Privacy Policy
This policy explains what personal data Incogsurf collects, why, how long we keep it, and the rights you have under the General Data Protection Regulation (GDPR) and the Dutch Implementing Act (UAVG).
1. Who we are
Serointech VOF is the data controller for personal data processed in connection with the Incogsurf service. We are a Dutch general partnership (vennootschap onder firma, VOF) registered with the KvK under number 81485492, with VAT identification number NL862111997B01.
Contact for privacy matters: privacy@incogsurf.com.
2. What we collect, why, and how long we keep it
Account data
Email address, a hashed password (Argon2id via Supabase Auth), TOTP factor secret, and MFA-enrollment timestamp. Used to authenticate you. Retained for the life of the account; deleted on account closure plus 30 days.
Billing data (Stripe)
Payments are processed by Stripe Payments Europe, Limited (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland), acting as the payment processor and as an independent data controller for the purposes of payment processing.
The following data flows to Stripe when you subscribe:
- Your email address and (optionally) your name.
- Billing address, including country — required by EU VAT rules.
- Payment-method details (card number, expiry, CVC) — entered directly in Stripe's hosted Checkout page; we never see your full card number.
- Your VAT identification number, if you provide one (B2B customers only).
Stripe retains this data per Stripe's own Privacy Policy. We retain:
- Your Stripe customer ID (a reference; we use it to look up invoices on your behalf).
- The country used for tax calculation.
- Aggregated VAT totals per country, retained for 7 years as required by the Dutch Algemene wet inzake rijksbelastingen (Awr).
We do not receive or store your card number, CVC, or full bank account data.
Identity tuples
When you upload an identity to the app (email, phone, payment instrument, etc.) we encrypt it at rest using a per-tenant key. Identity tuples are retained for the life of the tenant and deleted when you delete them or close the account. Crypto-shred — destroying the per-tenant key — is the canonical deletion primitive.
Audit events
Every privileged action (profile launch, identity validation, Checkout, suspension, AUP click-through, and similar) writes a row to our audit log with your tenant ID, user ID, IP address, user-agent, and event metadata. Audit rows are retained for 18 months for abuse-detection and forensic purposes, then deleted.
Bandwidth usage
We meter the number of gigabytes consumed by your profiles in the current billing period for quota enforcement and overage billing. Per-launch counters are retained for 90 days; aggregated monthly totals for 7 years (tax).
Email delivery
We send transactional email via Resend (Resend B.V., Netherlands). Recipient addresses in our send log are stored as SHA-256 hashes; the plaintext lives only in the Supabase auth.users table. Send-log rows are retained for 12 months.
In-app notifications
We surface a small log of significant account events (paid invoice, payment failure, scheduled deletion, suspension) inside the application's notification bell. The log is stored in our database scoped to your account and is deleted when you delete the account.
Error monitoring
Application crashes and Edge Function 5xx responses are sent to Sentry (Functional Software, Inc., EU ingest at de.sentry.io). Before transmission we strip authentication tokens, Stripe keys, and known PII fields. Error events are retained per Sentry's free tier — typically 30 days. We use error monitoring only to diagnose bugs, not to profile users.
Telemetry
We do not run third-party analytics or trackers on the marketing site or inside the app. Server access logs (Vercel, Supabase) are retained per those providers' policies (typically 30-90 days) and are limited to operational diagnostics.
Service status
Real-time uptime of our infrastructure is monitored by BetterStack and published publicly at incogsurf.betteruptime.com. Monitoring is endpoint-level (HTTP probes); no per-user data is sent to BetterStack.
3. Legal basis for processing
- Contract (Article 6(1)(b) GDPR) — account data, billing data, identity tuples, bandwidth usage. Processing is necessary to provide the Service.
- Legal obligation (Article 6(1)(c)) — VAT totals retained 7 years (Awr).
- Legitimate interest (Article 6(1)(f)) — audit events, abuse-signal aggregation. Our interest: detect and respond to AUP violations and fraud. Balanced against your privacy by minimising fields, hashing PII where possible, and time-bounded retention.
4. Sub-processors
The full, current list of sub-processors lives at /legal/subprocessors with region, role, and date added for each one. We will notify subscribers via email at least 30 days before adding or replacing a sub-processor. You may object to a new sub-processor by terminating your subscription before the change takes effect.
5. International transfers
Our primary infrastructure (Supabase, Vercel deployments, Resend, Cloudflare DNS) is configured for EU regions. Where a sub-processor operates infrastructure outside the EU/EEA, transfers rely on the EU-US Data Privacy Framework (where applicable) and standard contractual clauses (Commission Implementing Decision 2021/914).
6. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (Article 15).
- Request rectification of inaccurate data (Article 16).
- Request erasure ("right to be forgotten") (Article 17), subject to our statutory retention obligations.
- Restrict or object to processing (Articles 18 and 21).
- Data portability (Article 20) — receive an export of your account data in JSON.
- Lodge a complaint with a supervisory authority. In the Netherlands: Autoriteit Persoonsgegevens.
Two routes are available to exercise the access and erasure rights:
- Self-serve from inside the app. Account → Profile → Danger zone has Download my data (Article 15 export, returns a full JSON archive) and Delete my account (Article 17 erasure with a 30-day recoverable grace — signing in within 30 days cancels the deletion and restores any active subscriptions).
- Email. privacy@incogsurf.com for any of the rights above (or any of the self-serve routes if you cannot access the app). We respond within 30 days (Article 12(3)).
7. Children
The Service is not directed at children under 18. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us at privacy@incogsurf.com and we will delete the account.
8. Law enforcement requests
We respond to valid legal process (Dutch court order, EU production order under Article 7 of Regulation 2023/1543, equivalent instruments from comity countries). We require the request to identify the user account and the specific data sought. We notify the affected user unless prohibited by the order.
9. Changes to this policy
Material changes are announced via in-app notice and email at least 30 days before they take effect. Past versions are retained on request.
These documents are drafts pending counsel review. Where a clause conflicts with mandatory Dutch consumer law (Burgerlijk Wetboek Book 6 or Book 7) or applicable EU law (GDPR, ePrivacy, DSA), the mandatory rule prevails over the drafted clause. Contact privacy@incogsurf.com to flag any drafting issue.