1. Introduction
Welcome to Surfe (“we,” “us” or “our“). Your privacy is important to us, and we are committed to protecting the personal data we collect, process, and sell.
This Privacy Policy explains how we access, collect, use, share, and protect personal data under applicable data privacy laws such as EU General Data Protection Regulation (GDPR) or other relevant international data protection laws.
This policy applies to:
1. Customers using our services with which we enter into a service agreement;
2. Individuals whose data we collect and sell as part of our services, even if they do not directly use our services.
By using our website, services, or interacting with Surfe, you acknowledge and agree to the practices described in this Privacy Policy.
If you have any questions or wish to exercise your privacy rights, you may contact us at: [email protected].
2. Personal data we process
Surfe processes personal data from various sources. This section details the categories of personal data we process and when we process it:
| Information provided directly by customers | When you subscribe to our services, or contact us, you may provide the following personal data: - Contact information (name, email address, phone number)
- Account information (username, password, company details)
- Billing information (if applicable, for purchasing services)
- Support and inquiry information (when contacting customer support)
- Contact information accessible via your own CRM
|
| Information collected automatically through website interactions | When you visit or interact with our website, we automatically collect certain information through cookies, tracking technologies, and log files, including: - Device information (IP address, browser type, operating system)
- Usage data (pages visited, time spent on site, referring website)
- Tracking data (cookies and tracking pixels for analytics and advertising)
|
| Business contact data (third-party data acquisition) | Surfe purchases and compiles business contact data from publicly available sources and third-party data providers. This data may include: - Name
- Business email address
- Business phone number
- Job title and company name
- Professional social media profiles
- Industry and company details
The data concerned is strictly limited to professional information used in a business environment. No special categories of personal data are processed, and the information involved is generally considered to be of low sensitivity. |
3. How we use personal data
Surfe processes personal data for various business purposes, including providing services and improving our platform. The Finality and legal basis for which we process personal data are outlined below:
| Finality | Capacity | Legal basis |
| Providing and managing our services | - Operate, maintain, and improve our website and services.
- Respond to inquiries, provide customer support, and communicate with users.
- Manage accounts, process transactions, and fulfill service-related obligations.
| - Contractual necessity (to provide requested services and manage accounts).
- Legitimate interests (to improve our services and ensure efficient support).
- Legal obligation (where required for record-keeping and compliance).
|
| Marketing and advertising | - Sending promotional emails and targeted advertisements.
- Personalizing marketing communications based on user interests.
- Tracking and analyzing user engagement with advertisements.
You may opt out of receiving marketing communications at any time by following the opt-out instructions provided in the emails or contacting us directly. | - Consent (for sending electronic marketing communications where required, and for non-essential cookies).
- Legitimate interests (for promoting our services and analyzing engagement to improve effectiveness).
|
| Selling business contact data to customers | Surfe collects and sells business contact data to third parties. This data is used by companies for various purposes including: - Identifying and reaching potential customers.
- Enhancing sales and marketing strategies.
- Improving the accuracy of business contact information.
Please refer to section 5 below to obtain further information on how we process business contact data. | - Contractual necessity (to provide requested services to customers).
- Legitimate interests (to provide requested services to customers).
Please refer to our Legitimate Interests Assessment (LIA) to obtain more information in this respect: https://www.surfe.com/legitimate-interests-assessment/ |
| Security, fraud prevention, and legal compliance | - Detect and prevent fraudulent activities, security threats, and unauthorized access.
- Comply with legal obligations, such as responding to lawful requests from authorities.
- Enforce our terms of service and protect our legal rights.
| - Legitimate interests (to maintain the security and integrity of our services).
- Legal obligation (to comply with applicable laws and regulatory requirements).
|
4. In what capacity do we process personal data
While processing the above personal data, Surfe acts in various capacities as outlined below:
| Finality | Capacity |
| Providing and managing our services | Data processor This applies when Surfe accesses and processes its customers’ already existing data through their databases or CRM, in particular, to enrich said databases and CRM systems. |
| Data controller This applies when Surfe processes data of its customers (personnel, users’ identification and usage data) necessary to monitor and provide the services. |
| Marketing and advertising | Data controller |
| Selling business contact data to customers | Data processor This applies when Surfe collects data exclusively on the instructions of its customer to enrich its already existing database. In this case, we act as a mere intermediary. We do not determine the data to be collected or the use to be made of it. Furthermore, we do not store the data collected but transmit it directly to our customer. |
| Data controller This applies when Surfe collects data on its own behalf for the purpose of building a database that will be useful for future customers. |
| Security, fraud prevention, and legal compliance | Data controller |
A data controller is the natural or legal person, public authority, agency or other body that determines the purposes and the essential means of the processing of personal data, meaning that it decides both why the data is processed and how such processing is carried out.
A data processor acts exclusively on behalf of the data controller and does not process personal data for its own purposes, except in strictly limited circumstances provided for by law. It may process such data only on the basis of the documented instructions of the data controller and within the scope defined by those instructions.
5. Business contact data
This section explains how we collect, use, and share business contact data, as well as how individuals can opt out.
5.1 What is business contact data?
Business contact data refers to professional information relating to individuals acting in a business capacity, which is used by Surfe’s customers primarily for business-to-business (B2B) marketing, prospecting and lead generation purposes. Such data may include, in particular:
- Full name
- Business email address
- Business phone number
- Job title and company name
- Industry and company details
- Office address
- Professional social media profiles
- Other publicly available business-related information
5.2 How we collect business contact data
Surfe collects business contact data from multiple sources, including:
- Publicly available sources: Company websites, professional directories, and publicly accessible social media profiles.
- Third-party data providers: Data aggregation and business intelligence providers that lawfully collect and license business contact information.
- User submissions: Individuals who voluntarily provide their business contact information for networking or promotional purposes.
5.3 How we use business contact data
Surfe does not use the collected business contact data directly (including for personal consumer marketing) but sells said data to its customers mainly for B2B marketing, lead generation, and sales outreach.
In the vast majority of cases, Surfe acts in the capacity of a data processor within the meaning of the GDPR, processing business contact data solely on the documented instructions of its customers acting as data controllers. Surfe does not determine the purposes of the processing carried out by its customers and does not have detailed knowledge of the specific purposes pursued. The customers remain solely responsible for the lawfulness of the processing operations they perform and warrant that their use of the business contact data complies with applicable data protection laws.
Surfe ensures that the business contact data processed is strictly limited to professional information used in a business environment. The impact on privacy is limited, as the processing does not concern private life, confidential information or sensitive personal data.
5.4 Opt-out of business contact data processing and sales
If you decide to object to the processing of your business contact data or wish to remove said data from our records, please fill out the form accessible here: https://www.surfe.com/opt-out-mechanism/. We will process your request as soon as possible.
6. What are your rights as regards our processing of your personal data, how can you exercise them and how can you contact us?
In accordance with Articles 15 to 22 of the GDPR, you have the right under certain circumstances set out in the GDPR:
- to be provided with a copy of any personal data that we hold about you, and receive information about our processing of your personal data;
- to require us to update or correct any inaccurate personal data, or complete any incomplete personal data;
- to object to the processing of your personal data;
- to require us to delete your personal data; and
- to restrict our processing of your personal data.
These rights can be exercised by contacting us at the following email address: [email protected].
If you consider that personal data is processed by Surfe in a manner constituting an infringement of the GDPR, you may file a complaint with the competent supervisory authority (CNIL or any other authority mentioned in the list available at the European Commission).
We strive to respond to all legitimate requests within one month. Sometimes our response may take longer if the request is particularly complex or in case of multiple or incomplete requests. In this case, we will keep you informed and do our best to reduce your waiting time.
7. Cookies and Tracking Technologies
Surfe uses cookies and similar tracking technologies to enhance user experience, analyze website traffic, and support marketing activities. Please refer to our Cookie Policy to obtain more information regarding our use of cookies and how you can take control of said cookies: https://www.surfe.com/cookie-policy/.
8. Security
Surfe attaches particular importance to the security of your personal data, and has been certified ISO27001:2022.
We have taken all necessary precautions to ensure the security and confidentiality of the personal data processed and to prevent it from being distorted, damaged, destroyed, or accessed by unauthorized third parties. All security measures implemented are state-of-the-art and include:
- Encryption protocols to protect personal data during transmission and storage;
- Access to personal data is restricted to authorized personnel only, based on role-based permissions;
- Firewalls, intrusion detection systems, and regular security audits help protect against unauthorized access;
- We collect only the personal data necessary for our business operations and limit retention periods;
- We continuously monitor for security threats and have procedures in place for responding to potential breaches.
9. Data Retention
Personal data is retained for a period that does not exceed the time necessary for the purposes that justify its processing. We retain your personal data for the minimum period required by law, where specified. Where our legitimate interests require a different retention period, the sensitivity of the data, the potential risk, and the security requirements for such data will be taken into account in order to determine the retention period.
In addition, Surfe may need to retain data relating to closed accounts in order to comply with legal requirements, for example for the purposes of fraud prevention or dispute resolution. We try to limit the retention period of personal data as much as possible.
When the retention of your data is no longer necessary for the purposes for which it is retained, we will delete or anonymize your personal data.
10. Data Breaches
Surfe has procedures in place for responding to potential breaches. In the event of a security breach affecting personal data, we will:
- Investigate and contain the incident;
- Notify affected individuals and/or competent supervisory authority (CNIL or any other authority) if required by law; and
- Take corrective measures to prevent future breaches.
11. International data transfers
Surfe endeavours to keep personal data within the European Union to the greatest extent possible.
However, given the global nature of Surfe’s services, personal data may in certain circumstances be transferred outside the European Economic Area. In such cases, Surfe implements all necessary and appropriate safeguards to ensure a level of protection for personal data that is essentially equivalent to that guaranteed within the European Union, including, where applicable, the use of standard contractual clauses adopted by the European Commission.
12. Changes to this Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time in particular to reflect changes in our data practices, legal requirements, or business operations.
In case of material updates to this Privacy Policy (i.e. if we make significant updates that affect how we collect, use, or share personal data) we will notify users by posting a notice on our website and/or sending email notifications to registered customers and users.
In case of minor updates (i.e. if we make clarifications or formatting improvements) no notification will be sent.
You are encouraged to periodically review this Privacy Policy to stay informed about how we handle personal data. Please note that the “Last updated” date at the top of this Privacy Policy indicates when the most recent changes were made.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, you may contact us here: [email protected].
