Content HQ

Overview

OverviewAnalyticsIdea Inbox

Planning

BoardTableTimelineCalendar

Operations

UploadPublish QueuePayroll
Settings
⌘K

Privacy Policy

Last updated: 16 April 2026

Surge ("we", "our", "us"), operated at trysurge.app, is a content management and analytics dashboard for creators and operators. This Privacy Policy explains what personal data we collect, how we use it, how long we retain it, and your rights in respect of it. By using Surge you agree to the practices described here.

1. Data We Collect

1.1 Account & Identity Data

  • Name and email address collected at sign-up via Clerk authentication
  • Profile picture (where provided)
  • Workspace name and team member information

1.2 Connected Platform Data

When you connect a third-party platform (Instagram, TikTok, YouTube, X/Twitter, LinkedIn, etc.) we request access tokens and retrieve the data permitted by that platform's API. This typically includes:

  • Public profile information (username, display name, profile picture, follower count)
  • Content analytics (views, likes, comments, shares, reach, impressions, engagement rate)
  • Video/post metadata (title, caption, publish date, media type) for content you have already published on that platform
  • OAuth access tokens and refresh tokens required to maintain the connection

We do not collect private messages, financial information, passwords, or any data outside the explicit API scopes you authorise during the connection flow.

1.3 Content You Create in Surge

  • Content plans, scripts, hooks, captions, and notes
  • Scheduled and queued posts
  • Files and attachments you upload

1.4 Usage & Technical Data

  • Log data (IP address, browser type, pages visited, timestamps)
  • Session and authentication metadata via Clerk
  • Error reports to diagnose and fix bugs

2. How We Use Your Data

  • To provide the Surge dashboard and all features within it
  • To display your content analytics and performance data
  • To generate AI-powered content insights and recommendations
  • To maintain platform connections via stored OAuth tokens
  • To send transactional notifications you have opted into (e.g. invite emails)
  • To diagnose errors and improve the Service
  • To comply with legal obligations

We do not sell your data to third parties. We do not use platform API data for advertising, model training, or any purpose beyond operating the features you actively use.

3. Platform-Specific Data Handling

TikTok

Surge integrates with the TikTok API to display your video analytics within your workspace. Data obtained via the TikTok API (including video metrics, profile data, and access tokens) is:

  • Used solely to display analytics inside your Surge workspace
  • Never shared with or sold to any third party
  • Deleted within 30 days of you disconnecting your TikTok account from Settings
  • Stored encrypted at rest using industry-standard controls

TikTok's own privacy policy applies to data held on their platform:  tiktok.com/legal/privacy-policy.

Instagram / Meta

We access Instagram Basic Display API and/or Instagram Graph API data (media, insights, profile) solely to populate analytics inside Surge. Meta's data policy applies:  facebook.com/policy.php.

YouTube / Google

Surge uses YouTube Data API v3 to display your channel and video analytics. We comply with the YouTube API Services Terms of Service. Google's privacy policy:  policies.google.com/privacy.

X (Twitter)

We use the X API v2 to retrieve post analytics for content you have published. X's privacy policy:  twitter.com/en/privacy.

LinkedIn

We use the LinkedIn API to display post and profile analytics. LinkedIn's privacy policy:  linkedin.com/legal/privacy-policy.

4. Data Storage & Security

All data is stored using Supabase, hosted on AWS infrastructure in the EU. We apply industry-standard security measures including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Row-level security policies scoped to your workspace
  • OAuth tokens stored encrypted; never exposed client-side
  • Access limited to workspace members you have explicitly invited

5. Data Retention

  • Active account: data is retained for as long as your account is active
  • Disconnected platform: platform API data (tokens, analytics) deleted within 30 days of disconnection
  • Account deletion: all personal data deleted within 30 days of your written deletion request
  • Logs: server logs retained for up to 90 days for security purposes, then deleted

6. Your Rights

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure— request deletion of your personal data ("right to be forgotten")
  • Restriction — request we limit processing of your data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Disconnect platforms — revoke any platform integration at any time via Settings → Connected Platforms

To exercise any of these rights, email us at mason@infoscalelab.com. We will respond within 30 days.

7. Cookies & Tracking

Surge uses essential session cookies managed by Clerk for authentication. We do not use advertising cookies or third-party tracking pixels. Analytics, where used, are aggregated and anonymised.

8. Third-Party Sub-Processors

  • Clerk — authentication and session management (clerk.com)
  • Supabase — database and file storage (supabase.com)
  • Anthropic — AI content generation (anthropic.com); prompts may include content you submit for AI processing
  • Resend — transactional email delivery (resend.com)
  • Vercel — hosting and edge infrastructure (vercel.com)

Each sub-processor is bound by their own data processing agreements and privacy policies. We do not permit sub-processors to use your data for their own purposes.

9. International Transfers

Data is stored on EU-based infrastructure. Where data is transferred outside the EU (e.g. to Anthropic servers in the US), we rely on Standard Contractual Clauses or equivalent transfer mechanisms as required by applicable data protection law.

10. Children

Surge is not intended for users under 18 years of age. We do not knowingly collect data from minors. If you believe we have inadvertently collected such data, contact us immediately.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice at least 7 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

Data controller: Mason Bowstead, operating Surge at trysurge.app.
Email: mason@infoscalelab.com