Privacy Policy
Last updated: February 27, 2026
Surfbot is built on the principle that we should only collect what we absolutely need. We scan external, publicly accessible data on your behalf. We do not require agents, network access, or credentials.
What We Collect
- Account information: Email address, name, and organization name when you sign up.
- Domain configuration: The domains you add to Surfbot for monitoring.
- Scan results: Publicly accessible information about your domains (assets, vulnerabilities, technologies).
- Usage data: Feature usage, API calls, and session data for product improvement.
What We Do Not Collect
- Network traffic from inside your environment
- Internal system data or logs
- User credentials or private keys
- Personal data beyond what is listed above
Legal Basis for Processing
We process your personal data under the following legal bases (Article 6 GDPR):
- Contract performance (Art. 6(1)(b)): Processing your account information and domain configuration is necessary to provide the Surfbot service you signed up for.
- Legitimate interest (Art. 6(1)(f)): We process usage data to improve product quality, ensure security, and prevent abuse. We balance this against your rights and only collect what is proportionate.
- Consent (Art. 6(1)(a)): Where required (e.g., marketing emails, optional cookies), we obtain your explicit consent, which you may withdraw at any time.
Your Rights
If you are in the European Economic Area (EEA), United Kingdom, or a jurisdiction with similar data protection laws, you have the following rights:
- Access (Art. 15): Request a copy of the personal data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate data.
- Erasure (Art. 17): Request deletion of your data (“right to be forgotten”).
- Restriction (Art. 18): Request we limit processing of your data.
- Portability (Art. 20): Request your data in a structured, machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interest.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email [email protected]. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.
Cookies and Tracking
Surfbot uses the following categories of cookies and similar technologies:
| Category | Purpose | Examples | Duration |
|---|---|---|---|
| Essential | Authentication, security, session management | Session cookies, CSRF tokens | Session / 30 days |
| Analytics | Product improvement, usage patterns | PostHog | Up to 1 year |
| Marketing | N/A — we do not use marketing cookies | — | — |
You can manage cookie preferences through your browser settings. Essential cookies cannot be disabled as they are required for the service to function.
For users in the EEA/UK, non-essential cookies are only set after you provide consent via our cookie banner.
International Data Transfers
Surfbot is operated from the United States. If you are located outside the US, your data will be transferred to and processed in the US.
For transfers from the EEA/UK, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
We ensure all sub-processors provide adequate data protection safeguards.
Sub-processors and Third Parties
We share data with the following categories of service providers:
| Provider | Purpose | Data Shared |
|---|---|---|
| Cloud infrastructure (e.g., AWS/GCP) | Hosting and data storage | All service data |
| Payment processor (e.g., Stripe) | Billing | Email, payment info |
| Analytics (e.g., PostHog) | Product analytics | Anonymized usage data |
| Email provider (e.g., Resend) | Transactional email | Email address, name |
We do not sell your personal data to any third party.
A current list of sub-processors is available at surfbot.io/legal/sub-processors, and we will notify you 30 days before adding new sub-processors.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Domain configuration | Duration of account + 30 days |
| Scan results | Duration of plan + 30 days, or as configured |
| Usage/analytics data | 24 months (anonymized after 12 months) |
| Support communications | 3 years |
| Billing records | 7 years (legal/tax requirement) |
You can request deletion at any time by emailing [email protected]. Scan data can also be deleted per domain from your dashboard.
Data Processing Agreement
For customers who require a Data Processing Agreement (DPA) under GDPR Article 28 or similar regulations, we offer a pre-signed DPA.
You can request our DPA at [email protected] or download it at surfbot.io/legal/dpa.
The DPA covers: scope of processing, sub-processor obligations, data breach notification (within 72 hours), audit rights, and data deletion upon termination.
Children's Privacy
Surfbot is not directed to individuals under 16. We do not knowingly collect personal data from children. If we learn we have collected data from a child under 16, we will delete it promptly.
Contact
For privacy questions or data requests, contact us at [email protected].
This policy will be updated as we grow. Significant changes will be communicated via email.
