SurfBuddy LogoSurfBuddy Logo

SurfBuddy Privacy Policy

Last updated: May 9, 2026

This Privacy Policy explains how R28 AI, Inc., a Delaware corporation that operates the SurfBuddy product ("SurfBuddy," "we," "us," or "our"), collects, uses, discloses, and protects personal data when you use the SurfBuddy web application or browser extension (the "Service"). It is incorporated into the SurfBuddy Terms of Service.

R28 AI, Inc. also operates a separate developer platform called R28. R28 has its own privacy notice and is not covered by this Policy.

By creating an account, installing the extension, or using the Service in any other way, you accept this Policy. If you do not agree, do not use the Service.

1. Where the Service is available

The Service is offered only to users located in the United States. The Service is not directed to, and is not available to, residents of any other country, including the European Economic Area, the United Kingdom, Switzerland, mainland China, Russia, Belarus, Iran, North Korea, Cuba, Syria, the Crimea region of Ukraine, or any country or person subject to U.S. or other applicable trade sanctions. We may detect your location and block access from other regions.

2. Data we collect

A. Information you provide

  • Account data: name, email address, and profile details supplied through our identity provider.
  • Billing data: payment method, billing address, and transaction history, processed by our payment processor.
  • Conversation content: prompts, messages, attachments, and any context you submit to an Agent.
  • Outputs: responses, drafts, and tool-call results generated for you.
  • Feedback and support: ratings, reports, surveys, and help requests.
  • Preferences: notification choices, cookie consent, and other settings.

B. Information collected automatically

  • Device and app information: device type, operating system, browser, application version, locale, and time zone.
  • Network and logs: IP address (for security and rate-limit enforcement), request timestamps, error and latency logs, and feature flags.
  • Cookies and similar technologies: for sign-in, session continuity, preferences, analytics, and abuse prevention.
  • Server-side fetching: when our servers fetch a web page on your behalf, the destination site sees our server's IP, not yours.

C. Information from connected third-party services

When you connect a third-party service through OAuth (for example, Google Workspace or YouTube), we access only the scopes you authorize and only to perform actions you request through an Agent. You can disconnect any integration at any time, and you can revoke our access from inside the third-party provider's account settings.

For Gmail, the connection is made through a third-party integration provider acting on our behalf rather than through a direct Google API client. Section 7 (Google user data) applies regardless of which path is used.

D. Browser extension

The browser extension can attach the page you are currently viewing, a selection of text, a YouTube transcript, or other in-tab content as context for an Agent. The extension extracts page text via a readability library and converts it to markdown; it does not capture screenshots. Anything you attach is transmitted to AI inference providers to generate a response.

You are responsible for what you attach. Do not attach pages, selections, or transcripts that contain passwords, security tokens, API keys, session cookies, financial credentials, identity documents, health records, or confidential information you are not authorized to share with cloud AI providers. The Service does not inspect attachments for sensitive content before transmitting them.

3. How we use your data

  • Provide the Service you request, including running Agents, executing Agent Actions, and processing your conversations.
  • Operate and secure the Service, including fraud and abuse detection, rate-limit enforcement, incident response, and audit logging.
  • Maintain and improve performance and reliability, fix bugs, and develop new features.
  • Communicate with you, including service messages (account, security, billing, legal, and technical notices) you cannot opt out of, and product or marketing emails you can unsubscribe from.
  • Process payments and manage subscriptions through our payment processor.
  • Comply with law, respond to lawful requests, and handle disputes.
  • Conduct internal research and analytics on de-identified or aggregated data.

Model training

  • We do not train SurfBuddy's first-party models on your conversations, attachments, outputs, or other content.
  • When you invoke an Agent, the necessary inputs and context are sent to third-party AI inference providers to generate a response. Where their settings allow, we configure them to disable training and retention on our content. Their own terms still apply.
  • We do not retain or use Google user data to develop, improve, or train any AI/ML model. See Section 7.
  • Content flagged for safety or abuse may be reviewed by us or our security providers as needed to enforce our Terms or comply with law.

4. Who we share your data with

We do not sell your personal data, and we do not process personal data for cross-context behavioral advertising or targeted advertising of any kind.

We share data only in the following categories:

  • Service Providers (acting as processors). Cloud hosting and edge compute, application database, in-memory cache, AI inference, identity, payments, third-party API integration providers, web crawling and search, analytics, observability, and customer support. They may use the data only to perform services for us under written agreements with confidentiality obligations and may not use your data for their own purposes.
  • Connected third-party services. When you instruct an Agent to act in a service you have connected (for example, sending an email through Gmail), the relevant content is sent to that service to complete the action. That third party's own terms and policies govern the data once it is in their system.
  • Compliance, safety, and legal disclosures. Where we are required to disclose by law, court order, or lawful government request, or where disclosure is necessary to protect our rights, the Service, our users, or the public.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets, your data may be transferred to a successor entity, subject to this Policy or a successor policy at least as protective.
  • With your consent. Any sharing you specifically direct.

A current list of named subprocessors is available on request by emailing support@surfbuddy.ai.

5. Data location

All conversation data, account data, database records, primary AI inference, hosting, and operational logging are located in the United States. Application servers that handle your data are pinned to U.S. regions. Static assets may be served from a global content delivery network, but the assets do not contain personal data.

6. Retention and deletion

  • Conversations and attachments are retained until you delete them or close your account. Soft-deleting a conversation in the Service hides it from your interface; hard deletion of conversation and account data is available on request by emailing support@surfbuddy.ai.
  • Account data is retained while your account is active and for a reasonable period after closure to comply with legal, billing, and security obligations.
  • Logs and telemetry are retained for limited operational periods.
  • Billing records are retained as required by tax and accounting law.
  • Backups and security logs may persist briefly after deletion of primary data and are overwritten on a rolling schedule.

To request account closure or hard deletion, email support@surfbuddy.ai from the address tied to your account. We will respond and act within the timelines required by applicable law.

7. Google user data

This section applies to all Google user data we receive or process in connection with the Service, regardless of whether we obtain it through a direct Google API integration or through a Service Provider acting on our behalf.

  • Limited purposes only. We access Google user data only to provide user-facing features you request (for example, reading selected threads, drafting and sending email, listing and creating calendar events, reading and updating documents, reading and appending spreadsheets, reading file metadata).
  • No advertising. We do not use Google user data for advertising.
  • No model training. We do not retain or use Google user data to develop, improve, or train generalized AI/ML models.
  • No sale. We do not sell Google user data.
  • Processor-only disclosure. We disclose Google user data only to Service Providers acting as processors under written agreements, only as necessary to operate the Service, and subject to confidentiality obligations.
  • No human review by default. We do not allow human review of Google user data, except with your explicit consent, to comply with law, or as needed for security or abuse investigations.
  • User control. You can disconnect at any time in the Service and revoke access via your Google Account permissions. On disconnection, tokens are revoked.
  • Compliance. Our handling of Google user data complies with the Google API Services User Data Policy, including its Limited Use requirements.

8. What you must not submit

The Service is not designed for, and is not certified for, the categories of data listed below. You must not submit them through any input, attachment, or connected integration:

  • Protected health information regulated by HIPAA;
  • Cardholder data subject to PCI DSS;
  • Financial account data regulated by GLBA;
  • Government identification numbers (Social Security numbers, driver's license numbers, passport numbers, equivalent foreign identifiers);
  • Special categories of personal data such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, health data, or data concerning sex life or sexual orientation;
  • Children's personal information regulated by COPPA or equivalent.

Submitting such data is a breach of the Terms and is at your own risk.

9. Security

We use administrative, technical, and organizational safeguards appropriate to the sensitivity of the data, including encryption in transit, access controls, secrets management, audit logging, and vulnerability management. No system is perfectly secure. You are responsible for protecting your account credentials, your devices, and what you choose to attach to a conversation.

If we become aware of a security incident affecting your data, we will notify you and applicable authorities to the extent required by law.

10. Children

The Service is intended for users 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has provided personal data to the Service, contact us at support@surfbuddy.ai and we will delete it.

11. Your rights and choices

Subject to your jurisdiction and verification of your identity, you may have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate personal data;
  • Delete your personal data;
  • Receive a portable copy of personal data you provided to us;
  • Object to or restrict certain processing;
  • Withdraw consent to optional processing.

We do not sell personal data and we do not share personal data for cross-context behavioral advertising under U.S. state privacy laws. Marketing emails carry an unsubscribe link, and you can opt out of marketing at any time without losing access to the Service.

To exercise any right, email support@surfbuddy.ai from the address tied to your account. We will respond within the timelines required by applicable law. If we deny a request, you may appeal by replying to our decision.

United States state privacy laws

California (CCPA/CPRA), Colorado, Connecticut, Virginia, Utah, Texas, and other state privacy laws may apply to residents of those states. We do not sell personal data and do not engage in cross-context behavioral advertising. You may submit access, correction, deletion, and portability requests as described above, and you may appeal a denial by replying to our decision.

12. Cookies and similar technologies

We use cookies and similar technologies to keep you signed in, remember preferences, measure usage, and detect abuse. You can manage cookies through your browser settings; disabling some cookies may break parts of the Service (for example, sign-in).

13. Communications

We may send you service messages necessary to operate the Service (account, security, billing, legal, and technical notices). You cannot opt out of these while you maintain an account. We may also send product news, launch announcements, and other marketing emails. Each marketing email includes an unsubscribe link, and you can also unsubscribe by emailing support@surfbuddy.ai. Unsubscribing from marketing does not affect service messages.

14. Changes to this Policy

We may update this Policy from time to time. Material changes will be posted with an updated "Last updated" date and, where required, with additional notice through the Service or by email. Changes made for legal or compliance reasons may take effect immediately. Continued use of the Service after the effective date of a change indicates acceptance.

15. Contact

For privacy questions, deletion requests, rights requests, copyright notices, or any other matter related to this Policy: support@surfbuddy.ai.

R28 AI, Inc. is the company responsible for the Service.