Legal

Privacy Policy

We respect your privacy and are committed to protecting your personal data.

Effective date: January 1, 2025Last updated: April 2026Company: SurgeScribe

This Privacy Policy explains how SurgeScribe (“we”, “us”, or “our”) collects, uses, and protects your personal information when you use our platform. By using SurgeScribe, you agree to the practices described in this policy.

1. Information We Collect

We collect only the data necessary to provide and improve our service.

Account information (provided by you)

  • Full name
  • Email address
  • Website URL (your WordPress or Shopify site)
  • Password (stored as a hashed, salted value — we never see your plaintext password)

Content & configuration data (created by you)

  • Brand settings — tone, audience description, keywords, competitor URLs
  • Content calendar entries and scheduling preferences
  • AI-generated articles and images stored in your account
  • Pillar topics and content strategy configurations

Usage data (collected automatically)

  • Pages visited, features used, and actions taken within the platform
  • Browser type, device type, and operating system
  • IP address and approximate geographic region
  • Error logs and performance diagnostics

Payment data

We do not store your payment card details. All payment information is handled directly by Dodo Payments. We receive only a transaction confirmation and the credit amount purchased.

2. How We Use Your Data

We use your data exclusively to operate and improve SurgeScribe. Specifically:

  • Authenticate your account and maintain your session
  • Generate AI-powered content based on your brand settings and topic inputs
  • Store and retrieve your content calendar, articles, and settings
  • Process credit purchases and apply them to your account balance
  • Send transactional emails (account confirmation, password reset)
  • Diagnose bugs, improve platform stability, and develop new features

We do not sell your data. We do not use your data for advertising. We do not share your content with other users.

3. Third-Party Services

We use a small number of carefully selected third-party services to operate the platform. Each receives only the data necessary for its specific function.

Supabase

Database & authentication

Account info, content data, generated articles, images, and session tokens. Supabase Storage hosts your AI-generated images.

Privacy policy →

Vercel

Hosting & edge infrastructure

IP address and request logs for serving the application. Vercel does not access your account content.

Privacy policy →

OpenRouter / Google Gemini

AI content + image generation

Your brand settings, topic inputs, content briefs, and image prompts are sent to AI models (Google Gemini via OpenRouter) to generate articles, landing pages, and creatives. Content you provide is processed per OpenRouter's and Google's data policies. We recommend not including sensitive personal data in content prompts.

Privacy policy →

Dodo Payments

Payment processing

Payment card details and billing information. SurgeScribe does not receive or store raw payment data.

Privacy policy →

Meta (Facebook & Instagram)

Publishing posts to your Facebook Page and Instagram Business account

When you connect a Facebook Page, we access your Facebook user ID, the list of Pages you can manage, each Page's ID and name, and (if linked) the connected Instagram Business account ID and username. We store a long-lived Page access token, encrypted at rest with AES-256-GCM. We use it only to publish the posts you create in SurgeScribe and to read basic Page metadata. We do NOT access your personal profile content, friend lists, messages, or photos outside the Page. You can disconnect at any time in Integrations, and you can remove our app from your Facebook settings — we'll receive Meta's deauthorize callback and delete your tokens. See our Data Deletion page for full removal instructions.

Privacy policy →

4. Data Retention

We retain your data for as long as your account is active.

  • Active accounts: All account data, content, and settings are retained indefinitely while your account remains open.
  • After account deletion: All personal data, generated content, images, and settings are permanently deleted within 30 days of account deletion.
  • Payment records: Transaction records may be retained longer as required by applicable financial regulations.

To request account deletion, email contact@surgescribe.com or use the account deletion option in your dashboard settings.

5. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data (“right to be forgotten”).
  • Right to data portability: Request a machine-readable export of your personal data.
  • Right to restriction: Request that we restrict processing of your data under certain circumstances.
  • Right to object: Object to processing of your data where we rely on legitimate interests as the legal basis.

To exercise any of these rights, contact us at contact@surgescribe.com. We will respond within 30 days.

6. Your Rights Under CCPA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to know: Request disclosure of what personal information we have collected, used, disclosed, or sold about you in the past 12 months.
  • Right to delete: Request deletion of personal information we have collected from you.
  • Right to opt out of sale: We do not sell personal information. No opt-out is required.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email contact@surgescribe.com with the subject line “CCPA Request”.

7. Cookies & Local Storage

We use a minimal number of cookies — only those strictly necessary to operate the platform. We do not use cookies for advertising, tracking, or analytics.

  • Authentication session cookie: Set by Supabase to maintain your logged-in session. Expires when you sign out or after a defined session duration.
  • Theme preference cookie: Stores your light/dark mode preference. Contains no personal data.

We do not use third-party tracking cookies, advertising cookies, or any form of cross-site tracking.

8. Children's Privacy

SurgeScribe is not intended for use by individuals under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us immediately at contact@surgescribe.com and we will delete the information promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Send an email notification to registered users if the changes are significant

Continued use of SurgeScribe after changes are posted constitutes your acceptance of the updated policy.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

SurgeScribe

Email: contact@surgescribe.com

We aim to respond to all privacy-related enquiries within 5 business days.

Privacy Policy — SurgeScribe