Privacy Policy

Surfient is a product of Onviqa Inc. (registered at 11651 157th ST 2G, Jamaica, NY 11434, USA). When this policy says "we," "us," or "Surfient," we mean Onviqa Inc. operating the Surfient product.

This policy describes how Surfient collects, uses, and protects personal data when:

• you visit surfient.com (marketing website);
• you install or use the Surfient Shopify app from a store you administer;
• you contact us, sign up for the newsletter, or run a free GEO audit.

It does not cover the behaviour of shoppers on your Shopify storefront — that's your store's privacy policy, not ours. We never receive or process shopper PII.

We collect only what we need to deliver the service:

• Merchant account data: name, email, store domain, Shopify user ID, billing plan, usage metrics.
• Catalog metadata: product titles, descriptions, attributes, images, collections, pages, blog articles, storefront metafields, theme templates. This is the data we index for AI discoverability.
• Site telemetry: Plausible page views (cookieless), PostHog product events keyed to merchant ID (anonymous user IDs, no fingerprinting), Sentry error traces.
• Marketing interactions: newsletter sign-ups, free-score submissions, contact form messages. We store the SHA-256 of your IP plus a salt — not the raw IP — for rate-limiting only.

We never collect: shopper orders, customer addresses, payment card data, or any PII belonging to your end customers. If you see Shopify asking you to authorise scopes like read_customers or read_orders, that's not Surfient — report it.

Legal basis for processing (GDPR Article 6):

• Contract (6(1)(b)): running the Shopify app, generating audits, storing fixes, sending transactional emails.
• Legitimate interests (6(1)(f)): product analytics via PostHog, crash telemetry via Sentry, security monitoring. You can opt out of PostHog via the cookie banner.
• Consent (6(1)(a)): the GEO newsletter. One-click unsubscribe in every message.
• Legal obligation (6(1)(c)): tax, accounting, lawful government requests.

We do not build advertising profiles of merchants. We do not train third-party AI models on your catalog, and no subprocessor may either — this is enforced in every subprocessor agreement.

We do not sell personal data. We share it only:

• with subprocessors who host or operate parts of the service — see §8 for the full list;
• with Onviqa Inc. internal teams (engineering, support, finance, legal) under the same confidentiality obligations as staff on the Surfient team;
• with a successor entity if Onviqa Inc. is acquired or restructured — we'll notify you 30 days before the transfer and you can export/delete your data first;
• with authorities if lawfully compelled. We push back on overbroad requests and publish an annual transparency report.

Retention is scoped to the purpose:

• Account data: kept for the life of your account and 90 days after cancellation, then deleted unless we're legally required to keep it longer (tax: 7 years, invoices only).
• Catalog snapshots: the current state + a rolling 30-day audit log. Purged 90 days after uninstall.
• Site telemetry: PostHog raw events retained 90 days, then rolled into anonymous aggregates. Plausible retains page views for 24 months per their docs.
• Support messages: 3 years after the thread closes.
• Free-audit submissions: 12 months, so we can show you the delta if you run the same store again.

Regardless of where you live, you can:

• access the data we hold about you (JSON export via admin panel or DSR form);
• rectify data that's inaccurate;
• delete your data (with the exceptions listed in §5);
• port your data to another platform in a machine-readable format;
• object to processing based on legitimate interests;
• withdraw consent for anything processed on that basis (newsletter, analytics).

Submit any of these at /legal/gdpr. We reply within one business day and complete the request within 30 days (GDPR limit). No identity-verification theatre — if the request comes from the email on the account, we trust it.

Our primary data centre is AWS US-East-1 (Virginia). Cloudflare R2 mirrors static assets to Cloudflare's global edge. If you're in the EU, UK, or Switzerland, your data is transferred under:

• the EU Standard Contractual Clauses (2021/914);
• the UK International Data Transfer Addendum for UK-controlled data;
• the Swiss revFADP amendments for Swiss-resident data subjects.

The full DPA is at /legal/dpa — ready to sign; email [email protected] to countersign.

Current subprocessors (as of 2026-04-19):

• AWS (Amazon Web Services, Inc.): hosting, us-east-1.
• Cloudflare: CDN, R2 object storage, Turnstile bot protection.
• Clerk (Clerk.com): admin authentication.
• Resend (Resend.com): transactional email delivery.
• Stripe: billing (Shopify-managed billing for merchants; Stripe only for direct contracts).
• Plausible (Plausible Insights OÜ): cookieless page analytics.
• PostHog (PostHog Inc.): product analytics, EU region.
• Sentry (Functional Software, Inc.): error telemetry.
• OpenAI, Anthropic, Google Gemini: LLM APIs used only for audit text generation. Your catalog is sent in-request and never retained for training (zero-data-retention endpoints).

We give 30 days' notice before adding, changing, or removing any subprocessor via an in-product banner and an email to every account. The full list at any point is the one above.

Every control lives on our security page. Highlights:

• TLS 1.2+ in transit, AES-256 at rest (AWS EBS + RDS + R2).
• Principle-of-least-privilege access to production; staff access through Okta SSO + hardware YubiKeys.
• Backups encrypted, daily retention 30 days, geo-replicated.
• 72-hour breach notification to customers per GDPR Article 33.
• Responsible disclosure at [email protected].

Surfient is a B2B product for Shopify merchants. It isn't designed for, marketed to, or usable by anyone under 16. If you believe we've inadvertently collected data from a child, email [email protected] and we'll delete it immediately.

We review this policy at least annually and whenever we add or remove a subprocessor. Material changes (purpose of processing, data categories, retention) are notified 30 days before they take effect via email to the account owner + an in-product banner. Minor edits (typos, clarifications) are applied silently and visible in the page's "Last updated" stamp.