Privacy Policy
Last updated: December 10, 2025
Privacy-First Commitment
SurfMind is designed with privacy at its core. Our architecture ensures that your conversations with AI remain private between you and your chosen AI provider, with SurfMind serving only as a secure bridge to enhance your browsing experience.
1. Introduction
SurfMind (hereinafter referred to as "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our services, including our browser extensions and related platforms (collectively referred to as the "Services"). By using the Services, you consent to the practices described in this Privacy Policy.
2. Information We Collect
2.1 Personal Information
Account Information: When you create an account, we collect your email address and authentication information. This information is necessary to provide the Services, manage your subscription, and communicate with you about your account.
Subscription and Payment Information: When you subscribe to our paid services, we collect subscription details including your plan type, token usage, and payment status. Payment processing is handled by third-party providers (such as Stripe), and we do not store your credit card information.
Support Communication Information: If you contact us through email, chat, or other communication channels, we will collect the information you provide, including your name, contact details, and the content of your inquiries.
2.2 Usage Data (when using SurfMind tokens)
If you use SurfMind tokens, we collect usage metadata to manage your token balance and billing:
- AI model selected (e.g., GPT, Claude, Gemini)
- Timestamp of request
- Token cost for billing calculation
2.3 Non-Personal Information
Analytics and Performance Data: We use analytics tools to collect non-personal information about the performance of the Services, such as extension load times, error rates, and feature usage patterns. This information helps us improve the quality and performance of the Services.
Device and Connection Information: We collect information about your device, such as the browser type, browser version, operating system, and extension version. This information is used to optimize the Services for your device and to provide a seamless user experience.
3. How We Use Your Information
3.1 Provide and Improve the Services
We use the information we collect to:
- Authenticate your account and provide access to the Services
- Manage your subscription, token balance, and billing
- Route your AI requests to the appropriate providers
- Track usage for billing and to prevent abuse
- Maintain and enhance the functionality of the SurfMind extension
- Ensure compatibility across different browser environments
- Identify areas for improvement and develop new features
We use your usage information to understand how you interact with the Services while maintaining our commitment to privacy-first design principles. We do not sell this information to third parties.
3.2 Communication
We may use your contact information to send you important updates, announcements, and administrative messages related to the Services, such as service changes, security alerts, and legal notices.
4. Local Data Processing and Third-Party AI Providers
4.1 Processing Architecture: Your Choice, Your Privacy
Website content is extracted and processed locally within your browser using client-side technologies. This happens the same way regardless of which option you choose.
Option 1: Using Your Own API Keys
- Your API keys are stored locally in your browser only (using secure browser storage)
- When you send a request, it goes directly from your browser to the AI provider (OpenAI, Anthropic, Google)
- The SurfMind backend is not involved: we never see your API keys, prompts, or responses
Option 2: Using SurfMind Tokens
When you use SurfMind tokens, our backend handles authentication and billing. Specifically, we:
- Verify your authentication and active subscription
- Route your request to the chosen AI provider on your behalf
- Log metadata (model, timestamp, token cost) for billing
4.2 Third-Party AI Provider Integration
Your conversations with AI models are transmitted to your chosen AI provider (OpenAI, Anthropic, Google). The privacy practices of these third-party AI providers are governed by their respective privacy policies.
Each AI provider maintains its own data retention, usage, and privacy practices. We recommend reviewing their terms of service and privacy policies to understand how your data is handled by these third-party services.
5. Data Sharing and Disclosure
5.1 Third-Party Service Providers
We may share limited information with third-party service providers who assist us in operating the Services. These service providers are contractually obligated to protect your personal information and use it only for the purposes for which it was shared.
Such service providers may include:
- Payment processors (e.g., Stripe) for subscription management and billing
- Database providers for storing account and usage information
- Analytics platforms for extension performance monitoring
- Error tracking services for debugging purposes
- Customer support platforms for handling inquiries
In all cases, we ensure that these providers adhere to strict data protection standards and use data only as necessary to provide their specific services. We do not sell your personal information to any third party.
5.2 Legal Requirements
We may disclose your personal information if required to do so by law, regulation, or legal process, such as a court order, subpoena, or government investigation. We may also disclose your information to protect our rights, property, or safety, or the rights, property, or safety of others.
6. Data Security
We implement reasonable security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction. These security measures include physical, technical, and administrative safeguards, such as encryption protocols, secure coding practices, access controls, and security audits.
Specific security measures include:
- Encryption of data in transit using industry-standard protocols
- Secure development practices and regular code reviews
- Regular security assessments and vulnerability testing
- Compliance with browser extension security standards
However, no security system is 100% secure, and we cannot guarantee the absolute security of your personal information. We encourage users to take appropriate measures to protect their own data, including using secure API keys and following best practices for browser security.
7. Data Retention
We will retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including for the establishment, exercise, or defense of legal claims, and in accordance with applicable laws and regulations.
8. GDPR Compliance and User Rights
We are committed to complying with the General Data Protection Regulation (GDPR) in the European Union and similar data protection laws worldwide. If you are a resident of the European Economic Area (EEA), the United Kingdom, or other jurisdictions with applicable data protection laws, you have certain rights regarding your personal information.
Your rights include:
- Right of Access: Request access to the personal information we have about you
- Right of Rectification: Request correction of inaccurate or incomplete personal information
- Right of Erasure: Request deletion of your personal information under certain circumstances
- Right to Restrict Processing: Request limitation of processing of your personal information
- Right to Data Portability: Request a copy of your personal information in a structured, machine-readable format
- Right to Object: Object to processing of your personal information for certain purposes
- Right to Withdraw Consent: Withdraw previously given consent for data processing
To exercise these rights, please contact us using the information provided in the "Contact Us" section below. We will respond to your request within 30 days in accordance with applicable data protection laws.
9. Do Not Sell Personal Information
We do not sell your personal information to third parties for monetary consideration. However, as described in the "Data Sharing and Disclosure" section above, we may share your information with third-party service providers and in certain legal circumstances, always in accordance with the terms outlined in this Privacy Policy.
10. International Data Transfers
If you access or use our Services from outside the United States, your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. We ensure that appropriate safeguards are in place for such transfers in accordance with applicable data protection laws.
For transfers to countries that do not provide an adequate level of data protection, we implement appropriate safeguards such as standard contractual clauses or other legally recognized transfer mechanisms to protect your personal information.
11. Children's Privacy
The Services are not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete the information as soon as possible.
If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately using the contact information provided below so that we can take appropriate action.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or industry standards. When we make changes to this Privacy Policy, we will post the updated version on our website and indicate the date of the last update.
For significant changes that materially affect your privacy rights, we will provide additional notice through the extension interface or via email if we have your contact information. Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact us at:
Email: wave@surfmind.ai
Subject Line for Privacy Inquiries: "Privacy Policy Inquiry"