Privacy Policy

1. Introduction

SurfLab Tech (“we,” “us,” or “our”) is committed to protecting your privacy. This policy explains what data is accessed, collected, or processed when you visit our website (surflabtech.com), create an account, or use our WordPress plugins, including SurfLink and SurfPop.

2. Billing, Licensing, and Payments

Our order process is conducted by our online reseller Freemius. Freemius is the Merchant of Record for all our software orders.

  • Data Collected: When you purchase a Pro license, Freemius collects your name, email address, billing address, and VAT number (where applicable).
  • Payment Security: Payment processing is handled securely by Freemius via their integrated gateways (Stripe or PayPal). SurfLab Tech does not store or have access to your credit card numbers or payment credentials.
  • License Management: Freemius provides the technology for license key generation, activation, and automated software updates. For these services to function, your site communicates with Freemius’s servers to verify license validity.

3. Data Collection & Processing via Plugins

In the general case, using our plugins requires “nothing – or, if using an explicit online service, then the minimum required to deliver that service.”

  • General Logging: Any HTTP requests sent to our servers (browser visits or API calls) are logged and stored for 6 months per UK/International data retention standards. These logs are used solely for security auditing and are never used for marketing.
  • Backups & Restoration (SurfLink): Taking and restoring backups does not result in communications with SurfLab Tech servers. We do not observe how you use the plugin, and your backup data is never processed by or shared with us.
  • Diagnostic Tracking (Optional): If you “Opt-in” to diagnostic tracking via Freemius, non-sensitive info (WP version, active theme, etc.) is collected to help us improve the plugin. This is 100% optional and can be disabled at any time.
  • Update Requests: When your site checks for an update, it sends the WordPress version, PHP version, plugin version, site language, and PHP memory limit. This allows our server to provide the correct, compatible version of the software.
  • Anonymized Statistics: We reserve the right to aggregate and anonymize this data to produce statistics on our user base (e.g., “50% of users are on PHP 8.1”), which guides our development priorities.

4. Cloud Storage App Privacy Policies (OAuth Authentication)

When using SurfLink to back up to third-party cloud destinations, our built-in apps use an OAuth communication flow. No backup data from your WordPress site goes to our servers—it remains entirely on your hosting server.

If you configure our plugins to back up to third-party providers (Google Drive, OneDrive, Dropbox, pCloud, Amazon AWS, etc.), your backup data remains entirely on your own server and the destination cloud server. No backup data ever passes through or is stored on SurfLab Tech servers.

The following policies apply only if you use our “Built-in App” for authentication. If you configure the plugin to use your own custom API credentials/app, no data comes to our servers at all.

Google Drive App Policy

  • Authentication Flow: Use of Google Drive involves visiting our authentication server as part of the OAuth flow. When you see the Google authorization screen, it is granting permission to the plugin running on your webserver, not to us.
  • Security Model Note: Google Drive does not provide a security model that isolates data stored via an app from other data stored by that same app. It is not recommended for storing data belonging to separate websites if administrators of those sites should not have access to each other’s files. Google suggests Google Cloud for such commercial use cases.
  • Data Handling: Authentication logs your IP address (deleted after 6 months). Upon success, your Google account identifier is stored in our database so that the necessary authentication token can be provided to your site if requested again. We do not share this with any third party.

Microsoft OneDrive App Policy

  • Authentication Flow: Similar to Google Drive, this involves an OAuth flow through our authentication server.
  • Data Handling: Your IP address is logged for security auditing (6 months retention). Your Microsoft account identifier may be stored in our database to facilitate future token requests from your site. We currently only perform this storage when technically necessary for service stability and do not process this data for any other purpose.

pCloud App Policy

  • Authentication Flow: This requires a brief visit to our authentication server to secure the OAuth handshake.
  • Data Handling: We log the connecting IP address for 6 months. We reserve the right to store your pCloud account identifier in our secure database to ensure the authentication token remains available for your WordPress site. This data is handled confidentially and never shared with third parties.

Amazon AWS & Dropbox

  • Direct Connection: In cases where these providers use the OAuth protocol via our authentication server, a secure token passes through our server. No personally identifiable information (PII) or backup content is stored or processed by us during this procedure.

5. Third-Party Data Processors

We use a limited number of trusted third-party processors to run our business. These companies are strictly vetted for GDPR/CCPA compliance:

Processor | Purpose | Data Shared
Freemius | Licensing, Payments, & Updates | Name, Email, Billing Address, Site URL.
Kit (ConvertKit) | Email Communications | Email address, Name (only if you opt-in).
Stripe / PayPal | Payment Processing | Handled via Freemius; we never see this data.
Google Analytics | Website Usage Stats | Anonymized IP and browsing behavior.

6. Data Deletion & Retention

We believe in the “Right to be Forgotten.”

  • What we delete upon request: Support tickets, forum posts, licensing database entries, and your data within our Kit account.
  • What we must retain: Sales records and transaction data held by payment vendors must be retained for a minimum of 10 years to comply with global taxation and auditing laws. Webserver access logs are kept for 6 months.

Connecting for Updates and Licensing

If you connect your plugin to receive automated updates (managed via Freemius), certain information is stored to facilitate the service:

  • Update Requests: When your site checks for an update, it sends the WordPress version, PHP version, plugin version, site language, and PHP memory limit. This allows our server to provide the correct, compatible version of the software.
  • Anonymized Statistics: We reserve the right to aggregate and anonymize this data to produce statistics on our user base (e.g., “50% of users are on PHP 8.1”), which guides our development priorities.

7. California Consumer Privacy Act (CCPA) & CPRA Notice

This section provides additional disclosures required by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). These provisions apply solely to residents of the State of California.

1. Information We Collect and Disclose

In the preceding 12 months, SurfLab Tech has collected (and may have disclosed for a business purpose) the following categories of personal information:

Category | Examples | Collected | Disclosed to 3rd Parties
Identifiers | Name, alias, email address, unique personal identifier, IP address. | YES | Yes (Service Providers)
Commercial Information | Records of products purchased, obtained, or considered. | YES | Yes (Payment Processors)
Internet/Network Activity | Browsing history, search history, information on a consumer’s interaction with our website or plugin. | YES | Yes (Analytics Providers)
Geolocation Data | IP-based location (City/Country level). | YES | No
Professional Information | Business name or job title (if provided during checkout). | YES | No

2. Our Use of Personal Information

We use the categories of personal information listed above for the following “Business Purposes” as defined by California law:

  • Auditing: Related to current interactions and concurrent transactions.
  • Security: Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible.
  • Debugging: To identify and repair errors that impair existing intended functionality in our plugins.
  • Service Provisioning: Maintaining accounts, providing customer service, processing payments, and verifying customer information via our partner, Freemius.
  • Internal Research: Undertaking internal research for technological development and demonstration to improve our software.

3. Your California Privacy Rights

If you are a California resident, you have the following specific rights:

  • Right to Know and Access: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, and the business purpose for collecting or selling that information.
  • Right to Delete: You have the right to request the deletion of your personal information, subject to certain legal exceptions (such as the need to retain data for tax audits or to complete a transaction).
  • Right to Correct: You may request that we correct inaccurate personal information that we maintain about you.
  • Right to Opt-Out of Sale or Sharing: SurfLab Tech does not sell your personal information. We do not share your personal data with third parties for their direct marketing purposes.
  • Right to Non-Discrimination: We will not discriminate against you (e.g., by charging different prices or providing a different level of quality) for exercising any of your CCPA/CPRA rights.

4. How to Exercise Your Rights

To exercise your right to access, delete, or correct your data, please submit a verifiable consumer request to us by:

  1. Emailing: [email protected]
  2. Contact Form: https://surflabtech.com/contact/ (Please include “CCPA/Data Request” in the subject).

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. We must be able to verify your identity (typically via your account email) before processing your request to prevent “social engineering” attacks or unauthorized access to your data.

5. “Shine the Light” Law

Under California Civil Code Section 1798.83, California residents who provide personal information in obtaining products or services for personal, family, or household use are entitled to request and obtain from us once a calendar year information about the customer information we shared, if any, with other businesses for their own direct marketing uses. SurfLab Tech does not share such information with third parties for their direct marketing purposes.

8. Contact Us

To exercise your rights under the GDPR or CCPA, or if you have any questions regarding this policy, please contact our support team:

Website: https://surflabtech.com/contact/

Email: [email protected]