Privacy Policy
This Privacy Policy explains how [Company Legal Name] ("Surge", "we", "us") collects, uses, and shares information when you use the Surge mobile app, web app, and related services (collectively, the "Service").
By using the Service, you agree to the practices described below. If you do not agree, please do not use the Service.
1. Information we collect
Account information
When you create an account, we collect your email address, name (if provided), and authentication identifiers needed to keep your account secure.
Content you provide
Surge stores the content you create or capture in the Service, including:
- Voice recordings and transcripts you submit as brain dumps
- Tasks, sub-tasks, time estimates, notes, and backlog items
- Focus session history and completion data
- Settings and preferences you configure
Usage and device data
We collect basic usage information so we can operate and improve the Service, including device type, operating system, app version, language, time zone, crash logs, and high-level event data (for example, "session started" or "task completed"). We do not collect the contents of your tasks for analytics purposes.
2. How we use your information
We use your information to:
- Provide, maintain, and secure the Service
- Organize your brain dumps into structured tasks using AI
- Sync your data across devices and recover incomplete sessions
- Communicate with you about updates, support, and important changes
- Detect and prevent abuse, fraud, and security issues
- Comply with legal obligations
3. Voice input and speech recognition
When you use voice input, Surge requests microphone access on your device. Speech-to-text transcription is performed by your device's operating system (Apple Speech on iOS, Google Speech on Android). Depending on your device, language, and OS settings, audio may be sent to Apple or Google servers for processing. Surge does not store the raw audio after transcription.
4. AI processing
To turn your brain dump into organized tasks, Surge sends the transcribed text to Anthropic for processing by the Claude language model. Anthropic processes this content on our behalf as a service provider and is contractually prohibited from using your content to train its models.
If you connect Surge to a third-party AI assistant (for example, via Model Context Protocol), that assistant will receive only the data you ask it to retrieve. The assistant's provider is responsible for how it handles that data.
5. How we share information
We do not sell your personal information. We share data only with:
- Service providers listed in Section 6 below, who help us operate the Service. They are bound by contract to use your data only to provide their services.
- Legal authorities when required by law, valid legal process, or to protect rights, safety, or property.
- A successor entity in the event of a merger, acquisition, or asset sale, subject to this Privacy Policy.
- Other recipients, with your explicit consent, for any other purpose.
6. Service providers and subprocessors
Surge relies on the following third-party service providers to deliver the Service. Each is bound by data-processing terms that limit how they may use your information.
| Provider | Role | Data they process |
|---|---|---|
| Anthropic | AI task organization (Claude) | Transcribed brain-dump text you submit for organization |
| Clerk | Authentication and account management | Email address, name, login activity, session tokens |
| Replit | Backend application hosting | All data in transit to and from the Surge API |
| Neon | Managed Postgres database | All content stored in your account (tasks, sessions, backlog, settings) |
| Apple | iOS app distribution and device speech recognition | Device identifiers, App Store install data, voice audio (when iOS speech recognition is used) |
| Google | Android app distribution, Android speech recognition, web fonts on the marketing site | Device identifiers, Play Store install data, voice audio (when Android speech recognition is used), IP address when fonts are loaded |
| Expo (EAS) | Mobile build pipeline and over-the-air updates | Build artifacts and update payloads; no personal account data |
| Vercel | Marketing website hosting | IP address, browser user-agent, and page-request metadata for visitors to surge.app (no account data) |
If we add or change a subprocessor in a way that materially affects your data, we will update this table and, where required, notify you in advance.
7. Data retention
We retain your information for as long as your account is active or as needed to provide the Service. When you delete your account, we delete or anonymize your content within [30/60/90] days, except where we are legally required to retain it (for example, financial records).
8. Your rights
Depending on your location, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your account and associated data
- Export a copy of your data in a portable format
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
To exercise any of these rights, contact us at [privacy@yourdomain.com]. We will respond within the timeframe required by applicable law.
9. Security
We use industry-standard safeguards including encryption in transit (TLS), encryption at rest, and access controls to protect your information. No system is perfectly secure, however, and we cannot guarantee absolute security.
10. Children's privacy
The Service is not directed to children under 13 (or the equivalent minimum age in your country). We do not knowingly collect information from children. If we learn we have, we will delete it.
11. International data transfers
Your information may be processed in countries other than the one you live in, including the United States. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) to protect your information when it crosses borders.
12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service before the changes take effect.
13. Contact us
If you have questions about this Privacy Policy or our data practices, contact us at:
[Company Legal Name]
[Mailing address]
[privacy@yourdomain.com]