Surface Layer AI

Privacy Policy

Effective Date: February 3, 2026
Last Updated: February 3, 2026

Introduction

Surface Layer AI Inc. ("Surface Layer AI," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our websites, platforms, and services (collectively, the "Services").

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our practices, please do not use our Services.


Table of Contents

  1. Information We Collect
  2. How We Use Your Information
  3. How We Share Your Information
  4. Data Retention
  5. Security Measures
  6. International Data Transfers
  7. Your Privacy Rights
  8. Cookies and Tracking Technologies
  9. Third-Party Links and Services
  10. Children's Privacy
  11. Changes to This Privacy Policy
  12. Contact Us

1. Information We Collect

We collect information that you provide directly to us, information we obtain automatically when you use our Services, and information from third-party sources.

1.1 Information You Provide to Us

Account Information

  • Full name
  • Email address
  • Password (stored in hashed format)
  • Organization or company name
  • Job title or role
  • Phone number (optional)
  • Single sign-on (SSO) provider credentials

Business Information

  • Industry and company size
  • Use case descriptions
  • Professional social media profiles (e.g., LinkedIn)
  • Billing and payment information (processed by third-party payment processors)

Content and Files

  • Data files, datasets, and documents you upload
  • Customer data, transaction records, and behavioral data
  • Product catalogs and configuration files
  • Simulation parameters and model configurations
  • AI agent training data and custom prompts

Communications

  • Messages sent through our support channels
  • Email correspondence
  • Survey responses and feedback
  • Feature requests and bug reports
  • Event registration information

1.2 Information Collected Automatically

Usage Information

  • Pages visited and features accessed
  • Simulation run metadata (number of agents, runtime duration, compute resources used)
  • Clickstream data and navigation patterns
  • Search queries within the platform
  • Time and date of access
  • Referring and exit pages

Device and Technical Information

  • IP address and geolocation data
  • Browser type and version
  • Operating system and device type
  • Device identifiers (where applicable)
  • Screen resolution and display settings
  • Network connection type

Performance and Diagnostic Data

  • Error logs and crash reports
  • Performance metrics and load times
  • API call logs and response times

1.3 Information from Third Parties

Authentication Providers

  • Profile information from SSO services (Google Workspace, Microsoft Entra ID, Okta)

Business Partners

  • Lead generation and marketing platform data
  • Event attendance records

AI Service Providers

  • Model execution logs from providers such as OpenAI and Anthropic
  • API usage and performance metrics

Public Sources

  • Publicly available business information
  • Professional profile data from business networking sites

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 To Provide and Maintain Our Services

  • Create and manage your account
  • Authenticate your identity and authorize access
  • Process and execute AI simulations
  • Generate reports, analytics, and visualizations
  • Store and manage your data and simulation outputs
  • Provide customer support and respond to inquiries

2.2 To Improve and Develop Our Services

  • Analyze usage patterns and user behavior (in aggregate or de-identified form)
  • Develop new features and functionality
  • Conduct research and development
  • Train and improve AI models and algorithms
  • Test and optimize platform performance
  • Conduct quality assurance and debugging

2.3 To Communicate With You

  • Send transactional emails (account notifications, password resets, security alerts)
  • Provide service updates and maintenance notices
  • Send marketing communications (with your consent)
  • Conduct surveys and request feedback
  • Announce new features and product releases

2.4 For Security and Fraud Prevention

  • Detect, prevent, and investigate fraud, abuse, and security incidents
  • Monitor for unauthorized access and suspicious activity
  • Enforce our Terms of Service and other policies
  • Maintain audit logs and access controls
  • Conduct security assessments and penetration testing

2.5 For Legal and Compliance Purposes

  • Comply with applicable laws, regulations, and legal processes
  • Respond to lawful requests from government authorities
  • Protect our rights, property, and safety, and that of our users
  • Resolve disputes and enforce agreements

2.6 Legal Basis for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

  • Contractual Necessity (GDPR Art. 6(1)(b)) — to perform our contract with you and provide the Services
  • Legitimate Interests (GDPR Art. 6(1)(f)) — for purposes such as security, fraud prevention, service improvement, and business analytics, where our interests are not overridden by your rights
  • Consent (GDPR Art. 6(1)(a)) — for marketing communications and non-essential cookies (you may withdraw consent at any time)
  • Legal Obligation (GDPR Art. 6(1)(c)) — to comply with legal requirements

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We share your information only in the following circumstances:

3.1 Service Providers and Sub-Processors

We engage trusted third-party companies to perform functions on our behalf, including:

  • Cloud infrastructure and hosting (Amazon Web Services)
  • Database services (Supabase, PostgreSQL)
  • AI model providers (OpenAI, Anthropic)
  • Payment processing (Stripe)
  • Email delivery and communications (SendGrid, Postmark)
  • Analytics and monitoring (Mixpanel, Sentry)
  • Customer support (Intercom, Zendesk)

These service providers are contractually obligated to:

  • Process data only on our instructions
  • Maintain appropriate security measures
  • Use data solely to provide services to us
  • Not disclose data to unauthorized parties

A current list of sub-processors is available at occamai.com/subprocessors and is updated regularly.

3.2 Within Your Organization

If you are using Surface Layer AI on behalf of an organization (enterprise customer):

  • Authorized users within your organization may access simulation outputs and shared resources
  • Organization administrators may view usage statistics and manage user permissions
  • Personal data remains isolated and is not shared across organizational boundaries without authorization

3.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. You will receive notice via email and/or prominent notice on our website of any such change in ownership or control, along with choices you may have regarding your information.

3.4 Legal Requirements and Protection of Rights

We may disclose your information if required to do so by law or if we believe in good faith that such action is necessary to:

  • Comply with legal obligations, court orders, or government requests
  • Protect and defend our rights or property
  • Investigate and prevent fraud, security issues, or technical problems
  • Protect the safety and rights of our users or the public
  • Respond to lawful requests from public authorities, including national security or law enforcement

3.5 With Your Consent

We may share your information with third parties when we have your explicit consent to do so.

3.6 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This includes industry benchmarks, usage statistics, and research findings.


4. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Data: Retained for the duration of your account plus 90 days after closure (unless earlier deletion is requested)

Simulation Data: Retained according to your subscription plan; you may delete datasets at any time through your dashboard or by contacting support

Backup Data: Automatically purged on a 35-day rolling cycle

Communication Records: Retained for up to 7 years for legal and compliance purposes

Logs and Analytics: Retained for up to 2 years in identifiable form; may be retained indefinitely in aggregated or anonymized form

When you request deletion of your data, we will delete or anonymize it within 30 days, except where retention is required by law or necessary to resolve disputes, enforce agreements, or maintain security.


5. Security Measures

We implement comprehensive security measures designed to protect your information from unauthorized access, use, alteration, and destruction. Our security program is aligned with SOC 2 Type II standards and includes:

Technical Safeguards

  • Encryption in transit using TLS 1.3
  • Encryption at rest using AES-256
  • Multi-factor authentication (MFA) options
  • Secure credential storage and hashing (bcrypt, Argon2)
  • Regular security patching and updates

Organizational Safeguards

  • Role-based access controls (RBAC) and principle of least privilege
  • Employee background checks and security training
  • Confidentiality agreements for all personnel
  • Dedicated security team and incident response procedures

Physical Safeguards

  • Secure data center facilities (via AWS and other cloud providers)
  • Environmental controls and monitoring

Monitoring and Testing

  • Continuous vulnerability scanning
  • Annual third-party penetration testing
  • Security information and event management (SIEM)
  • Real-time threat detection and alerting
  • Comprehensive audit logging

Data Isolation

  • Dedicated, isolated database environments per customer (where feasible)
  • Logical separation of customer data
  • Secure multi-tenancy architecture

While we take reasonable measures to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you acknowledge this when using our Services. Please protect your account credentials and notify us immediately of any unauthorized access.


6. International Data Transfers

Surface Layer AI is headquartered in the United States, and our servers and service providers are primarily located in the United States. If you access our Services from outside the United States, your information will be transferred to, stored in, and processed in the United States and other countries where our service providers operate.

For Users in the EEA, UK, and Switzerland:

We comply with applicable data protection laws regarding international data transfers. When we transfer personal data outside the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions recognizing equivalent data protection in the destination country
  • Supplementary measures to ensure data protection, including encryption and access controls
  • Your explicit consent where applicable

You may request a copy of the safeguards we have in place for international transfers by contacting us at privacy@occamai.com.


7. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

7.1 General Rights

Right to Access: Request confirmation of whether we process your personal data and obtain a copy of that data

Right to Rectification: Request correction of inaccurate or incomplete personal data

Right to Deletion: Request deletion of your personal data, subject to certain exceptions (e.g., legal obligations, legitimate interests)

Right to Restrict Processing: Request limitation on how we process your data in certain circumstances

Right to Data Portability: Receive your personal data in a structured, machine-readable format and transmit it to another controller

Right to Object: Object to processing based on legitimate interests or for direct marketing purposes

Right to Withdraw Consent: Where we process data based on consent, you may withdraw it at any time (without affecting prior lawful processing)

Right to Lodge a Complaint: File a complaint with your local data protection authority if you believe we have violated your privacy rights

7.2 California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: Request information about the categories and specific pieces of personal information we collect, the sources, purposes, and third parties with whom we share it

Right to Delete: Request deletion of personal information we have collected, subject to exceptions

Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising

Right to Correct: Request correction of inaccurate personal information

Right to Limit Use of Sensitive Personal Information: Request limitations on use of sensitive personal information (where applicable)

Right to Non-Discrimination: Exercise privacy rights without receiving discriminatory treatment

We do not "sell" personal information as defined by the CCPA. To the extent we "share" information for cross-context behavioral advertising, you may opt out by contacting us or adjusting your cookie preferences.

Authorized Agents: California residents may designate an authorized agent to submit requests on their behalf. We will require verification of both the agent's authority and your identity.

7.3 Nevada Privacy Rights

Nevada residents may opt out of the sale of certain covered information. We do not currently sell covered information as defined under Nevada law. If our practices change, we will update this Privacy Policy and provide Nevada residents with appropriate opt-out mechanisms.

7.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

  • Email: privacy@occamai.com
  • Web Form: occamai.com/privacy-request
  • Mail: Surface Layer AI Inc., Attn: Privacy Team, 123 Innovation Drive, Suite 500, San Francisco, CA 94105

We will verify your identity before processing your request and respond within the timeframe required by applicable law (typically 30-45 days). In some cases, we may need additional information to verify your identity or clarify your request.


8. Cookies and Tracking Technologies

We use cookies, web beacons, local storage, and similar technologies to collect information and provide functionality.

8.1 Types of Technologies We Use

Cookies: Small text files stored on your device that help us recognize you and remember your preferences

Web Beacons (Pixels): Small graphic images embedded in emails or webpages to track user behavior

Local Storage: Browser-based storage for larger amounts of data

Session Storage: Temporary storage that expires when you close your browser

Analytics Tags: Code snippets that collect usage data for analytics platforms

8.2 Categories of Cookies

Strictly Necessary Cookies

  • Essential for the operation of our Services
  • Enable core functionality like authentication and security
  • Cannot be disabled without breaking core features

Functional Cookies

  • Remember your preferences and settings
  • Provide enhanced features and personalization
  • Store language, theme, and dashboard configurations

Performance and Analytics Cookies

  • Measure website traffic and user behavior
  • Help us understand how users interact with our Services
  • Improve platform performance and user experience
  • Examples: Google Analytics, Mixpanel

Marketing and Advertising Cookies

  • Track your browsing across websites
  • Deliver targeted advertising and measure campaign effectiveness
  • Used only with your consent
  • Examples: Google Ads, LinkedIn Ads

8.3 Managing Cookies

You can control cookies through:

  • Our cookie banner displayed when you first visit our website
  • Your account settings for logged-in users
  • Your browser settings to block or delete cookies

Note: Disabling certain cookies may limit functionality and affect your user experience. Strictly necessary cookies cannot be disabled through our cookie banner but can be blocked through browser settings.

Do Not Track: Our Services do not currently respond to Do Not Track (DNT) signals. We will update this Policy if we implement DNT support in the future.

8.4 Third-Party Analytics and Advertising

We use third-party analytics and advertising services that may collect information about your online activities over time and across different websites. These services are subject to their own privacy policies:

You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.


9. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, and services that are not operated by us. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices.

We encourage you to review the privacy policies of any third-party services before providing them with your personal information. The inclusion of links does not imply our endorsement of those services.

Examples of Third-Party Services:

  • SSO providers (Google, Microsoft, Okta)
  • Payment processors (Stripe)
  • AI model providers (OpenAI, Anthropic)
  • Cloud infrastructure (AWS)

10. Children's Privacy

Our Services are not directed to individuals under the age of 16 (or under 13 in the United States, or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@occamai.com. We will promptly investigate and delete such information from our systems.

If we learn that we have collected personal information from a child without appropriate consent, we will take steps to delete that information as quickly as possible.


11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notice of Material Changes:

  • We will notify you of material changes by email (to the address associated with your account) and/or by posting a prominent notice on our website
  • Material changes will take effect 30 days after notice is provided
  • Your continued use of our Services after the effective date constitutes acceptance of the updated Policy

Notice of Non-Material Changes:

  • We will update the "Last Updated" date at the top of this Policy
  • Non-material changes (such as clarifications or administrative updates) take effect immediately upon posting

We encourage you to review this Privacy Policy periodically. You can see the history of changes and previous versions at occamai.com/privacy-history.


12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Surface Layer AI Inc.
Attn: Privacy Team
123 Innovation Drive, Suite 500
San Francisco, CA 94105
United States

Email: privacy@occamai.com
Privacy Request Form: occamai.com/privacy-request
Phone: +1 (415) 555-0100

Data Protection Officer (EEA/UK):
For users in the EEA or UK, you may contact our Data Protection Officer at: dpo@occamai.com

Response Time: We aim to respond to all privacy inquiries within 5 business days and will resolve requests within the timeframe required by applicable law.


Your privacy matters to us. Thank you for trusting Surface Layer AI with your information.