Surfacer.

Privacy Policy

Last updated: May 24, 2026

This Privacy Policy explains what personal data Surfacer collects, why it is processed, and what rights you have under the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications-Telemedia Data Protection Act (TTDSG).

1. Controller

Justus Gotthardt & Lukas Gogol GbR, Birkenauer Str. 51, 68309 Mannheim, Germany.
Contact: kontakt@jl-studios.de

Data Protection Officer. A statutory Data Protection Officer (DPO) is not required under § 38 BDSG for an organisation of our size that does not primarily process special categories of personal data. Privacy enquiries are handled directly by the controller at the contact address above.

2. Data We Collect

Category | Data | Purpose
Account | Name, email, hashed password, plan, trial status, organisation membership | Authentication, service delivery, billing eligibility
Session & security | IP address, user-agent, session token, login timestamps | Login security, fraud prevention, abuse mitigation
Usage | Pages visited, features used, swipe ratings, dwell times, learned preference profile | Product improvement, lead-ranking personalisation
Cookies | Session token, middleware session cookie, consent preferences, language preference | Login persistence, OAuth state, compliance
Pipeline / scans | URLs submitted, extracted company data (name, address, size, products, jobs, news, legal entity from public Impressum), scan job history | Core service functionality
Discovery tasks | Ideal-customer-profile descriptions you provide, generated search keywords, discovered URLs, task status | Lead discovery for your account
Custom signals | Signal definitions you compose (atoms + free-text rider), per-signal subscriptions, match events, composer telemetry (per-session UUID) | Notifying you when monitored conditions fire
Monitoring slots | The companies you elect to monitor, change-signal history | Recurring change detection
Dashboard event stream | In-memory pub/sub of recent signal fires, last ~30s window per user | Live updates on the dashboard
Contact enrichment | Decision-maker names, email addresses, phone numbers, job titles obtained from Hunter.io against companies you save | Lead generation for your outreach (per-user, never shared between users)
CRM connection | OAuth tokens (encrypted), CRM portal ID, sync preferences, closed-won customer domains, lookalike centroid (384-dim homepage embedding average) | Syncing leads to your CRM, lookalike ranking
Mailbox connection | Gmail OAuth tokens (encrypted), authenticated email address | Sending B2B outreach from your mailbox (only when you click Send)
Outreach configuration | Pitch, email signature, Impressum URL, attestation timestamp, template content, blocklist entries | Composing the emails you send + respecting opt-outs
Outreach audit log | Per-send: subject, body, recipient, Gmail message-id, status, timestamps | Audit trail for compliance — retained per §10
Billing & credits | Stripe customer ID, subscription ID, plan, monthly + rollover credit balances, append-only credit-transaction ledger with reason codes, top-up purchase history, slot-overage charges | Subscription billing, top-up checkout, dispute resolution
Support tickets | Subject, messages, attachments you upload to in-app feedback | Customer support, bug reports

Source of indexed company data (Art. 14 GDPR). Surfacer indexes companies from publicly available sources — corporate websites, public business registries (Impressum), public job-board listings, RSS news feeds, and search-engine results. Where indexed records contain personal data of a managing director, contact person, or signatory, that data is taken only from sources where the data subject has actively made it public for business-identification purposes. See §11 (your rights) to request rectification or erasure of any individual record.

3. Contact Enrichment & Data Isolation

When you save a company as "Interested", we may use third-party services to find decision-maker contact information (name, email, phone, job title). This data is:

  • Stored per-user — your enrichment results are never visible to other users, even if they analyse the same company
  • Encrypted at rest — contact data and OAuth tokens are encrypted at the application layer using Fernet (AES-128-CBC + HMAC-SHA256) before database storage; the encryption key is stored separately in Google Secret Manager
  • Not used for training — we never use your enrichment data, CRM data, contact information, or outreach content to train models, improve algorithms, or benefit other users
  • Deletable on request — you can request deletion of all enrichment data at any time

4. CRM Integration

You may optionally connect a third-party CRM (such as HubSpot) via OAuth 2.0. When connected:

  • We create company and contact records in your CRM when you save a lead
  • We read company domains from your CRM to avoid showing duplicates in your feed, and to compute a "lookalike" centroid from your closed-won customers' homepages
  • We never modify or delete your existing CRM data
  • We never access CRM data beyond what is needed to operate the integration
  • OAuth tokens are encrypted at rest and stored separately from your CRM data
  • You can disconnect at any time from Feed Settings — this revokes access and removes synced blocklist data

5. Mailbox Connection & Outreach

You may optionally connect a mailbox (Gmail) via OAuth 2.0 to send B2B outreach drafted by Surfacer. When connected:

  • We send only the emails you click Send on — the feature is not autonomous; the From: header is your authenticated mailbox address
  • We request the minimum scope necessary — gmail.send only; we do not read your inbox, list messages, or access labels
  • OAuth tokens are encrypted at rest using application-level encryption (Fernet/AES-128) before database storage
  • For each send, we retain an audit row (subject, body, recipient, Gmail message-id, status, timestamps) so compliance disputes can be reconstructed
  • You are the legal sender for every email composed and sent through the feature. The legal responsibilities of an email sender (UWG §7, Art. 6(1)(f) GDPR / berechtigtes Interesse, anti-spam) sit with you. Surfacer acts as a tool / processor for the composing and sending step
  • If you provide an Impressum URL, you attest that the linked page is your own legitimate business identification page in compliance with §5 TMG. We do not verify ownership; the truthful-attestation burden is yours
  • You can disconnect at any time from Settings → Outreach — this revokes the OAuth grant and disables further sends; the audit log of past sends is retained per §10

6. Legal Basis (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) — account management, pipeline execution, contact enrichment, CRM sync, billing, credit ledger, monitoring slots, custom-signal subscriptions, support tickets
  • Consent (Art. 6(1)(a)) — analytics cookies (only with opt-in), CRM connection (you initiate), mailbox connection (you initiate)
  • Legitimate interest (Art. 6(1)(f)) — security and fraud prevention, essential cookies, de-duplication of leads, abuse mitigation via reCAPTCHA on signup forms, indexing of publicly available company data for B2B research
  • Legal obligation (Art. 6(1)(c)) — tax-record retention for billing data, response to lawful authority requests

7. Automated Decision-Making & Profiling

Surfacer applies algorithmic ranking to surface leads. None of these processes produce a "decision based solely on automated processing which produces legal effects" within the meaning of Art. 22 GDPR — every meaningful outcome (whether to contact a company, save them, send an email) is taken by you, not by the system. The relevant processes are:

  • ICP scoring — a 0-10 score generated per company using LLM analysis against your ideal-customer-profile description
  • Preference learning — your swipe ratings update a per-dimension preference profile that re-ranks the feed
  • Lookalike scoring — for CRM-connected users, similarity to your closed-won customer centroid
  • Signal matching — a custom-signal rule fires when extracted company data matches your saved conditions; the LLM verifier confirms ambiguous matches

You can request a manual review of any specific ranking, signal match, or extracted record by contacting us. You can also reset your preference profile from Settings.

8. Cookies

Cookie | Type | Purpose | Duration
session | Essential | Login session (JWT) | 30 days
surfacer_mw | Essential | Server-side session state (OAuth flow) | Session
cookie_consent | Essential | Cookie preferences | 365 days
lang | Functional | Language preference (en / de) | 365 days

You can manage your cookie preferences at any time using the cookie settings button in the page footer. Surfacer does not currently set advertising or analytics cookies.

9. Third-Party Processors

Processor | Purpose | Data shared | Location
Google Cloud Platform | Application hosting (Cloud Run web + worker), database (Cloud SQL Postgres), object storage, DNS, secret management, load balancing | All application data | EU (Frankfurt, europe-west3)
OpenAI | LLM processing for data extraction, briefings, signal verification, image generation for release-art previews | Website content excerpts, extracted facts, signal-rule definitions — no payment data, no contact-enrichment PII | US (EU SCCs)
Hunter.io | Decision-maker email lookup | Company domain, managing director name | EU (France)
HubSpot | CRM sync (only if you connect) | Company data, contacts you save, blocklist entries | EU (Ireland)
Stripe | Payment processing for subscriptions + credit top-up packs | Payment details (handled directly by Stripe), customer ID, subscription state, invoice + webhook events | EU / US (EU SCCs)
ScrapingBee | Web page fetching for sites that block direct extraction | URLs we attempt to fetch on your behalf | EU (France)
Google (Gmail API) | Sending outreach emails (only if you connect a mailbox) | Drafted email body, subject, recipient address | EU / US (EU SCCs)
Google Workspace (SMTP) | Transactional emails from Surfacer (signup, verification, password reset, billing receipts, monitoring digests, newsletter) | Recipient email, subject, body, send metadata | EU / US (EU SCCs)
Google reCAPTCHA v3 | Bot mitigation on the public lead-magnet signup form | IP address, user-agent, interaction signals on the form page | EU / US (EU SCCs)
Calendly | Embedded booking widget on the landing page for scheduling demo calls | Visitor selections within the widget; only the chosen slot + the data you actively enter when booking | US (EU SCCs)

All processors are bound by data processing agreements (DPAs). Data is transferred only as necessary for the stated purpose. Where a processor is located outside the European Economic Area, the transfer relies on the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision.

10. Data Retention

  • Account data — retained while your account is active
  • Pipeline results — retained while your account is active
  • Discovery tasks & results — retained while your account is active
  • Custom-signal subscriptions & match events — retained while the subscription is active; the underlying canonical signal definitions may be retained longer (de-identified) for system caches
  • Enrichment data (decision-maker contacts) — automatically deleted after 12 months, and immediately on opt-out, a deletion request, or account deletion. Stored per-user and application-encrypted; the audit log never stores the contact email. You can opt out or delete this yourself at any time via our opt-out & data-request page
  • Suppression (opt-out) list — we keep a hash-only record of opt-out / objection requests so we don't re-process you; it contains no plaintext name or email
  • CRM tokens — deleted immediately when you disconnect; automatically invalidated if revoked on the CRM side
  • Mailbox tokens — deleted immediately when you disconnect; automatically invalidated if you revoke the OAuth grant from your Google account
  • Outreach audit log — retained while your account is active for compliance and dispute reconstruction; deletable on request alongside other account data
  • Session / security logs (IP, user-agent, login attempts) — retained for up to 30 days for abuse mitigation, then deleted or anonymised
  • Billing & credit-ledger records — retained for 10 years to satisfy German commercial- and tax-record obligations (§ 257 HGB, § 147 AO), independent of account deletion
  • All other data — deleted within 30 days of an account deletion request

11. Security

We protect your data through:

  • Application-level encryption (Fernet / AES-128-CBC + HMAC-SHA256) for OAuth tokens and sensitive credentials; keys stored separately in Google Secret Manager
  • Database encryption at rest (Google Cloud SQL)
  • HTTPS-only transport (TLS 1.2+), managed certificate via Google Cloud Load Balancer
  • Per-user data isolation for contact enrichment results
  • CSRF protection on all state-changing requests
  • Input sanitization to prevent cross-site scripting
  • Bcrypt password hashing with per-user salt
  • Per-user JWT session tokens with 30-day expiry, server-side session revocation on logout / password change
  • Workload Identity Federation for CI/CD — no long-lived service-account keys

12. Your Rights

Under the GDPR you have the right to:

  • Access (Art. 15) — request a copy of your personal data
  • Rectification (Art. 16) — have inaccurate data corrected
  • Erasure (Art. 17) — request deletion of your personal data, subject to legal retention obligations (see §10)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Object (Art. 21) — object to processing based on legitimate interest
  • Withdraw consent (Art. 7(3)) — at any time for any consent-based processing, without affecting the lawfulness of processing before withdrawal
  • Lodge a complaint with the competent supervisory authority. For our establishment in Mannheim, that is:
    Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg
    Lautenschlagerstraße 20, 70173 Stuttgart, Germany
    www.baden-wuerttemberg.datenschutz.de

For opt-out, deletion, and data-access (Art. 15 / 17 / 21) requests you can use our self-service opt-out & data-request page — no account needed, and it works by email or name. You can also exercise any of these rights by contacting us at kontakt@jl-studios.de. We will respond within 30 days (Art. 12(3) GDPR).

13. Changes to this Policy

We may update this policy to reflect changes in our service, applicable law, or third-party processors. Material changes are notified by email to active users and announced on the dashboard at least 14 days before they take effect. The "Last updated" date above always reflects the most recent revision.

14. Contact

For privacy-related requests: kontakt@jl-studios.de
