
Privacy Policy

TL;DR

  • We collect only what we need: account info, usage analytics, and payment details (via Stripe).
  • No selling data.
  • Cookies: minimal, for log-in and analytics.
  • GDPR rights: access, fix, delete, export.
  • Delete account → we wipe personal data except what law forces us to keep.

1. Data Controller

Surfnerd B.V., Hoeveneind 60, 4847NG Teteringen, Netherlands. Contact: [email protected].

2. What We Collect & Why

| Category | Examples | Purpose | Legal Basis (GDPR) |
|---|---|---|---|
| Account Data | name, email, password hash | create & secure account | Art 6(1)(b) contract |
| Surf Stats | page views, forecast views, IP, device | improve product, fight fraud | Art 6(1)(f) legitimate interest |
| Payment Data | card last 4, billing address (via Stripe) | process Plus fees, comply with tax law | Art 6(1)(b) & (c) |
| Cookies | session token, analytics cookie | keep you logged in, know what’s popular | Art 6(1)(f) |

OAuth Logins (Google & Apple)

If you choose to log in using Google or Apple, we receive your email address from them. We use this to create and manage your Surfnerd account. We do not access your contacts, calendar, or other data. Authentication is handled via secure OAuth2. Use of these services is subject to the privacy policies of Google and Apple.

3. Retention

We keep account data while you have an account. Backups purge after 30 days. Transaction records stay 7 years for tax compliance.

4. Processors & Sharing

  • Stripe – payments
  • Amazon AWS (Germany & international) via Render.com – hosting
  • Google Cloud Platform via Render.com – hosting
  • Digital Ocean – hosting
  • Plausible self-hosted – analytics

We don’t sell or rent data. We only disclose if the law compels us.

5. International Transfers

Our primary servers are in the EU (Germany), but we may also process or back up data outside the European Economic Area (EEA), including in the United States or other countries. In those cases, we rely on safeguards like Standard Contractual Clauses or adequacy decisions. You may request details via [email protected].

6. Security

TLS everywhere, no passwords (we use email verification), least-privilege access, quarterly pentests.

7. Your Rights

Access, rectify, erase, restrict, object, export. Email us at [email protected]. You can also complain to the Dutch DPA (Autoriteit Persoonsgegevens).

8. Children

Surfnerd is not directed to children under 16. We don’t knowingly collect their data.

9. Changes

We’ll notify you of material changes 14 days in advance via email or banner.

Last updated: 20 June 2025