSurge is GDPR and UK GDPR compliant (Data (Use and Access) Act 2025). You can self-serve everything below from Settings → Privacy & Data, and most of it doesn't require contacting us.
Download your data (Article 15 + Article 20)
Settings → Privacy & Data → Download. Choose JSON (recommended — preserves all field types and nesting) or CSV.
Your export includes:
- Profile information
- Every website, generated page, citation, and backlink record
- Syndication post history
- Analytics events (most recent 10,000)
- Email delivery log
- Audit log entries you're the actor for
- API keys metadata (names, scopes, prefixes — never the raw hash, for security)
- Team memberships
- Your subscription history
- Stripe customer data and invoice history (fetched live at export time)
- Consent records — exactly which version of the Terms + Privacy Policy you agreed to at signup, plus any commitment-tier consents
One click, machine-readable, portable. No human review required.
Delete your account (Article 17)
Settings → Privacy & Data → Delete Account. Type DELETE MY ACCOUNT to confirm — we require the literal phrase to prevent accidental clicks.
When you confirm:
- A 30-day grace window starts. You can cancel the deletion request from the same page during that window — zero penalty.
- Your Stripe subscription is set to cancel at the next billing period, so you're not charged again.
- On day 30, the deletion runs: we purge your rows from every user-owned table, transfer any team-shared knowledge bases to the team owner (so team content survives), delete your Stripe customer record where possible, and delete the auth identity so nobody can log in.
Retention exceptions (these are required by law and disclosed in the privacy policy §7):
- Audit logs — 7 years for security/compliance legal obligations.
- Stripe payment records — up to 7 years for PCI-DSS and tax compliance. Stripe retains these even after we issue the customer-delete request.
Cookie preferences
On your first visit you'll see a banner with three buttons at equal visual weight: Accept all, Reject all, Customize. All three are equally prominent — no dark patterns.
Two categories:
- Essential — always on, can't be disabled (authentication cookies, saved UI preferences, billing session). These are strictly necessary for the service to function.
- Analytics & Product — opt-in. Covers our own pageview tracking and product telemetry. No third-party ad networks. Off by default unless you click Accept all or enable it in Customize.
Your choice is stored with a timestamp so we can demonstrate consent on request. Closing the banner with the × counts as Reject all per EDPB guidance — we don't interpret "no choice" as consent.
Your GDPR Rights (Summary)
| Right | How to exercise |
|---|---|
| Access (Art. 15) | Settings → Privacy & Data → Download |
| Rectification (Art. 16) | Edit your profile, websites, and email preferences directly from Settings. For anything you can't self-serve, email privacy@reachsurge.ai. |
| Erasure (Art. 17) | Settings → Privacy & Data → Delete Account |
| Restriction (Art. 18) | Email privacy@reachsurge.ai — rare in practice, handled case-by-case |
| Portability (Art. 20) | Download is machine-readable JSON/CSV |
| Objection (Art. 21) | Email privacy@reachsurge.ai to object to processing carried out under legitimate interest |
| Withdraw consent (Art. 7(3)) | Settings → Notifications for marketing emails. Unsubscribe links in every marketing email work with one click. |
Complaint authority
You can lodge a complaint with a supervisory authority at any time — you don't have to contact us first.
- UK — Information Commissioner's Office (ico.org.uk)
- EU — Your country's Data Protection Authority (find yours at edpb.europa.eu)
We'd prefer the chance to resolve things first, but it's your right and we support you exercising it.
Where your data lives
- Primary database — Supabase, London, UK (eu-west-2). No cross-border transfer for EU/UK customers' core records.
- US processors — Stripe, OpenAI, Anthropic, Google, Sentry, Perplexity, and Resend operate from the US. Transfers are covered by the EU-US Data Privacy Framework (DPF) where the vendor is certified (Stripe, OpenAI, Anthropic, Google, Sentry, Perplexity, Resend). xAI (Grok) is not DPF-certified and is covered by Standard Contractual Clauses instead.
See the privacy policy §5 and §6 for the full processor list and transfer mechanisms.
FAQ
Does deleting my account remove my public-facing pages? No. Content you published to your own site or a connected CMS stays where it is — it's your content on your infrastructure. We only remove our records of your account.
Can I export my data without losing my account? Yes. Download is a read-only export. Account deletion is a separate, explicit action.
How quickly can I get a full export? It's generated on demand — typically within a few seconds of clicking Download.
What if I change my mind after requesting deletion? Cancel it within 30 days from Settings → Privacy & Data. The request is fully reversible during that window — your subscription is also re-activated.
Does ReachSurge use my content to train AI models? No. Our AI providers (OpenAI, Anthropic, Google, xAI, Perplexity) are contractually bound not to train on API inputs. See the processor matrix in the privacy policy for details.