Privacy Policy
Last updated: · Effective:
1. Introduction & scope
Surfacedd is an AI advertising network. This Privacy Policy describes how we collect, use, share, and retain personal data across four groups: brand advertisers who buy inventory through Surfacedd; AI app developers (publishers) who integrate the Surfacedd SDK into their applications; end users of those publisher AI applications who see sponsored surfaces delivered by Surfacedd; and visitors to the Surfacedd marketing website at surfacedd.com.
Surfacedd is a dual-entity company. The US operating entity is the contracting party for counterparties in the Americas and acts as the business under the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the "CCPA") and as the controller under equivalent US state privacy laws, the EU General Data Protection Regulation (the "GDPR"), the UK GDPR, and the Brazilian General Data Protection Law (the "LGPD"). The Singapore holding entity is the contracting party for counterparties in Asia-Pacific and acts as the organization under the Singapore Personal Data Protection Act (the "PDPA") and, at Surfacedd's election, as the Data Fiduciary under the India Digital Personal Data Protection Act 2023 (the "DPDP Act"). Where the identity of a specific contracting entity becomes material in context, it is identified in the relevant Order Form or commercial agreement and will be updated in this document before general availability of the platform.
This policy does not govern personal data that Surfacedd processes solely as a service provider, processor, or equivalent role on behalf of an advertiser or publisher. That processing is governed by the Data Processing Addendum available at /legal/dpa and incorporated into each commercial agreement.
2. Data we collect, by role
Surfacedd collects the minimum personal data necessary to deliver its services. The categories differ by the role the data subject occupies. The tables below describe each category, its source, the purposes for which it is used, the legal basis under the GDPR (and equivalent frameworks), and the retention period.
2.1 Advertiser account data
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Contact data | Name, business email, phone, job title | Advertiser provides it during registration or demo | Account creation, billing, support, B2B marketing |
| Billing data | Company name, billing address, VAT/GST/tax ID, card last-4 via Stripe | Advertiser, Stripe | Invoicing, tax reporting, fraud prevention |
| Campaign data | Creative assets, landing-page URLs, targeting inputs, bid data, conversion pixels | Advertiser | Running the campaign, measurement, brand-safety review |
| Usage data | Dashboard access logs, feature use, API request metadata | Generated by platform | Service operation, security, product improvement |
2.2 Publisher account data
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Contact data | Name, business email, phone, company details | Publisher provides during registration | Account creation, support, payout coordination |
| Banking & KYC data | Bank account details, tax forms (W-9, W-8BEN, equivalents), government ID where required by Stripe Connect | Publisher, Stripe Connect | Payout processing, tax reporting, sanctions screening |
| SDK telemetry | App ID, integration version, impression/click counts, error logs | Publisher application via SDK | Attribution, revenue-share calculation, debugging, fraud detection |
| Revenue-share data | Earnings per period, payout history, chargebacks and clawbacks | Generated by platform | Accounting, tax, dispute resolution |
2.3 End-user data (sponsored surfaces inside publisher AI apps)
Surfacedd does not require end users to register, identify themselves, or create a Surfacedd account. Surfacedd does not use third-party cookies, mobile advertising identifiers, cross-site identifiers, or persistent unique identifiers to deliver sponsored content. Ad matching is performed on the basis of transient query context supplied by the publisher's AI application at the moment of the ad request. That query context is processed to return a matching sponsored surface and is not retained in identifiable form after the match event. Surfacedd does not build a profile of any end user and does not combine information across publisher applications to infer end-user attributes.
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Transient query context | Text of the user’s current prompt or a summarized intent signal derived from it | Publisher app at ad-request time | Contextual ad matching |
| Impression & click events | Event timestamp, sponsored surface ID, publisher app ID, anonymized request hash | Generated by the SDK when a sponsored surface renders or is clicked | Billing, measurement, invalid-traffic detection |
| Coarse signals | Approximate country, language, device class, and publisher-declared app category | Publisher app | Eligibility matching, brand-safety controls, fraud detection |
2.4 Marketing-site visitors (surfacedd.com)
| Category | Examples | Source | Purpose |
|---|---|---|---|
| Analytics data | Pageviews, referral source, device class, approximate location, scroll and engagement events | Google Analytics 4 (first-party cookies) | Traffic measurement, product improvement, marketing performance |
| Authentication data | Session token, CSRF token, callback URL (NextAuth) | Session management when a visitor signs in | Keeping the session active and preventing cross-site request forgery |
| Form submissions | Waitlist signup, contact forms, demo requests | Visitor | Responding to the request, onboarding, sales follow-up |
| Server logs | IP address (truncated where supported), user agent, timestamp | Surfacedd hosting (Vercel) | Security, fraud prevention, diagnostics |
3. How we use personal data
Surfacedd uses personal data only for the following purposes. Each purpose is tied to a specific legal basis under the GDPR and equivalent frameworks; see Section 4.
- Delivering and matching contextual sponsored content to AI app queries at the moment of the ad request.
- Measuring impressions, clicks, and conversions for advertiser billing, publisher payouts, and performance reporting.
- Invoicing and payments — including invoicing advertisers, paying publishers via Stripe Connect, and complying with tax-reporting obligations.
- Detecting invalid traffic, fraud, and sanctions-list matches consistent with the IAB/MRC Invalid Traffic Detection and Filtration Guidelines and applicable sanctions regimes (OFAC, EU, UK, Singapore, UN).
- Providing the self-serve dashboard, authentication, and account security for advertisers and publishers.
- Operating the marketing website at surfacedd.com and responding to demo, sales, and support inquiries.
- Complying with law, enforcing our terms, and defending claims in courts or before regulatory authorities.
- Improving the product through aggregate analysis of platform performance. Surfacedd does not use end-user query context, impressions, or clicks to train foundation models or general-purpose AI systems, and does not license that data to any third party for model-training purposes.
- Direct B2B marketing to advertisers and publishers about Surfacedd products, events, and research, with a one-click unsubscribe mechanism.
4. Legal bases (GDPR, UK GDPR, LGPD)
Where the GDPR, the UK GDPR, or the LGPD applies, Surfacedd relies on the following legal bases for processing:
| Processing | GDPR legal basis | Reasoning |
|---|---|---|
| Contextual ad matching (transient query context) | Legitimate interest (Art 6(1)(f)) | No profile is built, no cross-site identifier is used, and the processing is necessary to deliver the sponsored surface the publisher integrated. The European Data Protection Board December 2025 case digest confirmed that contextual advertising can rely on legitimate interest where behavioral profiling does not. |
| Advertiser and publisher account data | Contract (Art 6(1)(b)) | Processing is necessary to perform the Master Services Agreement and related addenda. |
| Payment and tax processing | Contract + legal obligation (Art 6(1)(b) and Art 6(1)(c)) | Necessary to perform the contract and to meet tax, accounting, and anti-money-laundering obligations. |
| Invalid-traffic and fraud detection | Legitimate interest + legal obligation (Art 6(1)(f) and Art 6(1)(c)) | Required to maintain a functioning ad marketplace and to comply with contractual and statutory obligations to detect and prevent fraud. |
| B2B marketing to advertisers and publishers | Legitimate interest or consent (Art 6(1)(f) or Art 6(1)(a)) | Where national law requires opt-in for B2B marketing, consent is the basis; otherwise, soft opt-in for existing customers with one-click unsubscribe. |
| Marketing-site analytics beyond strictly necessary | Consent (Art 6(1)(a)) | Collected via the cookie consent mechanism described in the Cookie Policy. |
| Compliance with law and defense of claims | Legal obligation + legitimate interest | Article 6(1)(c) and Article 6(1)(f). |
Under the LGPD, the equivalent lawful bases in Article 7 apply — contract, legal obligation, legitimate interest, and consent as described above. Under the UK GDPR the equivalent bases in Article 6 apply without modification.
5. How we share personal data
Surfacedd shares personal data only with the categories of recipients listed below, in each case for the purpose stated and subject to appropriate contractual safeguards.
| Recipient category | Named recipients | Purpose |
|---|---|---|
| Hosting and infrastructure | Vercel Inc. (United States) | Serving surfacedd.com and the Surfacedd API edge |
| Managed database | Postgres managed hosting provider (region depends on deployment) | Storing account, billing, and reporting data |
| Payments | Stripe Inc., Stripe Payments Europe Ltd., Stripe Connect Connected Accounts | Advertiser billing, publisher payout, KYC, tax forms |
| Website analytics | Google LLC (Google Analytics 4) | Aggregate measurement of surfacedd.com traffic |
| Transactional email | Surfacedd’s email delivery vendor (named before general availability) | Sending account, billing, and product-update emails |
| Support and CRM | Surfacedd’s CRM / support desk vendor | Managing inbound support, onboarding, and sales conversations |
| Advertisers and publishers | The advertiser or publisher to which the reporting relates | Aggregate performance reporting (no raw end-user data) |
| Legal and regulatory recipients | Courts, regulators, and law-enforcement authorities | Narrowly tailored disclosure in response to valid legal process, subject to challenge rights and transparency reporting |
| Professional advisors | Auditors, external counsel, tax advisors | Audit, tax, and legal advice under professional-privilege obligations |
| Successor entities | Acquirers, merger partners, or investors in due diligence | Subject to confidentiality obligations and commitments to honor this Privacy Policy or notify affected users of a material change |
Surfacedd maintains the full, current list of subprocessors in the Data Processing Addendum at /legal/dpa. Material changes to the subprocessor list are notified to advertisers and publishers via the dashboard and email.
6. International data transfers
Surfacedd operates globally. Personal data may be processed outside the country in which it was collected. Where required, Surfacedd implements transfer mechanisms that provide an essentially equivalent level of protection.
- EEA to outside the EEA: Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914 (the "EU SCCs"), supplemented by a transfer impact assessment available on request.
- United Kingdom to outside the UK: The UK International Data Transfer Agreement (the "UK IDTA") or the UK Addendum to the EU SCCs, as applicable.
- Singapore transfers: Contractual clauses providing a standard of protection comparable to the Singapore PDPA, consistent with PDPC guidance on Section 26.
- India transfers: Where the DPDP Act applies, transfers occur only to jurisdictions not restricted by the Ministry of Electronics and Information Technology.
- Brazil transfers: Transfers under LGPD Article 33, relying on standard contractual clauses or controller documented commitments as published by the ANPD.
If any of Surfacedd's subprocessors is certified under the EU-US Data Privacy Framework or its UK or Swiss extensions, that certification is identified in the DPA. Surfacedd provides redacted copies of transfer impact assessments to data subjects on request where disclosure does not compromise security or confidentiality.
7. Data retention
Surfacedd retains personal data only as long as needed for the purpose it was collected, for periods required by law, or for the resolution of disputes. The standard retention periods below apply unless law or an enforceable contractual obligation requires a different period.
| Data category | Retention period | Trigger |
|---|---|---|
| Transient query context | Purged within 24 hours of the match event | Time-based purge |
| Impression and click events | 24 months | Covers billing, chargeback, and invalid-traffic audit windows; aggregated thereafter |
| Advertiser and publisher account data | Life of account + 7 years | Tax, accounting, and Stripe-mandated retention |
| Billing and invoice records | 7 years after issue | US and EU tax-record retention standards |
| Marketing-site analytics (GA4) | 14 months | Default GA4 event-data retention |
| Authentication session tokens | Until logout or 30 days of inactivity, whichever is sooner | Session rotation policy |
| Customer support records | 3 years after case close | Service quality and regulatory defense |
| Marketing consent records | Life of consent + 3 years after withdrawal | Defense of a marketing claim |
Where a specific retention period cannot be pre-determined, Surfacedd uses the criteria described in each row of the table — for example, the end of the audit window, the closure of the case, or the withdrawal of consent — to determine when the data is deleted or aggregated.
8. Your rights
Subject to the limits of applicable law, individuals have the rights listed below. To exercise a right, email [email protected] with your request, your jurisdiction of residence, and identifying information sufficient to verify the request. Verification does not require creating a new account and does not result in the collection of data beyond what is necessary.
- Access — a copy of the personal data Surfacedd holds about you.
- Correction or rectification — correction of inaccurate or incomplete data.
- Deletion or erasure — deletion subject to statutory retention and overriding interests.
- Portability — a structured, commonly used, machine-readable export of data you provided.
- Restriction — pausing processing while a request is under review.
- Objection — to processing based on legitimate interest, including to direct marketing.
- Withdraw consent — where processing relies on consent.
- Opt out of sale, sharing, and targeted advertising — Surfacedd does not sell or share personal data as defined by US state privacy laws; the Do Not Sell or Share link is honored regardless.
- Limit use of sensitive personal information — where US state laws recognize that right.
- Opt out of profiling and automated decision-making — where US state laws (Colorado, Connecticut, Virginia, Delaware, Oregon, Texas, Maryland, Minnesota, New Hampshire, New Jersey) or the GDPR recognize that right.
- Non-discrimination — exercising a right will not result in denial of service, differential pricing, or degraded quality.
- Appeal — in Colorado, Connecticut, Virginia, Oregon, and similar states, a right to appeal a denial and, if denied on appeal, to contact the state attorney general.
- Lodge a complaint — with your supervisory authority (the ICO in the UK; your home-country data protection authority in the EEA; the PDPC in Singapore; the Data Protection Board under the DPDP Act in India; the ANPD in Brazil).
Global Privacy Control (GPC). Surfacedd honors the GPC signal on surfacedd.com as a valid opt-out of sale, share, and targeted advertising under US state laws that recognize a universal opt-out mechanism as of 1 January 2026, including California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Hampshire, New Jersey, Oregon, and Texas. A confirmation signal is displayed when the opt-out is registered.
Authorized agents. You may designate an authorized agent to submit a request on your behalf. The agent must provide proof of authorization and Surfacedd may still verify the identity of the underlying consumer.
Response windows. 45 days from verifiable receipt under US state laws (extendable by another 45 days where warranted); 30 days under the GDPR and UK GDPR (extendable by two months for complex requests); the statutory windows under the India DPDP, Singapore PDPA, and Brazil LGPD. Response is free of charge, except where requests are manifestly unfounded or excessive, in which case Surfacedd may charge a reasonable fee or decline to act as the law allows.
9. Sensitive Personal Information
Surfacedd does not intentionally process sensitive personal information (as defined by the CPRA, Colorado, Connecticut, Oregon, Virginia, and equivalent statutes) or special categories of personal data (as defined by GDPR Article 9) except where required by law (for example, tax identification numbers for publisher payouts and KYC documentation required by Stripe Connect). Surfacedd does not sell, share, or use sensitive personal information for cross-context behavioral advertising.
Query context received from publisher AI applications may incidentally contain sensitive topics — for example, a user asking a health-related question of a medical-advice AI app. Surfacedd processes that context transiently for the sole purpose of matching the sponsored surface, does not retain it in identifiable form after the match event, and does not use it to build a profile, categorize the user, or serve content across applications. Publisher apps are responsible for any end-user notice or consent required in the publisher’s own UX; see the Publisher Terms Addendum.
Effective 1 January 2026, personal information of California consumers under the age of 16 is treated as sensitive personal information under the CCPA. Surfacedd is a business-to-business service and does not direct any product at persons under 16. Surfacedd does not knowingly collect personal data from children under 13 (COPPA), under 16 (GDPR Article 8 where applicable), or the equivalent age thresholds in other jurisdictions.
10. Automated decision-making & AI disclosures
Surfacedd operates an automated ad-matching engine. The engine decides which sponsored surface to return in response to a publisher’s ad-request API call. Those decisions are about sponsored content, not about the end user. The engine does not score, categorize, or profile end users; does not make decisions with legal or similarly significant effects (eligibility for employment, credit, housing, insurance, education, or government benefits); and therefore does not engage GDPR Article 22 or equivalent provisions in US state or Brazilian law.
Surfacedd does not use end-user query context, impressions, or click data to train foundation models or general-purpose AI systems, and does not license that data to any third party for model-training purposes.
EU AI Act Article 50. The EU AI Act (Regulation (EU) 2024/1689) Article 50 imposes transparency obligations on deployers of AI systems that interact directly with natural persons and on deployers that generate synthetic text published to the public. Where a Surfacedd-integrated publisher deploys such a system, the publisher is the "deployer" under Article 50 and is responsible for the deployer-side disclosures. Surfacedd provides a clearly-labeled "Sponsored" marker and the technical mechanics required to render that label through the SDK. Publishers are contractually required to render the label as provided and to keep it visible and proximate to any Surfacedd-served content. See the Publisher Terms Addendum.
11. Children
Surfacedd is a business-to-business service and its product surfaces are not directed at children under 13 (United States, under COPPA), under 16 (European Economic Area, under GDPR Article 8 where applicable), or the equivalent age thresholds in other jurisdictions. Surfacedd does not knowingly collect personal data from children. If a parent or guardian believes a child has provided personal data to Surfacedd, contact [email protected] and Surfacedd will delete the data and terminate any associated account.
12. Security
Surfacedd maintains administrative, technical, and organizational measures designed to protect personal data. These include transport-layer encryption with TLS 1.2 or higher for data in transit; AES-256 encryption for data at rest; least-privilege access controls in the managed Postgres database; hardware-backed key storage where supported; nonce-based Content Security Policy headers on the web tier; security headers enforced at the edge (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy); encrypted OAuth tokens; and logging of administrative actions.
Surfacedd’s security program is maturing toward SOC 2 Type II readiness. External penetration tests and vulnerability scans are performed on a recurring basis. No security program is perfect; if Surfacedd becomes aware of a personal data breach affecting EEA or UK data subjects, it will notify the relevant supervisory authority within 72 hours under GDPR Article 33 and the UK GDPR equivalent and, where a high risk to rights and freedoms exists, will notify affected individuals. Equivalent breach notifications apply under the India DPDP Act, the Singapore PDPA, the US state laws requiring breach notification, and the Brazil LGPD.
13. Jurisdiction-specific notices
California (CCPA as amended by CPRA)
In the preceding 12 months Surfacedd has collected the categories of personal information described in Section 2 from the sources described in Section 2 and has used them for the purposes described in Section 3. Categories disclosed to service providers are described in Section 5. Surfacedd has not sold or shared personal information for cross-context behavioral advertising and does not offer financial incentives in exchange for personal information. You can exercise your rights as described in Section 8, including via the "Do Not Sell or Share My Personal Information" link in the surfacedd.com footer. The California Consumer Privacy Rights Act of 2020, effective as amended on 1 January 2026, applies; Surfacedd honors the Global Privacy Control and displays a confirmation signal when the opt-out is registered. California residents additionally have "Shine the Light" rights under Civil Code §1798.83.
Colorado, Connecticut, Virginia, Utah, Oregon, Texas, Delaware, Maryland, Minnesota, New Hampshire, New Jersey, Montana, Tennessee, Iowa, Indiana
Consumers resident in these states have the rights described in Section 8, subject to the specific rules of the applicable state statute. Colorado, Connecticut, Virginia, and Oregon provide an internal appeal right when Surfacedd declines a request; contact [email protected] to appeal. Surfacedd recognizes universal opt-out mechanisms (Global Privacy Control) where state law requires recognition.
EEA and United Kingdom
Section 4 describes the legal bases relied on under the GDPR and UK GDPR. Surfacedd will appoint an Article 27 representative in the EEA and an Article 27 UK representative before general availability of the platform; contact for the representative will be published in this document. Until then, inquiries may be directed to [email protected] and will be routed to the team responsible for EEA and UK matters. You have the right to lodge a complaint with your supervisory authority (ICO for the UK; the supervisory authority in your country of residence in the EEA).
India (DPDP Act 2023)
Surfacedd acts as a Data Fiduciary for the purposes of the India DPDP Act in respect of the data processing described in this policy. Consent notices meeting DPDP Section 5 and 6 requirements are provided at the point of collection where consent is relied upon. Data Principals have the rights described in DPDP Sections 11 to 14, including access, correction, erasure, grievance redressal, and nomination. A Grievance Officer will be appointed and the contact address published in this document before general availability of the platform; until then, inquiries may be directed to [email protected]. If a Significant Data Fiduciary designation applies, Surfacedd will appoint an India-based Data Protection Officer and publish those details accordingly. Data Principals may also complain to the Data Protection Board of India.
Singapore (PDPA)
Surfacedd’s Singapore holding entity is the organization under the Singapore Personal Data Protection Act. A Data Protection Officer is designated as required by PDPA Section 11; the DPO business contact address will be published in this document before general availability and, until then, inquiries may be directed to [email protected]. Transfers of personal data out of Singapore occur only where the recipient provides a standard of protection comparable to the PDPA, consistent with Section 26 and PDPC guidance.
Brazil (LGPD)
Where the LGPD applies, Surfacedd acts as Controlador with respect to the processing described in this policy and will publish the contact address of its Encarregado (Data Protection Officer) in this document. Data subjects have the rights in Article 18 of the LGPD and may lodge a complaint with the ANPD.
Canada and Québec
Where Canadian federal PIPEDA or Québec Law 25 applies, Surfacedd will designate a Privacy Officer and publish the contact address in this document. Individuals may exercise the rights available under PIPEDA or Law 25, including access, correction, and complaint to the Office of the Privacy Commissioner of Canada or the Commission d’accès à l’information du Québec, as applicable.
14. Changes, contact, effective date
Surfacedd may update this Privacy Policy from time to time. Material changes will be notified to advertisers and publishers at least 30 days in advance by email and via the product dashboard. Non-material changes take effect upon posting. The "Last updated" date at the top of this page reflects the most recent revision. An archive of prior versions is available on request.
For privacy, policy, or legal inquiries contact [email protected]. Named representatives and officers under the GDPR, UK GDPR, PDPA, DPDP Act, and LGPD (the Article 27 representatives for the EEA and the UK, the Data Protection Officer for the Singapore PDPA, and the India DPDP Grievance Officer) will be appointed and published in this document before general availability of the platform. Until then, [email protected] will reach the team responsible for each regime.