Surfaced ("the App") is developed by Forethought Studio. This policy explains what data we collect, why, and how we protect it.
1. What data we collect
Installation identifier: A randomly generated unique ID stored on your device. This is not linked to your name, email, or any personal account. We send this ID to our server on every cold start so we can record that the install is still active (a "last seen" timestamp), and it is included with the engagement events listed below.
Anonymous usage analytics: We record a small number of pseudonymous engagement events keyed to your installation identifier so we can distinguish active users from one-time openers. Each event type is recorded at most once per install. Currently we record:
install heartbeat: registers your installation identifier, device hash, and platform, and updates a "last seen" timestamp on every cold start.
first_card_added: fires the first time you save a loyalty card.
purchase funnel events: when you start, complete, fail, or restore a subscription, we record the event type, platform, app version, and (on failure) the error code so we can monitor purchase reliability. No payment details are recorded.
These events are not linked to your name, email, or any advertising identifier.
Device hash: A one-way hash used to manage your trial period and to anchor your consent record. The hash cannot be reversed to recover the device value it was derived from, and we do not use it to identify you.
Subscription status and receipt: If you subscribe, we send your purchase receipt token to our server, which forwards it to Apple or Google for verification, and we store the verification result (subscription active/inactive, expiry date, original transaction ID) keyed to your installation identifier. We do not see your payment details.
Loyalty card data: Your card names, barcodes, and colors are stored locally on your device only. We never upload your loyalty card data to our servers.
Location data: If you enable location services, your device captures your approximate location and uses it in two ways:
On-device sorting: the App sorts cards by proximity to known store locations on the device.
Nearby store lookup: when the App needs to surface a card for a nearby store, your latitude and longitude are sent to our server in a query (/api/locations/nearby) so we can return matching merchant locations within a ~10 km radius. These coordinates are used only to answer the request and are not stored against your installation identifier.
Community merchant database (optional): if you save a card for a merchant we do not yet know about and you have community contributions enabled (default on, toggleable in Settings), we send the merchant name and a coordinate truncated to ~11 m precision to our community store-locations database so other users can also benefit. This contribution is not linked to your installation identifier.
We never collect or store precise location traces, GPS history, or background location.
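The coordinate coarsening described above, as an added illustration that is not Surfaced's own code: it assumes (the policy does not say so) that "~11 m precision" means truncating latitude and longitude to 4 decimal places, since 0.0001 degrees of latitude is about 11.1 m, and it builds a contribution payload that carries only the merchant name and the coarsened point. The field names, the sample coordinates and the `haversine_m` check are all constructed for the example.

```python
"""Added example (not Surfaced's code): coarsen a coordinate before a
community contribution and measure how far the coarsened point moves.

Assumption: "~11 m precision" == truncation to 4 decimal places
(0.0001 deg of latitude ~= 11.1 m). Payload field names are hypothetical.
"""
from decimal import Decimal, ROUND_DOWN
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0
PLACES = Decimal("0.0001")  # 4 decimal places: ~11 m of latitude per step


def truncate_coord(value: float) -> float:
    """Truncate (toward zero, not round) a coordinate to 4 decimal places.

    Truncation rather than rounding keeps every output on a fixed grid, so
    two users at the same spot always contribute the same cell.
    """
    return float(Decimal(repr(value)).quantize(PLACES, rounding=ROUND_DOWN))


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def precision_loss_m(lat: float, lon: float) -> float:
    """How far the coarsened point lies from the precise one, in metres."""
    return haversine_m(lat, lon, truncate_coord(lat), truncate_coord(lon))


def community_contribution(merchant: str, lat: float, lon: float) -> dict:
    """Build the payload sent to the community store-locations database.

    Deliberately contains no installation identifier or device hash: only
    the merchant name and the coarsened coordinate leave the device.
    """
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinate out of range")
    return {
        "merchant": merchant,
        "lat": truncate_coord(lat),
        "lon": truncate_coord(lon),
    }


if __name__ == "__main__":
    # Constructed sample point (Paris); not a real contribution.
    sample_lat, sample_lon = 48.858370123, 2.294481456
    print(community_contribution("Sample Grocer", sample_lat, sample_lon))
    print(f"moved by {precision_loss_m(sample_lat, sample_lon):.1f} m")
```

Truncating both axes moves a point by at most about 15.7 m (two 11.1 m steps combined at the equator, less elsewhere), which is what "~11 m precision" buys: enough to place a store, not enough to single out a device.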
Feedback: If you choose to send feedback through the App, we store the message you wrote, your installation identifier, app version, build number, build creation timestamp, platform, and a debug log snippet from the App (recent screen names and non-sensitive event traces, used to reproduce bugs). The feedback form also includes an optional reply-to email address; if you supply one, we store it alongside your feedback solely so we can respond. Leaving the email field blank is supported and we will not attempt to identify you.
Crash reports: If the App crashes, we collect anonymous error data (error message, stack trace, app version, platform). This is sent both to our own server (where it is stored against your installation identifier so we can correlate repeat crashes from the same install) and to Sentry, a third-party error monitoring service. Crash reports never include your loyalty card data, location, or feedback contents.
IP address: When you use features that contact our server (such as merchant search, nearby-store lookup, install registration, or sending feedback), your IP address is visible to our server as part of the network connection. We record your IP address alongside your consent record for legal compliance. We do not use IP addresses for tracking or advertising.
Merchant suggestions: If you add a card for a merchant not in our database, we may anonymously submit the merchant name, brand color, and category to our community database. This data is not linked to your identity or device.
Consent record: When you agree to this privacy policy and our terms of service, we store your device hash, the date of consent, the versions of the policy and terms you agreed to, and your IP address. GDPR Article 7(1) requires us to be able to demonstrate that you consented, and this record is how we do so.
2. What we do NOT collect
Your name, phone number, or any account credentials
Your email address (unless you voluntarily supply one in the feedback form)
Your loyalty card data (it stays on your device)
Background location, GPS history, or precise location traces
Any advertising identifiers
Any data from other apps on your device
3. Why we collect data
Installation ID and device hash: To manage your free trial, prevent abuse, and anchor consent and subscription records (legal basis: performance of our contract with you, and our legitimate interest in fraud prevention).
Anonymous usage analytics: To measure activation (e.g. how many installs add a first card) and to monitor purchase reliability (legitimate interest: improving and operating the App).
Subscription receipts: To verify your subscription is active with Apple or Google (legal basis: performance of our contract with you).
Crash reports: To identify and fix bugs (legitimate interest: maintaining App functionality).
Feedback (and optional email): To improve the App based on your suggestions and, if you supplied an email, to reply to you (legitimate interest: you initiated contact).
Location (nearby-store queries): To answer your request for nearby loyalty stores (legitimate interest: providing the feature you opted into when you enabled location).
IP address: Recorded with consent records for legal compliance (legal obligation: demonstrating valid GDPR consent). Visible during all server requests as a standard part of network communication.
Merchant suggestions and community store locations: To build a shared merchant database that benefits all users (legitimate interest: improving product for all users).
4. Third-party services
Apple App Store / Google Play: Handle payment processing for subscriptions, and verify subscription receipts on our behalf when our server forwards them. Their privacy policies apply to payment data.
Sentry: Receives crash reports (error message, stack trace, app version, platform) as described in section 1. Crash reports sent to Sentry never include loyalty card data, location, or feedback contents.
Apple iCloud / Google Drive: Hold the cloud backup file described in section 6a; it lives in your own cloud storage account.
5. Data retention
Crash logs and feedback are retained for up to 2 years, then automatically deleted. Subscription records are retained as long as your subscription is active plus 1 year after cancellation. Engagement events (install heartbeat, first_card_added, purchase funnel events) are retained for up to 2 years. Consent records (including IP addresses) are retained for the lifetime of the service to demonstrate valid legal consent as required by GDPR.
6. Your rights (GDPR)
If you are in the EU/EEA, you have the right to:
Request access to your data
Request deletion of your data
Object to processing
Data portability
6a. Self-service deletion (GDPR Article 17)
The fastest way to delete your data is from inside the app:
Open Surfaced and go to Settings.
Scroll to the PRIVACY section near the bottom.
Tap Delete My Data and confirm both prompts.
When you tap Delete My Data, your local cards and preferences are removed from your device immediately. Your cloud backup file and your server-side records (keyed to your installation identifier; there is no user account) are retained for 30 days for the sole purpose of allowing you to recover if you change your mind. After 30 days, all server-side records are permanently deleted (your installation row, subscription history, purchase event log, feedback messages, crash reports, engagement events, consent record, and trial state), your cloud backup file is removed, and any error reports tied to your installation are purged from our error-tracking provider.
To recover within the 30-day window, re-open the app, sign back into iCloud (on iOS) or Google Drive (on Android), and tap Yes, Cancel Deletion when prompted. Your cards, subscription, and trial state are all restored to the same installation record you had before. If you also kept the device installed, you can tap Cancel Scheduled Deletion from Settings → PRIVACY at any point during the window.
The 30-day retention is the only thing we keep after you tap Delete; we do not use it for any other purpose, and no further data is collected about you during that window. After day 30 the deletion is irreversible. No customer-support ticket or email is required.
6b. Email fallback if you no longer have the device
If you have lost, sold, or wiped the device that ran Surfaced, you can no longer use the in-app button (the installation ID is stored on the device, and we have no other identifier tied to you). In that case, email [email protected] from the address you previously used in the in-app feedback form. We will:
Match your email against the email column of the feedback table to locate the associated installation IDs.
Run the same cascade-delete that the in-app button performs, for every matched installation.
Reply once the deletion is complete (within one month, the deadline set by GDPR Article 12(3)).
If you never submitted feedback with an email address, we have no link between you and any installation row, so we cannot identify your data to delete it. In that case, deletion is not possible without the original device's installation ID. Reinstalling does not recover it: a fresh install generates a new installation ID, so using the in-app button on the new install erases only that new install's data.
For other rights (access, portability, objection), contact us at [email protected] with your installation ID (found in Settings under About).
7. Children
Surfaced is not directed at children under 13. We do not knowingly collect data from children.
8. Changes
We may update this policy. Material changes are accompanied by a version bump in the App; on next launch the App will re-prompt you for consent before sending any further data to our server.