Privacy Notice
Updated 30 May 2026
This notice explains how Surgifai, Inc. (“Surgifai,” “we,” “us”) handles personal data across the Surgifai marketing site at surgifai.com and the Surgifai customer application at app.surgifai.com. It does not cover data Surgifai processes on a customer's behalf under a separate data-processing agreement; that processing is governed by the Data Processing Agreement and the customer's order or business terms.
Surgifai is operated from the United States and is intended for use by businesses and professionals in the United States. The data controller is Surgifai, Inc., reachable at [email protected].
Scope of this notice
This notice covers personal data Surgifai collects and controls about the people who visit our sites and use our application. Where a customer organization submits data to the service and Surgifai processes that data on the organization's behalf, the organization is the controller and Surgifai acts as its service provider under the Data Processing Agreement.
Information we collect
Information you provide
- Your work email address. Your sole sign-in credential — we do not use passwords. Clicking the link we email you both signs you in and verifies the mailbox.
- Firm membership derived from your email domain. When you register, the registrable domain of your email (for example, acme.com) is used to create a firm record. The first user from a new domain becomes the firm's owner; additional users from the same domain join as members.
- Research queries. Questions and conversations you submit through the research chat or an authorized third-party client.
- Communications. Any message you send us, including requests to [email protected].
Information collected automatically
- Bot-protection signals. Cloudflare Turnstile runs on sign-in and registration pages and processes device and browser signals — including your IP address — to distinguish people from automated abuse. See the Cloudflare Turnstile Privacy Policy.
- Abuse-prevention records. To detect and rate-limit automated abuse, we store one-way hashed forms of your email address and source IP address, together with sign-in and registration event metadata. We do not store the raw email address or IP address against these abuse records.
- Server-side request logs. Cloudflare retains operational logs and metrics on our behalf. Our application code does not write your raw email address or raw IP address into these logs.
Sensitive personal information
We do not collect personal information for the purpose of inferring characteristics, and we do not collect categories of sensitive personal information as defined under California law for any purpose beyond what is necessary to provide and secure the service. The IP address processed by our bot-protection and rate-limiting systems is used solely for security and abuse-prevention and is stored only in hashed form against abuse records. We do not use or disclose sensitive personal information for purposes that would trigger a right to limit its use.
How we use this information
- Authenticate you and deliver your single-use sign-in link.
- Identify and provision the firm associated with your email domain.
- Operate the research chat and the third-party client sign-in surface.
- Protect the service against bots, abuse, and email-relay misuse.
- Operate, secure, and improve the service, and meet legal obligations.
We do not use your research queries or your content to train foundation models. The large-language-model service that powers the research chat processes your query to produce a response and is not used to train models on your inputs.
Service providers we use
The Surgifai customer application runs on Cloudflare, which provides compute, database storage, transactional email delivery, bot protection, and the large-language-model service that powers the research chat. Cloudflare processes data on Surgifai's behalf as a service provider; see the Cloudflare Privacy Policy.
Email delivery. Sign-in and verification email is sent from [email protected]; operational and no-reply email is sent from [email protected].
Research chat. When you submit a chat message, the message text and any results retrieved in response are processed by a large language model hosted by Cloudflare. Your email address, account identifier, and firm identifier are not sent to the model.
Research backend. Surgifai operates its own research backend on Cloudflare. When you submit a query through the chat or through an authorized third-party client, the query text is sent to that backend. Authenticated requests carry a short-lived signed token identifying your firm, your user account, and your role within the firm. We do not attach your email address to research queries.
Data retention
- Account email and firm membership are retained while your account or firm is active. On deletion of your account, we remove your profile, firm membership, and active sessions.
- Firm records. A firm record is created from your email domain and may persist after an individual user deletes their account, because other members may still belong to the firm. When the last member of a firm deletes their account, we delete the firm record and associated firm-level account data. Research history associated with a deleted account is removed with that account; research history associated with a firm is deleted when the firm record is deleted.
- Sign-in links are single-use and short-lived; they become unusable after a single click.
- Sign-in sessions expire 7 days after your last activity, with continued use extending the session.
- Abuse-prevention records are counted in a sliding window of approximately one hour, stored only in hashed form, and pruned automatically.
- Server-side operational logs are retained by Cloudflare in accordance with its own policies.
- We may retain certain records (for example, abuse-prevention signals or records required by law) beyond the periods above where necessary to meet legal obligations or to enforce our terms.
Security
- Passwordless authentication. Magic-link-only sign-in; there is no password to phish or breach.
- Encrypted transport. All traffic is served over HTTPS.
- Encrypted-at-rest storage.Account information is stored in Cloudflare's database service, which provides storage-layer encryption at rest.
- One-way hashed abuse identifiers. Email-address and IP-address values used for rate-limit and abuse tracking are stored only in hashed form; raw values are never written to those records.
- Hardened session cookies and short-lived authorization tokens for any access granted to research or to third-party clients.
- Rate limiting on the registration, sign-in, and email-send endpoints, per IP address and per email address.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Your privacy rights
Surgifai serves users in the United States. Depending on your state of residence, you may have the right to:
- Know and access the categories and specific pieces of personal information we have collected about you.
- Correct inaccurate personal information we hold about you.
- Delete your account and associated personal information.
- Opt out of the sale or sharing of personal information for cross-context behavioral advertising. We do not sell or share personal information, so there is nothing to opt out of.
- Limit the use of sensitive personal information. We do not use sensitive personal information for purposes that trigger this right.
- Non-discrimination for exercising any of these rights.
To exercise any of these rights, contact us at [email protected]. We will verify your request using the email address associated with your account and respond within 45 days, with one permitted extension where reasonably necessary. You may use an authorized agent to submit a request on your behalf, subject to verification.
California residents.The California Consumer Privacy Act, as amended, provides the rights described above. We do not sell or share personal information for cross-context behavioral advertising, and we do not use or disclose sensitive personal information beyond the purposes permitted without a right to limit. In the preceding twelve months, we have collected the categories of personal information described in “Information we collect” and disclosed personal information only to the service providers and in the circumstances described in “How we share your data.”
Children's privacy
Surgifai is a business service intended for use by adults in professional contexts. We do not knowingly collect personal data from anyone under 16. If we learn we have done so, we will delete it.
Changes to this notice
We may update this notice as the service evolves. Material changes will be reflected by the “updated” date above. For substantive changes affecting how we use your data, we may also notify you by email.
Contact
Privacy questions and rights requests: [email protected].