Privacy Policy
Surf & Scale Chat
Effective Date: October 2024
Last Updated: May 2026
Surf and Scale Consulting ("Surf & Scale," "we," "us," or "our") operates the Surf & Scale Chat platform, accessible at chat.surfandscale.com. This Privacy Policy describes how we collect, use, store, and protect personal information from two groups of users:
- Clients (also called "tenants"): Businesses that subscribe to Surf & Scale Chat and manage AI chat assistants through our portal.
- End Users (also called "visitors"): Individuals who interact with the AI chat widget embedded on a Client's website or social media channel.
By using our platform in any capacity, you agree to the practices described in this Privacy Policy.
1. Information We Collect
1.1 Information from Clients
When you register for a Surf & Scale Chat account or subscribe to a plan, we collect:
- Account information: Name, email address, password (stored as a bcrypt hash, never in plain text), and business name.
- Billing information: Payment details are collected and processed by Stripe, our third-party payment processor. We store your Stripe customer ID and subscription ID but do not store credit card numbers, bank account numbers, or other sensitive financial data on our servers.
- Business content: Website URLs submitted for scraping, uploaded knowledge base documents (PDFs, text files, CSVs), FAQ entries, shortcut responses, and custom AI instructions you provide to configure your assistant.
- Integration credentials: When you connect third-party services (Google Calendar, Microsoft Outlook, Calendly, Cal.com, HubSpot, GoHighLevel, Zoho, or a custom webhook), the API keys and OAuth tokens you provide are encrypted using AES-256 encryption before storage. We never store these credentials in plain text.
- Usage data: Message counts, page scrape counts, agent counts, and billing cycle usage tracked monthly.
1.2 Information from End Users
When a visitor interacts with the AI chat widget on a Client's website, we may collect:
- Lead capture data: Name, email address, and phone number, if the visitor voluntarily provides this information through the pre-chat form or during conversation.
- Conversation content: The text of messages exchanged between the visitor and the AI assistant, including any personal information the visitor includes in their messages.
- Session data: A randomly generated session identifier stored in the visitor's browser localStorage to maintain conversation continuity. This is not a tracking cookie and is not shared with any third party.
- Technical data: The communication channel used (web, Facebook Messenger, Instagram, WhatsApp) and timestamp of messages.
We do not collect IP addresses of end users through the chat widget. We do not use cookies in the chat widget.
1.3 Information Collected Automatically
When Clients access the portal, standard web server logs may record IP addresses, browser type, and pages visited. This data is used solely for security monitoring and troubleshooting.
2. How We Use Information
2.1 Client Information
We use Client information to:
- Provide, maintain, and improve the Surf & Scale Chat platform.
- Process subscriptions and billing through Stripe.
- Enforce plan limits (message quotas, page scraping limits, agent limits).
- Send service-related communications (account notifications, billing alerts, security notices).
- Provide technical support.
2.2 End User Information
We use End User information to:
- Deliver AI-powered chat responses using the Client's configured knowledge base and instructions.
- Capture and store leads on behalf of the Client.
- Book calendar appointments on behalf of the Client when calendar integration is active.
- Sync contact information to the Client's connected CRM when CRM integration is active.
Important: End User data collected through the chat widget is processed on behalf of the Client. The Client is the data controller for their end users' personal data. We act as a data processor. Clients are responsible for informing their own website visitors about the use of AI chat technology and for maintaining their own privacy policies that disclose the use of Surf & Scale Chat.
3. AI Processing Disclosure
Surf & Scale Chat uses artificial intelligence to generate responses to End User questions. When a visitor sends a message through the chat widget:
- The message is compared against the Client's configured shortcut responses. If a match is found, the pre-written response is returned without any AI processing.
- If no shortcut match is found, the message is processed through our retrieval-augmented generation (RAG) pipeline. The visitor's message is converted into a numerical representation (embedding) using the Jina Embeddings API to find relevant information from the Client's knowledge base.
- The visitor's message, along with relevant knowledge base excerpts and the Client's custom instructions, is sent to a large language model hosted by OpenRouter (currently Qwen models by Alibaba) to generate a response.
- If the primary AI provider is unavailable, a fallback provider (MiniMax) may be used.
AI outputs are generated text and may contain inaccuracies. The AI assistant is configured to answer only from the Client's provided knowledge base and to avoid fabricating information. However, no AI system is perfectly reliable. End Users should not treat AI responses as professional, legal, medical, or financial advice.
We do not use End User conversation data to train AI models. Conversation data is processed solely to generate responses within the context of the specific Client's chat assistant.
4. Third-Party Service Providers
We use the following third-party services to operate the platform:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Client billing details (managed by Stripe) |
| OpenRouter | AI model routing | Chat messages and knowledge base context (for response generation) |
| Jina AI | Text embeddings | Knowledge base text and visitor messages (converted to numerical vectors) |
| MiniMax | Fallback AI provider | Chat messages and context (only when primary provider is unavailable) |
| Google (Calendar API) | Calendar integration | Appointment data (when Client connects Google Calendar) |
| Microsoft (Graph API) | Calendar integration | Appointment data (when Client connects Outlook) |
| Meta (Business Suite API) | Social messaging | Messages from Facebook and Instagram (when Client connects their page) |
| SMTP (Google Workspace) | Email notifications | Recipient email addresses and notification content |
Each of these providers maintains their own privacy policies. We encourage you to review them.
When Clients connect their own CRM (HubSpot, GoHighLevel, Zoho, or a custom webhook), lead data is transmitted to those services under the Client's own account and subject to that provider's privacy policy. We facilitate the connection but do not control how the CRM provider handles the data.
5. Data Storage and Security
- All data is stored on a virtual private server hosted by Hostinger, located in a data center with physical and network security controls.
- The platform is served over HTTPS with SSL/TLS encryption for all data in transit.
- Client integration credentials (API keys, OAuth tokens) are encrypted at rest using AES-256 encryption.
- Passwords are hashed using bcrypt and are never stored or transmitted in plain text.
- Access to the server and database is restricted to the platform owner via SSH key authentication.
- The database uses SQLite with file-level access controls.
We implement reasonable administrative, technical, and physical safeguards to protect personal information. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.
6. Data Retention
- Client account data is retained for as long as the Client maintains an active account. Upon account termination, Client data (including tenant configuration, knowledge base content, and conversation history) will be retained for 30 days to allow for account recovery, after which it will be permanently deleted.
- End User conversation data is retained for as long as the Client's account is active. Clients may request deletion of specific conversations or leads through the portal or by contacting us.
- Billing records are retained as required by applicable tax and financial regulations.
7. Data Sharing
We do not sell, rent, or trade personal information to third parties for marketing purposes.
We may share personal information in the following limited circumstances:
- With service providers listed in Section 4, solely to operate the platform.
- With a Client's connected integrations (CRM, calendar), as directed by the Client.
- To comply with legal obligations, such as in response to a valid subpoena, court order, or government request.
- To protect rights and safety, if we believe disclosure is necessary to protect the rights, property, or safety of Surf & Scale, our Clients, or others.
- In a business transfer, if Surf & Scale is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users of any change in ownership or control.
8. Your Rights
8.1 All Users
You may:
- Access the personal information we hold about you.
- Correct inaccurate personal information.
- Delete your personal information, subject to our retention obligations.
- Object to processing of your personal information in certain circumstances.
To exercise any of these rights, contact us at the address listed in Section 12.
8.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You may request that we delete the personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To submit a CCPA request, contact us at the address listed in Section 12. We will verify your identity before processing any request.
8.3 European Economic Area Residents (GDPR)
If you are located in the European Economic Area, our legal bases for processing your personal information are:
- Contract performance: Processing necessary to provide the services you have requested.
- Legitimate interests: Processing necessary for our legitimate business interests (security monitoring, service improvement), where those interests are not overridden by your rights.
- Consent: Where you have given explicit consent (for example, when voluntarily providing lead capture information through the chat widget).
You have additional rights including the right to data portability and the right to lodge a complaint with your local data protection authority.
9. Client Responsibilities
Clients who embed the Surf & Scale Chat widget on their websites are responsible for:
- Informing their website visitors that an AI-powered chat assistant is in use.
- Updating their own privacy policies to disclose the collection of visitor data through the chat widget, including names, email addresses, phone numbers, and conversation content.
- Obtaining any necessary consents from their visitors as required by applicable law, including GDPR consent where required.
- Ensuring that any data they upload to the knowledge base (documents, FAQs, text) does not contain personal information of third parties without proper authorization.
We recommend that Clients add a disclosure similar to the following to their own privacy policies:
"This website uses Surf & Scale Chat, an AI-powered chat assistant, to answer visitor questions and capture inquiries. When you use the chat feature, your name, email address, and messages may be collected and processed. For more information, refer to the Surf & Scale Chat Privacy Policy at [URL]."
10. Children's Privacy
Surf & Scale Chat is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child under 16, please contact us immediately, and we will take steps to delete that information.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify Clients by email or through the portal dashboard. The "Last Updated" date at the top of this policy reflects the most recent revision.
Continued use of the platform after changes are posted constitutes acceptance of the revised Privacy Policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
Surf and Scale Consulting
Email: ride@surfandscale.com
Website: https://surfandscale.com