Privacy Policy

Effective as of November 19, 2023


A. Introduction

Surfsite and our existing affiliates (collectively “Surfsite”, the “Company”, “we”, “us”, “our”) are the controllers with respect to your data. This means that we determine the purpose and manner in which your personal data is processed, as specified in this Data Privacy Policy (hereinafter referred to as the "Policy"). wwwebmarc.com SRL, a limited liability company organized and operating in accordance with Romanian law, sole identification code RO34814968 (hereinafter referred to as “Company”) is the contact entity for any questions regarding how your personal data is being processed.

This Policy describes how Surfsite collects, uses and discloses information, and what choices you have with respect to your personal data, when you access and use our websites (www.Surfsite.ai), when you access and/or use the Surfsite app, and during any other interaction (e.g., customer service inquiries, user conferences, authentication page etc.) you may have with Surfsite (collectively the “Services”). If you do not agree with the terms of this Privacy Policy, do not access or use the Services.

The document explains the personal data we collect from you as a user (“You”, “User” or “Customer”), how and where we may use it, how we protect it, who has access to it, with whom we share it, and how you may correct it. Our goal is to ensure information and network security by providing quality products and services while also respecting privacy and personal data of website visitors, customers, suppliers, business partners, employees and other individuals. This Privacy Policy also documents the responsibilities of Surfsite business departments and employees and contractors while processing personal data.

For this purpose, we collect only that personal data absolutely necessary for the specified purposes, on a best efforts basis. We do not sell your data. For the collected information and data, we strive to apply adequate solutions to pseudonymize it.

Surfsite cares about protecting your right to privacy and we are committed to implementing the personal data protection standard imposed by the General Data Protection Regulation adopted by the European Parliament and the European Council on 27 April 2016 (hereinafter referred to as the "GDPR").

 

B. Definitions

The following definitions of terms used in this Policy are drawn from and coordinated with Article 4 of the GDPR and are presented for informational purposes:

 

  1. Personal Data

    Any information relating to an identified or identifiable natural person (the “Data Subject“) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  2. Sensitive Personal Data

    Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

  3. Data Controller

    The natural or legal person, public authority, agency or any other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.

  4. Data Processor

    A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.

  5. Processing

    An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.

  6. Anonymization

    Irreversibly de-identifying personal data such that the person cannot be identified.

  7. Pseudonymization

    The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

  8. Cross-border processing of personal data

    Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;

 

C. Personal information we collect

We collect personal information relating to you (“Personal Information”) as follows:

 

  1. Personal Information You Provide

    We collect Personal Information if you create an account to use our Services or communicate with us as follows:

    • Account Information: When you create an account with us, we will collect information associated with your account, including your name, contact information and account credentials, (collectively, “Account Information”).
    • User Content: When you use our Services, we collect Personal Information that is included in the input or feedback that you provide to our Services (“Content”).
    • Communication Information: If you communicate with us, we collect your name, contact information, and the contents of any messages you send (“Communication Information”).
    • Social Media Information: We have pages on social media sites like Instagram, Facebook and LinkedIn. When you interact with our social media pages, we will collect Personal Information that you elect to provide to us, such as your contact details (collectively, “Social Information”). In addition, the companies that host our social media pages may provide us with aggregate information and analytics about our social media activity.
    • Other Information You Provide: We collect other information that you may provide to us, such as when you participate in our events or surveys or provide us with information to establish your identity (collectively, “Other Information You Provide”).

  2. Personal Information We Receive Automatically From Your Use of the Services

    When you visit, use, or interact with the Services, we receive the following information about your visit, use, or interactions (“Technical Information”):

    • Log Data: Information that your browser or device automatically sends when you use our Services. Log data includes your Internet Protocol address, browser type and settings, the date and time of your request, and how you interact with our Services.
    • Usage Data: We may automatically collect information about your use of the Services, such as the types of content that you view or engage with, the features you use and the actions you take, as well as your time zone, country, the dates and times of access, user agent and version, type of computer or mobile device, and your computer connection.
    • Device Information: Includes name of the device, operating system, device identifiers, and browser you are using. Information collected may depend on the type of device you use and its settings.
    • Cookies: We use cookies to operate and administer our Services, and improve your experience. A “cookie” is a piece of information sent to your browser by a website you visit. You can set your browser to accept all cookies, to reject all cookies, or to notify you whenever a cookie is offered so that you can decide each time whether to accept it. However, refusing a cookie may in some cases preclude you from using, or negatively affect the display or function of, a website or certain areas or features of a website. For more details on cookies, please visit All About Cookies.
    • Analytics: We may use a variety of online analytics products that use cookies to help us analyze how users use our Services and enhance your experience when you use the Services.

 

D. How we use personal information

We may use Personal Information for the following purposes:

  • To provide, administer, maintain and/or analyze the Services;
  • To enhance our services, such as refining the models that drive Surfsite, we may utilize personal data included in the content provided to us. This encompasses all user activities on our platform, including created tasks, implemented suggestions, and written content;
  • To communicate with you, including to send you information about our Services and events;
  • To develop new programs and services;
  • To prevent fraud, criminal activity, or misuses of our Services, and to protect the security of our IT systems, architecture, and networks;
  • To carry out business transfers; and
  • To comply with legal obligations and legal process and to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or other third parties.

 

E. Basic principles regarding personal data processing

The data protection principles outline the basic responsibilities for organizations handling personal data. Article 5(2) of the GDPR stipulates that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

 

  1. Lawfulness, fairness and transparency

    Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

  2. Purpose limitation

    Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

  3. Data minimization

    Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Company must apply anonymization or pseudonymization to personal data if possible to reduce the risks to the data subjects concerned.

  4. Accuracy

    Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.

  5. Storage period limitation

    Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.

  6. Integrity and confidentiality

    Taking into account the state of technology and other available security measures, the implementation cost, and likelihood and severity of personal data risks, the Company must use appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of personal data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized access to, or disclosure. Appropriate technical or organizational measures are to be taken in order to comply with this requirement: such data security measures can include the use of encryption and authentication and authorisation mechanisms.

  7. Accountability

    Data Controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.

 

F. Legal Basis for processing (for EEA Users)

If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have a legal basis for doing so under applicable EU laws. The legal basis depends on the Services you use and how you use them. This means we collect and use your information only where:

  • We need that information to provide you the Services, including to operate the Services, provide customer support and personalized features and to protect the safety and security of the Services;
  • It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services and to protect our legal rights and interests;
  • You give us consent to do so for a specific purpose; or
  • We need to process your data to comply with a legal obligation.

If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place.  Where we are using your information because we or a third party (e.g. your employer) have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer using the Services.


G. What analytics tools we use 

In order to understand the navigational trends related to our Services, we use third-party analytics tools which collect information which your browser sends when you visit our web page. Here are tools which we use and information about their privacy policies:

 

  1. Mailchimp uses the information collected according to its privacy policy, which also contains indications on how to unsubscribe
    https://legal.hubspot.com/privacy-policy
  2. CookieBot uses the information collected according to its privacy policy, which also contains indications on how to unsubscribe
    https://www.cookiebot.com/en/privacy-policy/
  3. Posthog uses information collected according to its privacy policy, where you can also find opt-out information
    https://posthog.com/privacy
  4. SendGrid uses information collected according to its privacy policy, where you can also find opt-out information
    https://www.twilio.com/en-us/legal/privacy
  5. LogRocket uses information collected according to its privacy policy, where you can also find opt-out information
    https://logrocket.com/privacy/
  6. Cookies - we are using cookies, a small software file stored temporarily or placed on the hard drive of your device in order to allow a web server to identify your device and the web browser you use, in order to recognize you when you are visiting the site again. Cookies may also store preferences or other information about you. For more information please visit our Cookies Policy.

 

H. How we share information we collect and who has access to personal data. 

  1. Internally & with affiliated companies 

    We share information we collect internally within Surfsite, e.g. with the Product Development team, Support team, Marketing team, Sales & Business Development, and with affiliated companies and, in some cases, with prospective affiliates. Affiliated companies are companies owned or operated by us. The protections of this privacy policy apply to the information we share in these circumstances.

  2. Managed accounts and administrators

    If you register or access the Services using an email address with a domain that is owned by your employer or organization or associate that email address with your existing account, and such organization wishes to establish an account or site, certain information about you including your name, profile picture, contact info, content and past use of your account may become accessible to that organization’s administrator and other Service Customers sharing the same domain.  If you are an administrator for a particular site or group of Customers within the Services, we may share your contact information with current or past Service Customers, for the purpose of facilitating Service-related requests.

  3. With third-party service providers

    We work with third-party service providers (e.g. advertising, market research) to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, analysis and other services for us, which may require them to access or use information about you.

  4. With third-party products

    We work with third parties who provide consulting, sales, support, and technical services (e.g. Hubspot, WebSurfsite, CookieBot, Hotjar, Miro) to deliver and implement customer solutions around the Services. We may share your information with these third parties in connection with their services, such as to provide localized support, and to provide customizations. We may also share information with these third parties where you have agreed to that sharing of information. 

  5. With third-party widgets

    Some of our Services may contain widgets and social media features, such as the Facebook "like" button or the LinkedIn "applause" button. These widgets and features may collect your IP address, which page you are visiting on the Services, and may set a cookie to enable the feature to function properly. Widgets and social media features are either hosted by a third-party or hosted directly on our Services. You should always check the privacy settings and notices in these third-party services to understand how those third-parties may use your information.

  6. With your consent

    We share information about you with third parties when you give us consent to do so. For example, we can display personal testimonials of satisfied customers on our public websites. With your consent, we may post your name alongside the testimonial.

  7. Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights

    In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements, (b) enforce our agreements, policies and terms of service, (c) protect the security or integrity of our products and services, (d) protect Surfsite, our customers or the public from harm or illegal activities, or (e) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.

     

I. How we store and secure personal data 

  1. Storage and security 

    We use industry standard technical and organizational measures to secure the information we store. While we implement safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that information, during transmission through the Internet or while stored on our systems or otherwise in our care, is safe from intrusion by others.

    If you use your server or data center, responsibility for securing storage and access to the information you put into the Services rests with you and not with Surfsite. We strongly recommend that server or data center users configure SSL to prevent interception of information transmitted over networks and to restrict access to the databases and other storage points used.

  2. Duration of storage

    How long we keep information we collect about you depends on the type of information, as described in further detail below. 

     

    • We retain your account information for as long as your account is active and a reasonable period thereafter in case you decide to re-activate the Services. We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services.
    • For marketing purposes, if you have elected to receive marketing emails from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our Services. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.
    • For solving technical problems you reported: we store the information until we solve the issue you reported and we close the ticket within our support department. 

 

After such time, we will either delete or de-identify your information or, if this is not possible, then we will securely store your information and isolate it from any further use until deletion is possible.


J. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.


K. Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.


L. Personal data rights

According to the GDPR, Data Subjects have the right of access to data, rectification, erasure, restriction of processing, objection to processing and the right to data portability, as follows:

 

  1. Request access to your personal data.

    This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

  2. Request correction of your personal data.

    This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

  3. Request erasure of your personal data.

    This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.

  4. Request restriction of processing your personal data.

    This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

  5. Object to processing of your personal data.

    You may object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms.

  6. Right to withdraw consent.

    Where we are relying on consent to process your personal data, you may withdraw that consent. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

 

To exercise these rights, you may send a written request, dated and signed, to the above-mentioned Trencadis headquarters or via email to the data protection officer at dpo@Surfsiteos.com.

 

You also have the right to lodge a complaint with a competent supervisory authority on data protection.

 

M. Fair processing guidelines 

  1. Notices to data subjects

    At the time of collection or before collecting personal data for any kind of processing activities including but not limited to selling products, services, or marketing activities, the Company is responsible to inform data subjects of the following: the types of personal data collected, the purposes of the processing, processing methods, the data subjects’ rights with respect to their personal data, the retention period, potential international data transfers, if data will be shared with third parties and the Company’s security measures to protect personal data. All such information is provided through this Policy.

  2. Obtaining consents

    Whenever personal data processing is based on the Customer’s consent, the Company is responsible for retaining a record of such consent. The Company is responsible for providing data subjects with options to provide the consent and must inform and ensure that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time.
    When requests to correct, amend or destroy personal data records are received, the Company must ensure that these requests are handled within a reasonable time frame. The Company must also record the requests and keep a log of these.
    Personal data must only be processed for the purpose for which they were originally collected. In the event that the Company wants to process collected personal data for another purpose, the Company must seek the consent of its data subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s).

 

N. Guidelines for establishing the lead supervisory authority 

Whether acting as a controller or as a processor, Surfsite will have as a lead supervisory authority the Romanian Data Processing Authority (anspdcp@dataprotection.ro) or any other relevant data protection agency in a state where Surfsite operates (including but not limited to the US or other EU country).


O. Response to personal data breach incidents 

When the Company learns of a suspected or actual personal data breach, it must perform an internal investigation and take appropriate remedial measures in a timely manner. Where there is any risk to the rights and freedoms of data subjects, the Company must notify the Romanian Data Processing Authority or for that matter, any other relevant data protection agency without undue delay and, when possible, within 72 hours after having become aware of the personal data breach.


P. Contact details 

Customers can raise questions in relation to their rights or address any questions in relation to this Policy by:


Email: contact@surfsite.ai


Each request will be reviewed as soon as possible, but no later than 30 days since its submission.


Q. Disclaimers. Publications date 

This Privacy Policy has been adopted on the date mentioned in the title of the document and will be modified each time it is necessary without prior or future notice of the changes. If you use the Services after any such modification or update to this Policy, you consent to those modifications or updates. Modifications will not be applied retroactively. The new version will enter into force when published on the website and it will be marked accordingly.

© Copyright Surfsite 2024