Privacy Policy 2022
Surf values your privacy. This section sets out the Privacy Policy which applies to our Surf mobile application and our website It explains what personal information we collect from users of our Service and what we do with that information. We update our policy from time to time, and recommend for you to revisit our website regularly to see the latest copy of our Privacy Policies.

Any changes will come into effect when the updated Privacy Policies are posted to the website. We have created these Privacy Policies to demonstrate our commitment to protecting your privacy and to disclose our information and privacy practices for our website, our software and our services.

If you have any further questions about our Privacy Policies, email us at

1. Who are we?
This Service is operated by Surf Ltd. “Surf”, which is a company registered in England and Wales with company number 13752730. Its registered office is at 139, 15 Bessemer Place, London, SE10 0GQ.

2. Collection and Use of Personal Data
Personal data is collected by us when you sign up for an account to use our Service, when you contact us through a contact form or send us an email. If, in that email or any attachment to the email, you voluntarily provide us with personally identifiable information about yourself, such as your name, email, address or telephone number, we will collect and store that personal information. By signing up to an account, or by using the contact form, you consent to us doing so.

In order to use our Services, each user must voluntarily submit to us one or the other means of ID verification. We consider this, alongside the other information relating to user identity and interests, as sensitive personal data, and take steps to process and protect it as such.

Other information that we may collect from you or you provide to us includes:
a) The frequency and extent of your use of our app.
b) Information about any requests that you might submit to us through the Surf Bar, as well as those existing requests you might match with via the Shoreline
c) Information about your interactions with the vendors that we advertise to you through the app, including your visits to your personal Vendor’s Index and any actions (including click throughs and blacklisting) you might take there.
d) Other communications that you send to us for example for email or a contact form on our website.
e) Information collected from surveys that we may send to you from time to time about your experience or preferences when using our Services
f) Information contained in a CV if you are applying to one of our vacant job positions

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

3. Control and Processing of Personal Information
We process personal data on behalf of our customers, who use our Service to gather information about an application made to them. However, when we Surf, do this we do so as a Data Controller under UK and EU data protection law. This means that we may make independent decisions about how personal information is processed in order to provide the Services to our users and customers. For example, we may store your personal information in our user database, and on our servers, and customer relationship management software in order to record and process your personal data so as to be able to provide you with the Service that you have subscribed for or purchased from us.

4. Sharing of Personal Information
Surf will operate an advertising service that will display to a given user a selection of curated vendors whose respective goods and services are of direct and demonstrable pertinence to the requests and matching profile of the user in question — for instance, a user who has requested and/or matched in the categories of golf, rock music and European travel will see advertisements that are of clear relevance to these categories.

Relative to those vendors with whom we work, Surf holds all user data in the strictest trust. We will not disclose any of your personal information to third party vendors either for the purposes of facilitating vendor-user matching or for the purposes of supplying batched user behavioural analysis.

Your personal information will be disclosed only to those third party suppliers whose products and services are vital to the operation of our own services, to the extent that such data storage may count as a disclosure. It may also be handled by employees and agents of Surf for the purposes of communicating with you, the user.

As a result of us disclosing your personal information to any of the parties mentioned above, you consent to your personal information being held by us and additionally by the parties mentioned above for the purposes of providing the Service.We will not disclose your personal information to anyone other than those parties set out within this Privacy Policy without your consent unless the law requires us to do so.

5. Device Privacy
We will not collect information about your computer or device, including your IP address, operating system and browser type, for any purpose beyond such system administration as is absolutely necessary to operate our services.

Information about our use of cookies can be found in our Cookies Policy. For example, we use Google Analytics to understand how users are using our website so that we can improve it.

6. Data Sanctity
We take the security and disclosure of personal information very seriously and as such we will not sell, trade, rent or otherwise provide personal information sent to us via the Service to any third parties through any transactional agreement. Your personal information, including request data, will be used to allocate vendors to your account, but no such vendor will have access to your personal data.

We are mindful of the importance of upholding the security of information under our control. All data collected through our website that is stored electronically on secure servers, and we have stringent security and confidentiality procedures covering the storage and disclosure of such information, in accordance with UK data protection law.

We endeavour to take all reasonable steps to protect the privacy of your personal information. However, we cannot guarantee the security of any personal information you disclose online. As a user of Surf, you accept the inherent security risks of providing information and performing transactions over the Internet, and will not hold us responsible for any breach of security, unless this is probably due to our negligence or wilful default.

7. Other Websites
Some websites that have links to and from our website or app may from time to time collect personal information about you when you access or utilise those links. We do not control the collection or use of such information, and the practices of those websites are not covered by this Privacy Policy.

Some websites that have links to and from our website from time to time may also use their own cookies. We have no access to, or control over these cookies, and you are advised to check the cookie policies on such other websites or to amend your website browser's settings with respect to cookies accordingly.

If you visit a website that has been linked to from our website, you should review the privacy and cookies policies of that website or service in order to understand how that website or service is using any personal information that they have collected.

8. Indemnity
By using our Service, you agree to indemnify and hold harmless Surf from and against any and all losses, claims, damages, costs and expenses (including reasonable legal and accounting fees) that we may become obliged to pay, arising or resulting from your use of our website, the content, or your breach of this Privacy Policy and the Terms of Use of which they are a part. Surf reserves the right to assume or participate, at your expense, in the investigation, settlement and defense of any such action or claim.

9. Your Legal Rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:
a) Request access to your personal data.
b) Request correction of your personal data.
c) Request erasure of your personal data.
d) Object to processing of your personal data.
e) Request restriction of processing your personal data.
f) Request transfer of your personal data.
g) Right to withdraw consent.

If you wish to exercise any of the rights set out above, please contact us.

No fee will commonly be required to have any action as listed above performed. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your data request is particularly complex or you have made a number of such requests. In this case, we will notify you and keep you updated.

If you have any questions about our processing of personal information, or the rights set out in these Privacy Policies and how to exercise them you can write to:
The Data Protection Officer
Surf Limited
139, 15 Bessemer Place,
London, SE10 0GQ

Or, you may send an email, with the subject line ‘For the Attention of the Data Protection Officer’, to

10. Glossary

Legitimate Interest
means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.


You have the right to:
Request access
to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it infringes on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
a) if you want us to establish the data's accuracy;
b) where our use of the data is unlawful but you do not want us to erase it;
c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

How We Contact Customers
This page provides information about how we use and share personal data relating to our customer contacts and their representatives.
1. What We Use Personal Data For
This section explains the purposes for which we use personal data about our customer contacts and their representatives.

We use personal data for marketing purposes. This includes informing you about products and services that we think may be of interest to you and providing you with related materials such as news items and blog posts. We would contact you for marketing purposes by email, telephone or post with your consent and would stop any such communication upon your request. You might also be contacted through any channel for other purposes – for example, as part of our ordinary relationship management activity and as necessary to deliver the Service.

Vendor allocation
We use your personal data — specifically, your request/matching profile and your location — to allocate the most relevant and useful possible vendors to you. Using this data allows us to be confident that we are showing you adds that are appropriate to your interests that you will hopefully find interesting and useful relative to the subject interests you have made evident through using our platform.No data used to allocate vendors to you, the user, will be passed on to any of the vendors in question.

Relationship management
We use personal data for relationship management purposes. Relationship management is the ongoing maintenance of our relationship with our customers. This could include activities such as letting you know about product changes or planned maintenance activity, contacting you with billing enquiries, dealing with your enquiries, or asking you for feedback or about what sorts of products, services you want us to develop.

Providing services
Sometimes we might need to use your personal data to provide you with information, services and facilities that you have asked for. For example, if you ask us for more information about one of our apps or ask for assistance.

Monitoring and improving our Service
We may use information such as how different people navigate around our mobile apps and websites, how long they spend on particular pages, how and when they interact with our Service, whether they download any of our content or watch videos in order to help improve the user experience of our Service offerings and your experience of them.

2. Our Legal Grounds for Handling Personal Data
Generally speaking, we rely on your consent to make contact with you by email for marketing purposes. You can withdraw that consent and ask us to delete your information at any time by contacting us directly via – please see section 6 below.

The United Kingdom’s data protection law also allows the use of personal data where the benefits (or “legitimate interests”) of doing so outweigh the possible negative implications for the relevant individuals. These are the grounds on which we usually rely when we use your information for anything other than making contact with you by email for marketing purposes with your consent.

In some circumstances, we may have other grounds to process personal data for example:
a) Necessary for performance of a contract with the relevant individual, or to take steps for entering into a contract. For example, if you download our app, it will often be necessary for us to use your details in order to provide that product or service and you must consent to our use of your details to the extent required to provide that product or service in order to use that product or service.
b) Necessary in order to comply with a legal obligation. For example, some regulators, government bodies and courts have powers to order us to provide personal information and, like any other organisation, we sometimes have to comply with their requests and we whilst we may make commercially reasonable efforts to defend personal information from unjustified regulatory or governmental access, we cannot make any guarantee about the extent to which we are able to do so.

3. Who We Share Personal Information With
Your personal data may be shared between the employees and agents of Surf Ltd. and any of its group companies to allow them to perform their job functions and current or future members of Surf Ltd’s group companies and their employees and agents.

We also provide your information to third parties who help us use it to deliver the service. For example:
a) We use AWS to host our servers.
b) We use analytics providers including Google Analytics and Firebase.
c) We use mailing and communication providers to send personalised emails and push notifications. These services include Zapier and ExpoWe use remarketing and conversion tracking tools provided by Google AdWords, Facebook Pixel, please see our cookies policy for more information about these.
d)Our database of personal data may be hosted by, but not accessible to, third parties on our behalf.

These service providers will not be allowed to use your information for their own purposes or on behalf of other organisations and we have taken contractual and operational steps to protect any personal data shared for these purposes with third parties.

4. Where Your Information is Sent
We are based in the United Kingdom, and will normally access and use your information from here. However, we also have operations in Turkey and the United States and personal data may be accessed from there too.

For that reason, in providing services to you, we may transfer your personal data outside of the EU. By using the Service you consent to our doing so. When we do so we ensure that we have adequate contractual and procedural measures in place to protect any such transfers of personal data outside the EU.

5. How Long Data is Retained
We will normally retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. You can request us to delete it any time as explained in your legal rights.

How Your Login Data is Handled
This section sets out the Privacy Policy which applies to the health data we obtain about you in delivering our Service. It explains what security measures we have in place, how we store log-in credentials and what personal information we collect from users of our software.

1. Security
We maintain our servers in a highly secure server environment with 24 X 7 monitoring, surveillance and support to prevent unauthorised access and data security. Advanced security measures including firewalls, security guards and surveillance are taken to ensure the continued service and protection of our services from natural disaster, intruders and disruptive events.

2. Passwords & Login Credentials
Your passwords and other login credentials may pass through Surf servers or those of its service provider partners, in particular our server provider which is ___. When you enter this confidential information, it goes straight to the secure website.Neither Surf’s employees nor any of its contractors or service provider partners can obtain or access your passwords or other login credentials entered by you. We will also never ask you for your passwords or other login credentials via mail, email or telephone or in any other unsolicited manner and you should not give them out to someone claiming to be from Surf who is asking for them.

3. The Information We Collect
Our Service collects, encrypts and securely transfers confidential, personal information. By accessing the Service and entering information required from time to time to complete a form on our website or in our Service customers consent to Surf providing this service to service provider partners.

We collect and log aggregate user statistics and website traffic. Such information includes traffic statistics, date and time of visits, device and browser type used to access the service, frequency of visits, etc.  We use this information to improve the services delivered to our customers, to track and diagnose software performance problems and to administer our website. We may disclose such aggregated user statistics in order to describe our services to prospective partners, investors, affiliates and other third parties for lawful purposes.

Other than as required by your service provider and agreed by you or as disclosed in this Privacy Policy, at no time will Surf disclose identifiable personal information to any third parties without your express, written consent unless we are compelled or required to do so by law.If you have any further questions about our Privacy Policies, email us at

Surf’s Cookies Policy
This section provides information about how we use cookies on the Surf app and on our website,

1. What are cookies?
A cookie is a small file of letters and numbers that we put on your device when you browse our website.

2. What we use cookies for
We use “analytical” cookies only. They allow us to recognise and count the number of visitors to our website and to see how visitors move around the website as well as customise content and monitor conversion. This helps us to provide visitors with a better experience and improve the way our websites work, for example by ensuring that visitors are finding what they are looking for easily.Our cookies are not used to collect information which (by itself) allows us to identify who you are.

3. Controlling cookies
Most web browsers allow some control of most cookies through the browser settings. For more information on this, and more information about cookies in general, you may wish to visit For information about how to delete cookies from your mobile device you may need to refer to your handset manual.Please be aware that restricting cookies is likely to affect your ability to use our websites effectively and may make areas of our websites inaccessible or inoperable.