
Privacy Policy

Effective Date: January 5, 2026
Last Updated: January 5, 2026

Introduction

Welcome to Surf (also known as "Surf to") ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered social video scheduling platform.

Information We Collect

1. Account Information

  • Email address
  • Password (encrypted)
  • Profile information (name, profile picture from OAuth providers)
  • Subscription status (free or premium)

2. Social Media Account Connections

When you connect your social media accounts (YouTube, TikTok, Instagram, Facebook, LinkedIn, Bluesky), we collect:

  • Account ID and username
  • Access tokens and refresh tokens (encrypted)
  • Channel/profile metadata (subscriber count, follower count, etc.)
  • We do NOT download or store video content from your social media accounts

3. Video Content You Upload

  • Video files you upload from your device
  • Video metadata (title, description, duration, resolution)
  • Captions and transcripts you generate or edit
  • Video editing settings and preferences

4. Usage Information

  • Video upload history
  • Scheduled posts
  • Credits usage (for freemium model)
  • Application analytics and error logs

Critical Google API Data Segregation Policy

Our Commitment to Google User Data Protection

IMPORTANT: We maintain complete, auditable data isolation between Google API Services and third-party AI services (AssemblyAI) in full compliance with Google's Limited Use of User Data requirements.

What This Means for You:

1. No YouTube Content Downloaded

  • We NEVER download video content from your YouTube channel
  • We ONLY use YouTube API to:
    • Upload your edited videos to your YouTube channel
    • Retrieve your channel metadata (name, subscriber count, statistics)
    • Display your YouTube account information in our app

2. Complete Data Segregation

  • Videos you upload to Surf come ONLY from your device
  • These user-uploaded videos are separate from any Google API data
  • When you generate captions using our AI transcription service (AssemblyAI), ONLY user-uploaded videos (from your device) are processed
  • Google User Data obtained via YouTube API is NEVER sent to AssemblyAI or any third-party AI service

3. Two Separate Data Flows

Flow A: Video Upload & Caption Generation (No Google Data)

Your Device → Upload Video → Surf Storage → AssemblyAI (captions only)
  • Source: Videos from your device (NOT from YouTube)
  • Processing: AI transcription for captions
  • No Google API data involved

Flow B: YouTube Publishing (Google Data - Isolated)

Surf → YouTube API → Your YouTube Channel
  • Purpose: Upload your edited videos to YouTube
  • Data: Channel metadata and video upload endpoint
  • No video content sent to AI services

4. Your Responsibilities

  • You must ONLY upload videos you created or own the rights to
  • Do NOT upload videos downloaded from YouTube, TikTok, Instagram, or other platforms
  • You must confirm content ownership before generating AI captions
  • Violating these terms may result in account suspension

How We Use Your Information

1. Video Upload and Storage

  • Store videos you upload in secure cloud storage (AWS S3)
  • Generate presigned URLs for temporary access (1-hour expiry)
  • Process videos for editing, trimming, and template application

2. AI Caption Generation (AssemblyAI)

  • Send presigned URLs (NOT video files directly) to AssemblyAI for transcription
  • Receive word-level transcripts with timestamps
  • Store transcripts in our database for your editing and reuse
  • CRITICAL: Only user-uploaded videos (from your device) are sent to AssemblyAI
  • Google User Data from YouTube API is NEVER sent to AssemblyAI

3. Social Media Integration

  • Use OAuth access tokens to publish videos to your connected accounts
  • Retrieve channel/profile metadata for display in the app
  • Schedule posts according to your preferences
  • We do NOT download videos from social media platforms

4. Service Improvement

  • Analyze usage patterns to improve features
  • Monitor errors and performance issues
  • Provide customer support

Data Sharing and Disclosure

Third-Party Services We Use:

1. AssemblyAI (Caption Generation)

  • Purpose: Audio-to-text transcription
  • Data Shared: Presigned S3 URLs of user-uploaded videos
  • Data NOT Shared: Google User Data, YouTube videos, OAuth tokens
  • Retention: Transcripts processed and returned immediately
  • Privacy: AssemblyAI does not train models on our user data per our agreement

2. AWS S3 (Video Storage)

  • Purpose: Secure video file storage
  • Data Shared: Encrypted video files
  • Security: Server-side encryption, private buckets

3. Supabase (Database and Authentication)

  • Purpose: User authentication, database storage
  • Data Shared: User accounts, video metadata, captions
  • Security: Row-Level Security (RLS), encrypted connections

4. Social Media Platforms (YouTube, TikTok, Instagram, Facebook, LinkedIn, Bluesky)

  • Purpose: OAuth authentication, video publishing
  • Data Shared: Edited videos (with your consent), video metadata
  • Data Received: Account metadata (username, statistics)
  • Data NOT Received: Video content from your social media accounts

Legal Compliance:

We may disclose your information if required by law, court order, or government regulation, or to:

  • Protect our legal rights
  • Prevent fraud or abuse
  • Protect user safety

Data Retention

  • Video Files: Retained until you delete them or terminate your account
  • Captions: Stored with associated videos
  • Social Media Tokens: Encrypted and stored until you disconnect the account
  • Account Data: Retained until you request account deletion
  • Usage Logs: Retained for 90 days for troubleshooting

Data Security

We implement industry-standard security measures:

  • HTTPS/TLS encryption for all data in transit
  • Server-side encryption for video files at rest
  • Encrypted OAuth tokens in database
  • Row-Level Security (RLS) in Supabase
  • Regular security audits and updates
  • Restricted access to production systems

Your Rights and Choices

You Have the Right To:

1. Access Your Data

  • View all videos, captions, and account information
  • Export your data upon request

2. Delete Your Data

  • Delete individual videos and captions
  • Disconnect social media accounts
  • Request full account deletion

3. Control Data Sharing

  • Choose which social media accounts to connect
  • Control when videos are published
  • Opt out of optional features

4. Revoke Permissions

  • Disconnect social media accounts at any time
  • Revoke OAuth access through your social media account settings

How to Exercise Your Rights:

Google API Services User Data Policy Compliance

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specific Commitments:

1. Limited Use:

  • We use Google User Data ONLY for providing and improving our video publishing features
  • We do NOT use Google User Data to train generalized AI models
  • We do NOT sell Google User Data to third parties
  • We do NOT use Google User Data for advertising purposes

2. Data Isolation:

  • Google User Data is stored separately from user-uploaded content
  • YouTube API data is NEVER sent to AssemblyAI or other AI training services
  • Clear technical and organizational safeguards prevent data mixing

3. Scope Usage:

  • youtube.upload: Upload user-edited videos to YouTube
  • youtube.readonly: Retrieve channel metadata (title, subscriber count)
  • userinfo.email: Link YouTube account to Surf account
  • userinfo.profile: Display user profile information

4. Transparency:

  • We clearly inform users about data flows
  • We require explicit consent before processing videos
  • We provide this privacy policy and technical documentation

Children's Privacy

Our service is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

International Data Transfers

Your information may be transferred to and stored on servers located outside your country of residence. We ensure appropriate safeguards are in place for international transfers.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last Updated" date
  • Sending an email notification (for significant changes)

Contact Us

If you have questions about this Privacy Policy or our data practices:

Glossary of Terms

  • Google User Data: Information obtained from Google APIs, including YouTube channel metadata, user email, and profile information
  • User-Uploaded Content: Videos uploaded from your device, NOT obtained via any Google API
  • OAuth Tokens: Encrypted access credentials that allow us to publish to your social media accounts
  • AssemblyAI: Third-party AI transcription service used for caption generation
  • Presigned URL: Temporary URL (1-hour expiry) that provides time-limited access to a video file

Compliance Statement

This Privacy Policy is part of our compliance with:

  • Google API Services User Data Policy
  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • Other applicable data protection laws

Last Reviewed: January 5, 2026