Privacy Policy
Last updated: November 9, 2025
Introduction
This Privacy Policy explains how R28 Inc. (“we,” “us,” “our”) collects, uses, discloses, and protects personal data when you use SurfBuddy, our consumer product available at surfbuddy.ai (including related apps and features, the “Service”). By using the Service, you acknowledge this Policy.
1. Personal data we collect
A. You provide:
- Account data: name, email, profile details.
- Billing data: payment method and transaction details (processed by our payment processor).
- Inputs & attachments: prompts, messages, files, links, and images you submit.
- Outputs: responses generated for you.
- Feedback & support: ratings, comments, bug reports, surveys, and help requests.
- Preferences: cookie choices, notifications, and other settings.
B. Collected automatically:
- Device/app info: device type, OS, browser, app version, locale, time zone.
- Network/logs: IP address (for security and regional experience), timestamps, error logs, latency, feature flags, rate-limit events.
- Cookies & similar tech: for sign-in, session continuity, preferences, analytics, and safety.
- Server-side fetching: when we validate a link, the destination sees our server IP (not yours).
C. From integrations you authorize (optional): If you connect third-party accounts (e.g., Google Workspace apps or YouTube), we access only the scopes you grant and process that data solely to perform actions you request (e.g., draft/send an email you initiate, read/update a doc you select, create a calendar event you request, summarize a video link you provide). You can disconnect at any time.
Children & sensitive data: SurfBuddy is not for children under 13 (or 16 where required). Please don’t submit regulated sensitive data (e.g., health/financial under specialized regimes) unless we’ve agreed in writing.
2. How we use personal data
- Provide & operate SurfBuddy features you request.
- Secure & protect the Service (fraud/abuse detection, rate-limit enforcement, incident response).
- Maintain & improve performance, fix bugs, and develop new features.
- Communicate service messages and product updates; marketing only where permitted (you can opt out).
- Process payments and manage subscriptions.
- Comply with law and handle disputes.
- Research/analytics on de-identified or aggregated data.
Model training & providers
- We do not train our own models on your Inputs or Outputs by default.
- Content flagged for safety/abuse may be reviewed to improve enforcement.
- If you explicitly submit feedback and opt in where offered, we may use it for improvements.
- When you invoke AI features, necessary Inputs/context are sent to third-party inference providers to generate Outputs. Where controls exist, we endeavor to disable provider training/retention, but providers’ policies apply.
3. How we share personal data
We do not sell personal data and we do not process personal data for targeted advertising.
- Service providers (processors): hosting, storage, AI inference, auth, payments, observability, support, analytics—only as needed under contract.
- Integrations you choose: shared at your direction to complete the action you requested; subject to the third party’s policies.
- Affiliates; business transfers; legal/safety disclosures where required.
- With your consent: where you direct us to share.
Google API Services — Limited Use (if you connect Google):
- Used only to provide user-facing features you request.
- No ads; not sold; not used to train generalized AI/ML.
- No human review except with your consent, to comply with law, or for security/abuse investigations.
- You can disconnect anytime; we revoke tokens.
4. Retention
We retain personal data only as long as necessary to provide the Service and for legitimate purposes (security, backups, compliance, accounting), then delete or de-identify it.
- Conversations/files: persist until you delete them or close your account.
- Logs/telemetry: kept for limited periods.
- Billing records: retained as required by law. Residual copies may remain briefly in backups.
5. Security
We use industry-standard administrative, technical, and organizational safeguards (e.g., encryption in transit, access controls, secrets management, audit logging, vulnerability management). No system is perfectly secure; please protect your devices and credentials and be mindful of what you share.
6. Your rights and choices
Subject to your jurisdiction and verification, you may request: access/portability, deletion, correction, objection/restriction, and withdrawal of consent (where applicable). We don’t “sell” personal data or “share” it for cross-context behavioral advertising under US state laws.
In-product controls: export/delete conversations, disconnect integrations, and manage notifications/cookies.
How to exercise rights: email privacy@r28.ai (or support@r28.ai) and we’ll respond within applicable timelines. You may appeal a denial by replying to our decision.
7. Jurisdiction-specific disclosures
EEA/UK (GDPR):
- Controller: R28 Inc.
- Bases: Contract (provide SurfBuddy), Legitimate Interests (security, improvement), Legal Obligation, Consent (marketing/optional features).
- Transfers: We use safeguards (e.g., SCCs) for transfers outside the EEA/UK. You may complain to your DPA.
United States (state privacy laws):
- We do not sell personal data or process it for targeted advertising. You may submit access/correction/deletion and appeal requests.
Australia:
- You may request access/correction. If unsatisfied, you can complain to the OAIC.
8. Privacy policy changes
We may update this Policy. We’ll post a new “Last updated” date and provide additional notice where required. Continued use after changes take effect indicates acceptance.
9. Contacting us
We encourage you to contact us at legal@r28.ai if you have any questions about this Privacy Policy.
R28 Inc. is responsible for SurfBuddy at surfbuddy.ai.