Privacy Policy
Effective Date: April 25, 2026 | Last Updated: April 25, 2026
SurfTurf.ai ("Company," "we," "us," or "our") operates the SurfTurf.ai platform, an AI-powered commercial real estate portfolio management service available at surfturf.ai ("Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
Note: SurfTurf.ai uses Anthropic's Claude API to process documents you upload to the Service. Please see Section 4 (Third-Party Sharing) for details.
1. Information We Collect
We collect the following categories of information:
a. Account Information
- Name and email address (provided during registration)
- Company name and job title
- Password (stored in hashed form; we never store plaintext passwords)
- OAuth identity token if you sign in via Google, Microsoft, Apple, or Yahoo SSO
b. Uploaded Documents and Customer Data
- Documents, PDFs, and files you upload to the Service for processing (e.g., rent rolls, budget reports, receivables)
- Data extracted or derived from those documents as part of providing the Service
c. Payment Information
- Billing details such as name, billing address, and payment card information are collected and processed by Stripe, Inc., our third-party payment processor. SurfTurf.ai does not store full payment card numbers. Stripe's use of your payment information is governed by Stripe's Privacy Policy.
d. Usage Data
- Log data such as your IP address, browser type, pages visited, and actions taken within the Service
- Device information (device type, operating system)
- Feature usage patterns to help us improve the Service
e. Communications
- Emails or messages you send to us (e.g., support requests, feedback)
2. How We Use Your Information
We use the information we collect for the following purposes:
- To provide and operate the Service — process uploaded documents, display extracted data, manage your account
- To process payments — via Stripe, as described above
- To improve extraction accuracy — analyze aggregated, de-identified usage patterns to improve our AI models and Service performance
- To communicate with you — send transactional emails (receipts, password resets), product updates, and Service announcements
- To ensure security — detect fraud, abuse, and unauthorized access
- To comply with legal obligations — respond to lawful requests from public authorities
We do not use your Customer Data to train AI models or for any purpose other than providing the Service to you.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:
- Contract performance — processing necessary to fulfill our subscription agreement with you
- Legitimate interests — improving the Service, ensuring security, preventing fraud
- Legal obligation — complying with applicable laws
- Consent — for optional communications (you may withdraw consent at any time)
4. Third-Party Sharing and Sub-Processors
We do not sell, rent, or trade your personal data or Customer Data. We share information only as described below:
We may also disclose your information if required by law, court order, or to protect the rights, property, or safety of SurfTurf.ai, our customers, or others.
5. Data Retention
- Uploaded documents: Stored for as long as your account is active, and for up to 30 days after account termination or deletion of the file, after which they are permanently deleted.
- Account information: Retained for the duration of your subscription and for up to 90 days after cancellation to allow for account recovery, then deleted or anonymized.
- Payment records: Retained as required by applicable tax and accounting laws (typically 7 years).
- Usage logs: Retained for up to 12 months for security and service improvement purposes.
6. Your Rights (GDPR — EEA Residents)
If you are located in the EEA, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — request deletion of your personal data, subject to legal retention requirements
- Right to data portability — receive your personal data in a structured, machine-readable format
- Right to restrict processing — request that we limit how we use your data in certain circumstances
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
To exercise any of these rights, contact us at privacy@surfturf.ai. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority.
7. Your Rights (CCPA — California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you, and how we use and share it
- Right to delete — request deletion of personal information we have collected from you, subject to certain exceptions
- Right to opt out of sale — SurfTurf.ai does not sell personal information, so no opt-out is required
- Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
To submit a CCPA request, contact us at privacy@surfturf.ai.
8. Cookies and Tracking
We use the following types of cookies and similar technologies:
- Essential cookies — required for authentication and to keep you logged in (session cookies)
You can control cookie preferences through your browser settings. Disabling essential cookies may prevent you from using parts of the Service.
9. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest for stored documents
- Access controls limiting data access to authorized personnel only
- TOTP two-factor authentication available for all accounts
- OAuth 2.0 / OIDC for SSO sign-in (Google, Microsoft, Apple)
No method of transmission over the Internet is 100% secure. In the event of a data breach that affects your personal data, we will notify you as required by applicable law.
10. International Data Transfers
SurfTurf.ai operates in the United States. If you access the Service from the EEA, your personal data will be transferred to and processed in the U.S. We rely on appropriate transfer mechanisms (including Standard Contractual Clauses where required) to ensure adequate protection of your data in cross-border transfers. To request a copy of applicable transfer safeguards, contact us at privacy@surfturf.ai.
11. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will delete it promptly. If you believe we have inadvertently collected such information, please contact us.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (at the address associated with your account) or by posting a prominent notice on the Service, at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:
© 2026 SurfTurf.ai. All rights reserved.