Privacy Policy
Last updated: May 7, 2026
1. Data Controller
The data controller responsible for the processing of personal data on SurgeNiche under Art. 4 (7) GDPR is:
ELM Social Media
Owner: Viktor Martinovic
Hingbergstr. 322
45472 Mülheim an der Ruhr
Germany
Contact: support@surgeniche.com
2. What Data We Collect
We collect only the minimum data necessary to operate the Service:
- Account data — email address, name (when provided by your Google account on sign-in), and a unique account identifier. Authentication is handled via Supabase Auth.
- Subscription data — current tier (Free / Basic / Premium), subscription status, and billing-period dates. We do not store card numbers, CVVs, or any raw payment-card data; that is held by Stripe.
- Usage data — niches you save, AI features you trigger (Niche Health Check, Content Angles), and per-day quota counters.
- Product analytics — page views and feature interactions collected via PostHog (EU region) only after you accept the cookie banner. IP addresses are anonymized at collection.
- Error telemetry — Sentry captures exception data for debugging. Auth headers, cookies and Stripe signatures are stripped before transmission.
3. Legal Bases for Processing (Art. 6 GDPR)
- Performance of contract (Art. 6 (1)(b)) — to deliver the Service you signed up for, including authentication, subscription billing, and AI feature execution.
- Legitimate interests (Art. 6 (1)(f)) — for keeping the Service secure (rate limiting, bot defense via Cloudflare Turnstile) and for diagnosing errors via Sentry. You may object to this processing at any time.
- Consent (Art. 6 (1)(a)) — for non-essential analytics cookies (PostHog). You can revoke consent at any time via the cookie banner or browser controls.
- Legal obligation (Art. 6 (1)(c)) — Stripe retains billing records for longer periods as required by applicable tax and financial regulations.
4. Sub-Processors
SurgeNiche relies on the following sub-processors. Each operates under its own GDPR-compliant data processing agreement and is selected for EU or adequacy-listed jurisdictions where possible:
- Supabase — database and authentication. Data hosted in the EU region (Frankfurt, Germany).
- Stripe — payment processing and subscription management. PCI DSS Level 1 certified.
- Vercel — hosting and edge delivery. Request logs are processed transiently.
- Resend — transactional email delivery (welcome email, billing receipts).
- PostHog — product analytics. PostHog Cloud (EU) with IP anonymization enabled. Loaded only after consent.
- Sentry — error telemetry. Auth headers, cookies, and Stripe signatures are stripped before transmission.
- Cloudflare — Turnstile bot defense on the login form.
- Anthropic — AI inference for Niche Health Check and Content Angles. Niche metadata (no email or account ID) is sent for the duration of the request.
- OpenAI — embeddings generation for replication clustering. Only public YouTube video titles are sent.
- YouTube Data API (Google) — public channel and video data is fetched server-side. We do not pass user identity to Google.
We do not sell your personal data to any third party, nor share it for cross-context advertising.
5. International Transfers
Some sub-processors (e.g. Stripe, Anthropic, OpenAI, Sentry) operate infrastructure in the United States. Where personal data is transferred outside the EEA, we rely on the EU Standard Contractual Clauses (SCCs) as approved by the European Commission and, where applicable, the EU-US Data Privacy Framework, to ensure an adequate level of protection.
6. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), Switzerland, or the United Kingdom, you have the following rights:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your personal data.
- Right to restriction (Art. 18) — request that we restrict processing in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7) — withdraw analytics consent at any time without affecting the lawfulness of past processing.
To exercise any of these rights, email support@surgeniche.com. We will respond within 30 days. You also have the right to lodge a complaint with the data protection authority of your jurisdiction; for users in Germany this is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW).
7. Cookies
We use two categories of cookies:
- Essential cookies — required for authentication session management (Supabase Auth) and for basic app state (e.g. the first-login demo cookie). These cannot be disabled without breaking login functionality.
- Analytics cookies — set by PostHog only after you accept the cookie banner. You can revoke consent by re-opening the banner or clearing browser storage.
8. Data Retention
We retain account data (email, subscription status, saved niches) for as long as your account is active. Upon receiving a verified deletion request, we will delete your personal data within 30 days, subject to any legal retention obligations (e.g. tax records held by Stripe). Anonymized analytics data that cannot be linked back to you may be retained indefinitely for aggregate product research.
9. Children
SurgeNiche is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has signed up, contact us and we will delete the account.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in the Service or in applicable law. Material changes are reflected in the "Last updated" date at the top of this page; we may also notify you by email when changes affect how we process your data.
11. Contact
For any privacy-related questions, data requests, or complaints, email us at support@surgeniche.com. If you believe we have not adequately addressed your concern, you can lodge a complaint with your local data protection authority.