Privacy Policy

Effective 10 May 2026

Who we are

Surfaced ("we", "us") is operated by Surfaced OÜ, registered in Estonia. Contact: hello@rewrite.ee. We act as the data controller for personal data described below.

What we collect

  • Email address. Used for magic-link sign-in. We never sell or share this with marketers.
  • Display name. Optional, shown in the app and used to personalize your daily briefing.
  • Interests. Role, topics, companies, and avoid lists you provide. Used to rank news and generate briefings.
  • Watchers. Brand, competitor, and topic terms you add to the Monitor tab.
  • Push token. An opaque identifier from Apple/Google so we can deliver your daily briefing notification.
  • Briefings & listening history. Daily generated content stored on our server so you can replay it.
  • Server logs. IP address and basic request metadata, kept for up to 30 days for security and debugging.

We do not use third-party advertising SDKs, behavioral trackers, or analytics that identify you across other apps and websites.

Why we collect it

  • To authenticate you and keep your account secure (lawful basis: contract).
  • To generate and deliver your personalized news briefings (contract).
  • To send the morning push notification you opted into (consent).
  • To detect abuse, fix bugs, and keep the service running (legitimate interest).

Who we share it with (sub-processors)

We use the following processors to deliver the service. Each is bound by a data-processing agreement:

  • OpenAI — generates article summaries, audio briefings, sentiment scores, and trend patterns. Prompts may include your interests and titles/snippets of public news articles. OpenAI does not train on API content per their policy.
  • Firebase Cloud Messaging (Google) — relays push notifications to your device.
  • Apple Push Notification Service — delivers push notifications to iOS devices.
  • Zone Media OÜ (Estonia) — sends magic-link login emails over SMTP.
  • DigitalOcean — hosts the application server (EU region).
  • NewsAPI, Reddit — public news/forum data sources we query on your behalf for the Monitor tab. We send them keywords you defined; they don't receive your identity.

We do not sell personal data and do not transfer it to third parties for advertising purposes.

Where data lives

Application data is stored on a server in the EU (Frankfurt). Backups are kept in the same region. Some sub-processors above (e.g. OpenAI, Firebase) may process data in the United States; transfers rely on Standard Contractual Clauses.

How long we keep it

  • Account & profile — until you delete your account.
  • Briefings & mentions — kept while your account is active so you can replay them.
  • Server logs — up to 30 days, then automatically rotated.
  • Login codes — expire after 10 minutes; consumed codes are removed.

Your rights

Under GDPR (and equivalent laws), you can:

  • Access a copy of your data.
  • Correct inaccurate data — most fields are editable directly in the app.
  • Delete your account. Open the You tab → "Delete account". This permanently removes your profile, briefings, watchers, mentions, and push tokens within 7 days.
  • Object to processing or withdraw consent (turn off push notifications in iOS Settings).
  • Lodge a complaint with the Estonian Data Protection Inspectorate (aki.ee) or your local supervisory authority.

For any of the above, email hello@rewrite.ee and we'll respond within 30 days.

Children

Surfaced is intended for adults. We do not knowingly collect data from anyone under 13.

Security

Traffic is served over HTTPS via Let's Encrypt. Magic-link codes are short-lived and single-use. Authentication tokens are stored in the iOS Keychain on your device. We restrict server access to a small number of operators.

Changes to this policy

We'll update the "effective" date at the top whenever we make changes. Material changes will be communicated in the app or via email before they take effect.

Contact

Surfaced OÜ · Tallinn, Estonia · hello@rewrite.ee