1. Who We Are

Superficial Company Pty Ltd

58 Latrobe Terrace

Paddington, QLD 4064

Australia

legal@superficial.org

We are subject to the Privacy Act 1988 (Cth) in Australia and comply with applicable international privacy laws including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

2. What We Collect

3. How We Use Your Data

We use your data to:

We do not use your data to train models unless explicitly stated and agreed to.

• Provide and operate the services
• Respond to your requests or enquiries
• Monitor and improve system performance
• Prevent fraud, abuse, and misuse
• Enforce our terms and comply with legal obligations

4. Lawful Bases for Processing (GDPR)

If you are in the European Economic Area, the United Kingdom, or other GDPR jurisdictions, we process your data based on:

• Your consent (e.g. when subscribing or contacting us)
• Performance of a contract (e.g. providing our services)
• Legitimate interests (e.g. fraud prevention, service improvements)
• Legal obligations (e.g. responding to lawful requests)

5. Your Rights Under GDPR

If you are an EU/EEA/UK resident, you have the right to:

You may contact us at legal@superficial.org to exercise these rights.

You also have the right to lodge a complaint with your local data protection authority.

• Access personal data we hold about you
• Correct inaccuracies
• Request erasure (right to be forgotten)
• Restrict or object to processing
• Port your data to another provider
• Withdraw consent at any time

6. Your Rights Under CCPA / CPRA

If you are a California resident, you have the right to:

To exercise your rights, email legal@superficial.org. We will not discriminate against you for exercising these rights.

• Know what categories of personal data we collect and why
• Request access to specific personal data
• Request deletion of your personal data (subject to exemptions)
• Opt out of sale or sharing of personal data (we do not sell data)
• Correct inaccurate data
• Limit use of sensitive personal information (we do not collect any)

7. Data Retention

We retain personal data only as long as necessary to:

Where possible, data is anonymised or deleted when no longer needed.

• Provide the services
• Comply with legal and contractual obligations
• Resolve disputes and enforce our agreements

8. Security

We use appropriate technical and organisational security measures to protect your data, including encryption in transit, access controls, and audit logging. However, no system is 100% secure.

9. International Transfers

Data may be processed outside your country, including in jurisdictions that may not offer the same level of protection. When required, we use legally approved mechanisms (e.g., Standard Contractual Clauses) to safeguard international data transfers.

10. Subprocessors

We may engage trusted third-party service providers (e.g., cloud infrastructure, authentication, analytics). These providers are contractually required to protect your data and may only use it to perform services on our behalf.

A current list of subprocessors can be requested via legal@superficial.org.

11. Children

Our services are not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has submitted data, contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will post changes on this page and revise the “Effective Date” above. If changes are material, we may notify you directly via email or the service.

13. Contact Us

Superficial Company Pty Ltd

legal@superficial.org

58 Latrobe Terrace

Paddington, QLD 4064

Australia