Privacy Policy

Surfstyk Limited
Hendrik Bondzio
Email: hello@surfstyk.com

If you have any questions about how we handle your personal data, you can reach us at the address above.

When you use our website and chat service, we may process the following data:

• Chat conversations — messages you send to our virtual assistant Justec, including timestamps and session identifiers.
• Behavioural signals — typing duration, keypress count, scroll depth, and mouse activity. These are used for quality-of-service scoring, not for tracking or advertising.
• Contact details — name, email address, or phone number when you voluntarily provide them during a conversation or through our contact form.
• Technical data — IP address, browser type, operating system, referrer URL, and device information collected automatically by our hosting provider and security services.
• Booking data — date, time, and payment information when you schedule a consultation.

We process your data based on the following legal grounds under the GDPR:

• Consent (Art. 6(1)(a) GDPR) — for chat conversation logging and behavioural signal collection. You are asked for explicit consent before the conversation begins. You may decline, in which case no conversation data is stored.
• Contractual performance (Art. 6(1)(b) GDPR) — for processing bookings, payments, and delivering the services you request.
• Legitimate interest (Art. 6(1)(f) GDPR) — for basic website security, abuse prevention, and service improvement. Our legitimate interest does not override your rights.

We use the following third-party services that may process your data:

• Cloudflare (USA) — DNS, CDN, and DDoS protection. Cloudflare processes IP addresses and request metadata. Cloudflare Privacy Policy
• Cloudflare Turnstile — bot detection for chat sessions. Processes device and browser signals. No cookies are set on the visitor.
• Hetzner (Germany) — server hosting. Data is stored on servers physically located in Germany. Hetzner Privacy Policy
• Google Fonts — font delivery. Google may collect IP addresses when fonts are loaded. Google Privacy Policy
• Stripe (USA) — payment processing for consultation bookings. Stripe Privacy Policy
• PayPal (USA) — alternative payment processing. PayPal Privacy Policy

Where data is transferred to the USA, these providers rely on EU Standard Contractual Clauses or equivalent safeguards.

• Chat conversations — retained for up to 90 days, then automatically deleted.
• Contact form submissions — retained as long as necessary to respond to your enquiry, then deleted.
• Booking and payment data — retained for the duration required by applicable tax and accounting regulations (typically 7–10 years).
• Server logs — automatically rotated and deleted after 30 days.

This website does not use tracking cookies or advertising cookies. We use only technically necessary session identifiers stored in your browser's memory for the duration of your visit. No data persists after you close the browser tab.

Under the GDPR, you have the following rights:

• Access (Art. 15) — request a copy of the data we hold about you.
• Rectification (Art. 16) — correct inaccurate data.
• Erasure (Art. 17) — request deletion of your data.
• Restriction (Art. 18) — limit how we process your data.
• Data portability (Art. 20) — receive your data in a machine-readable format.
• Objection (Art. 21) — object to processing based on legitimate interest.
• Withdraw consent (Art. 7(3)) — withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@surfstyk.com.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. You may contact the supervisory authority in your country of residence, your place of work, or the place of the alleged infringement.

We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. We encourage you to review this page periodically.