Privacy & GDPR Notice

Last updated: 30 May 2026 · Version: 1.0-draft

This notice explains what personal data [LEGAL ENTITY NAME] ("we", "us") collects when you use Surifact, why we collect it, the legal basis for each use, and the rights you have under the EU General Data Protection Regulation (GDPR). We wrote it to be read, not skimmed past — in plain language, as the GDPR requires.

1. Who we are

Surifact is operated by [LEGAL ENTITY NAME], registered in [COUNTRY OF REGISTRATION]. We are the "data controller" for the personal data described here — meaning we decide why and how it is processed.

For any privacy question, or to exercise any of your rights, contact our Data Protection Officer at [DPO / PRIVACY CONTACT EMAIL].

2. What this notice covers

This notice covers the Surifact website and application. It does not cover third-party websites you may reach through links posted by other users — those services have their own privacy notices.

3. Personal data we collect

We practise data minimisation: we collect only what the service genuinely needs.

  • Account data — your email address, your handle, your password (stored only as a secure hash, never in plain text), and the consent choices you make at registration.
  • Profile data — your display name, optional bio, and avatar. Your first and last name, if provided, are shown only to suricates with whom you share a Pack connection; non-connected visitors never see them.
  • Content — the Claims, Takes, annotations, comments, Likes and Vouches you create, and their visibility settings (Public or Pack).
  • Security data — your IP address, logged only for abuse prevention and rate limiting, and automatically purged after 30 days.

We do not collect special-category data, and we ask you not to post it about yourself or others.

4. How and why we use your data

We use your data only for the purposes below. The "legal basis" column states the GDPR Article 6 ground for each.

Purpose | Legal basis
Create and secure your account, authenticate you, and provide the core service | Performance of a contract (our Terms)
Display your Public posts and your Pack-only posts to the audiences you choose | Performance of a contract
Fact-check the Claims you post and publish a verdict | Performance of a contract (you must consent to this to post Claims; you can post Takes instead)
Prevent abuse, spam and fraud, and keep the platform secure | Our legitimate interests in a safe service
Produce anonymous, aggregate usage statistics | Your consent (optional — off unless you opt in)
Send you email notifications | Your consent (optional and granular — off unless you opt in)

5. Fact-checking of Claims

When you post a Claim, its text is processed by our fact-checking pipeline, which searches public sources for evidence and produces a trust score and verdict. Takes are never fact-checked.

This processing applies to the content of the Claim itself. You choose whether to post a Claim (fact-checked) or a Take (not fact-checked). If you do not consent to fact-checking, you can still use Surifact by posting Takes only.

6. Who we share your data with

We do not sell your personal data, and we never share it with advertisers or data brokers. We share data only with:

  • Service providers acting as our processors under contract — principally Supabase, which hosts our database, authentication and storage in the EU (Frankfurt, Germany).
  • Other suricates — but only the data you choose to make visible, according to your post visibility and Pack settings.
  • Authorities, where we are legally required to do so, or to protect the rights and safety of our users.

7. International data transfers

Our database and storage are hosted in the EU. Where a provider processes data outside the European Economic Area, we rely on an adequacy decision or on Standard Contractual Clauses approved by the European Commission to protect your data.

8. How long we keep your data

  • Posts and profile data — kept until you delete them or erase your account.
  • Deleted posts — soft-deleted and recoverable by you for 30 days, then permanently purged.
  • IP addresses — purged automatically after 30 days.
  • Inactive accounts — after 12 months of inactivity we notify you; if you do not confirm you want to keep the account, it is deleted after 24 months.
  • Consent and data-rights records — kept as long as needed to demonstrate compliance.

9. Your rights

Under the GDPR you have the following rights, which you can exercise free of charge. Most are available directly in Settings; for anything else, contact our DPO.

  • Access — download all your personal data as JSON, from Settings (we respond within 30 days).
  • Rectification — edit your display name, bio and email in Settings.
  • Erasure — delete your account from Settings; we anonymise your posts (your handle becomes "[deleted]") and remove your personal data within 30 days.
  • Portability — export your posts and annotations as JSON or CSV from Settings.
  • Restriction and objection — ask us to pause or stop a particular processing activity.
  • Withdraw consent — turn off any optional processing (analytics, email) at any time in Settings › Privacy, without losing the core service.
  • Complain — lodge a complaint with your local supervisory authority (in our case, [EU SUPERVISORY AUTHORITY]) if you believe we have mishandled your data.

We do not use your personal data for automated decisions that produce legal or similarly significant effects about you.

10. How we protect your data

  • Passwords are hashed with a strong, slow algorithm (bcrypt or Argon2id) — we never store or see your plain-text password.
  • All connections use TLS 1.2 or higher; plain HTTP is redirected to HTTPS.
  • Database content is encrypted at rest (AES-256 or equivalent).
  • Sessions use short-lived tokens with revocable refresh tokens, so access can be cut off quickly if needed.

11. No tracking

Surifact contains no third-party tracking pixels, advertising SDKs, analytics that identify you, or browser fingerprinting. Your email address is used only for authentication and the notifications you opt into — it is never shown to other users.

12. Children

Surifact is not intended for children under [MINIMUM AGE]. We do not knowingly collect data from anyone below that age; if you believe a child has created an account, contact our DPO and we will remove it.

13. Changes to this notice

We may update this notice. When we make material changes we will update the version and "last updated" date at the top and, where appropriate, notify you in the app.

14. Contact us

Questions, requests or complaints: contact our Data Protection Officer at [DPO / PRIVACY CONTACT EMAIL]. You also have the right to complain to [EU SUPERVISORY AUTHORITY].