Privacy Policy

Version 2026-04-24 · Applies to EU GDPR, UK GDPR (as amended by the Data (Use and Access) Act 2025), and PECR.

1. Who We Are (Data Controller)

ReachSurge is the controller of personal data collected through our service.

Registered address: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom.

Privacy contact: privacy@reachsurge.ai

Data Protection Officer: We have assessed that a formal DPO is not required under GDPR Article 37 given our scale and the nature of our processing. We reassess this annually. Please route all privacy enquiries to the contact above.

2. Information We Collect

Required for service: email, account name, at least one website URL, payment method (processed by Stripe — we never store card details).

Optional: profile details you choose to add (company, phone), marketing preferences.

Usage data: pages you generate, features you use, aggregate analytics from your tracked websites.

Website data: when you add a website, we crawl publicly accessible pages for GEO optimization, respecting your robots.txt.

Tracking script: our lightweight tracker collects pageview path (query strings stripped), referrer hostname, traffic source, device type. No personally identifiable visitor data is collected.

What you must provide: If you do not provide the required fields above, we cannot create or maintain your account. Optional fields do not affect access.

3. Why We Use Your Data (Lawful Basis under GDPR Article 6)

  • Contract (Art. 6(1)(b)) — Creating your account, providing the service, generating and optimizing content, tracking AI citations on your behalf, billing, and required transactional notifications.
  • Consent (Art. 6(1)(a)) — Marketing emails and non-essential analytics cookies. You can withdraw consent at any time from Settings → Notifications or by clicking unsubscribe in any marketing email.
  • Legitimate Interest (Art. 6(1)(f)) — Security monitoring, fraud prevention, error logging (Sentry), aggregate product analytics, and enforcing our terms. You can object to processing under this basis at any time.
  • Legal obligation (Art. 6(1)(c)) — Retaining payment records and audit logs required by tax and financial-services regulations.

4. AI Processing and Transparency (EU AI Act Article 50)

We use AI systems from OpenAI, Anthropic, Google, xAI, and Perplexity to generate website content, draft syndication posts and outreach emails, and verify citations across AI search engines. Content produced by these systems is labelled where published to inform the public, in line with the EU AI Act Article 50 transparency obligations (effective 2 August 2026).

We do not carry out fully automated decision-making with legal or similarly significant effect on you (GDPR Article 22). AI-generated content is reviewed before publication, and account actions (suspensions, plan changes) involve human oversight.

5. Third-Party Processors

  • Supabase — Database, auth, storage. Primary data centre in London, UK (eu-west-2). SOC 2 Type II.
  • Stripe — Payment processing. PCI DSS Level 1. EU–US Data Privacy Framework certified.
  • OpenAI — AI content generation and citation verification. EU–US Data Privacy Framework certified.
  • Anthropic Claude — AI content generation and citation verification. EU–US Data Privacy Framework certified.
  • Google (Gemini) — AI content generation and citation verification. EU–US Data Privacy Framework certified.
  • xAI (Grok) — Citation verification. Transfers secured via Standard Contractual Clauses.
  • Perplexity — Citation verification via Sonar API. EU–US Data Privacy Framework certified.
  • Resend — Transactional email delivery. EU–US Data Privacy Framework certified.
  • Sentry — Error monitoring with PII scrubbing. EU–US Data Privacy Framework certified.

6. International Transfers

Your primary data sits in London (UK) on Supabase. Where we transfer data to processors located in the United States, we rely on the EU–US Data Privacy Framework adequacy decision (July 2023) for DPF-certified vendors, or on the European Commission's Standard Contractual Clauses (SCCs) under GDPR Article 46 for vendors that are not DPF-certified. Copies of the SCCs in place are available on request.

7. How Long We Keep Data

  • Account data — for as long as your account is active; deleted within 30 days of a confirmed deletion request.
  • Raw analytics events — 90 days; aggregated daily traffic statistics are retained indefinitely for trend analysis.
  • Email delivery logs — 90 days.
  • Session records — 30 days of idle time before deletion.
  • Audit logs — 7 years (legal obligation under Art. 6(1)(c)).
  • Stripe payment records — Stripe may retain invoices and billing records for up to 7 years under PCI DSS and tax law, which overrides GDPR erasure under Article 17(3)(b). This applies even after you delete your ReachSurge account.

8. Data Storage and Security (Art. 32)

Data is encrypted at rest (AES-256) and in transit (TLS 1.2+, HSTS enforced). We implement row-level security on the database, API key hashing (SHA-256), webhook HMAC-SHA256 signatures, optional MFA for users and mandatory MFA for admins, session timeouts, Content-Security-Policy headers, and PII scrubbing in error monitoring. Staff access to production data is role-gated and audited.

9. Your Rights

  • Access (Art. 15) — Download your data in JSON or CSV from Settings → Privacy & Data.
  • Rectification (Art. 16) — Edit your profile and websites directly from Settings, or email us for anything you can't self-serve.
  • Erasure (Art. 17) — Request account deletion from Settings → Privacy & Data. Processed within 30 days.
  • Restriction (Art. 18) — Email privacy@reachsurge.ai to ask us to temporarily suspend processing while we investigate a concern.
  • Portability (Art. 20) — Your export is machine-readable (JSON / CSV).
  • Objection (Art. 21) — You can object to processing carried out under legitimate interest.
  • Withdraw consent (Art. 7(3)) — From Settings → Notifications, or unsubscribe links in marketing emails. Withdrawing does not affect processing that already happened lawfully.
  • Not to be subject to fully automated decisions (Art. 22) — We do not make such decisions (see §4).

10. Supervisory Authority Complaints

You can lodge a complaint with a supervisory authority at any time — you do not have to contact us first:

  • UK — Information Commissioner's Office (ico.org.uk)
  • EU — Your national Data Protection Authority (find yours at edpb.europa.eu)

We'd prefer the chance to resolve things first, but it's your right and we support you exercising it.

11. Cookies and Terminal-Equipment Storage

We use essential cookies and browser storage for authentication, session security, and your saved UI preferences. A cookie banner appears on first visit and lets you accept or decline non-essential storage; declining does not affect core site functionality. We do not sell cookie data, and we do not use third-party advertising trackers.

12. California Residents (CCPA/CPRA)

California residents have rights equivalent to those in §9 above: to know, access, delete, correct, and port personal information, and to opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioural advertising. To exercise these rights, use the tools in Settings → Privacy & Data or email privacy@reachsurge.ai. We recognise the Global Privacy Control (GPC) browser signal as an opt-out of sale/sharing.

13. Data Breach Notification

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where the risk is high, notify affected individuals without undue delay with the nature of the breach, likely consequences, and mitigation steps.

14. Children

Our service is not directed to children under 16. We require age confirmation at signup and do not knowingly collect data from anyone under 16. If you believe we have, contact us and we will delete the account.

15. Changes to This Policy

When we change this policy we bump the version number above and record what a user agreed to at signup so there is no ambiguity. Material changes will be communicated by email or in-app notice.

16. Contact

Privacy: privacy@reachsurge.ai · General: hello@reachsurge.ai