privacy statement · last updated 3 July 2026
Privacy Statement
Ryan Gao trading as Surfaced ("we") complies with the New Zealand Privacy Act 2020. This page says what we collect, why, where it goes, and your rights — without the legalese fog.
What we collect and why
- Website audits. When you (or anyone) runs a free check, we fetch the public pages of the entered website and store the resulting report so its permanent link works. We also keep a short-term record of the requesting IP address for rate limiting and abuse prevention.
- Email addresses you give us. If you ask for your report by email or join a waitlist, we store your address with a note of what you asked for. We use it only for that purpose and anything you separately opt into. Every email has an unsubscribe link; unsubscribes are honoured promptly and permanently.
- Publicly available business information. To build industry statistics and (in future) to tell relevant businesses about the service, we may collect information that businesses have made public — websites, listings on public registers such as the NZBN register, and contact details published in a business capacity. Where we collect information about you indirectly like this, this statement (and a note in any first contact) is how we make you aware of it, as the Privacy Act's IPP 3A requires. We record where and when each detail was collected.
- Account and billing data (paid plans). Handled by Stripe; we never see or store full card numbers.
Where your information is stored
We run on infrastructure provided by Vercel and Supabase, with email via Resend and payments via Stripe. Some of these providers store data outside New Zealand (including the United States). Under IPP 12 we only use providers whose safeguards are comparable to the Privacy Act's protections, bound by their published data-processing terms.
What we don't do
- We don't sell or rent personal information. Ever.
- We don't buy email lists or use address-harvesting software.
- We don't publish individual audit results with a business's name — public statistics are aggregated and anonymised.
Retention
Audit reports are kept so links keep working; raw fetch data isn't kept beyond what the report needs. Lead records are deleted on request or after prolonged inactivity. Rate-limit records expire within hours.
Your rights
You can ask what personal information we hold about you, ask us to correct it, or ask us to delete it: email hello@surfaced.co.nz. If we ever suffer a privacy breach likely to cause serious harm, we'll notify the Office of the Privacy Commissioner (NotifyUs) and affected people as the Act requires. Complaints can also go to the Privacy Commissioner at privacy.org.nz.