Privacy Policy
Last updated: May 21, 2026
This Privacy Policy describes how Superstellar LLC, operating as Serge, collects, uses, discloses, and protects personal data when you visit serge.ai or use our platform. It applies to all users worldwide. If anything is unclear, contact us at privacy@serge.ai.
01
Who we are
- Serge is operated by Superstellar LLC (“we”, “us”, “our”), registered office at Baarerstrasse 52, 6300 Zug, Switzerland, registered in the Commercial Register of the Canton of Zug.
- Controller — For your account information and your direct use of www.serge.ai (including the scanner, the workspace dashboard, and Investigate Mode), Superstellar LLC is the data controller.
- Processor — When a Customer installs the Serge tracking snippet on a Customer-owned site, the Customer is the data controller for the resulting visitor data and Superstellar acts as the data processor on the Customer's behalf. A Customer Data Processing Agreement, compliant with GDPR Art. 28 and the Swiss Federal Act on Data Protection (nFADP), is available on request to legal@serge.ai.
- For all privacy inquiries, contact us at privacy@serge.ai.
02
Information we collect
- Scan data — When you scan a domain, we crawl publicly-available resources (homepage, robots.txt, sitemap.xml, llms.txt, OpenAPI specs, structured data on the page) and store the resulting check results, scores, and domain.
- Account data — When you sign up for a Serge account (via Auth0), we receive your email address, name, and any additional identity claims you authorise your chosen identity provider to release. We use this to bind the account to a workspace.
- Workspace data — Workspaces hold the sites you register, snippet site IDs, invited members, billing state, and per-workspace configuration. We process this to operate the Service.
- Snippet event data — When you install Serge's tracking snippet (serge.js) on a Customer-owned site, the snippet emits agent-detection events to our ingestion API. The snippet is designed to be free of personal data by default: it does not set cookies, does not transmit form values, does not collect device identifiers usable for cross-site tracking, and processes raw behavioural signals client-side, sending only the resulting classification scores to the server.
- Replay session data — When you dispatch an active replay under Investigate Mode against a URL under your direction, we capture the agent's reasoning, navigation steps, DOM snapshots, screenshots, accessibility-tree snapshots, and network metadata for that single session. Replays do not capture data from sessions other than the one you initiated.
- Email addresses — When you request a full scan report or sign up for a Serge account, we collect your email address. This is personal data.
- Billing data — When you subscribe to a paid plan, Stripe processes your payment instrument; we receive only the metadata needed to operate billing (customer ID, subscription state, invoice records). We never receive or store full payment-card numbers.
- Technical and usage data — IP addresses for rate limiting (not persistently stored), browser and device information, and error data for debugging via Sentry (with personally-identifiable information scrubbed before transmission).
- Customer-directed processing — When a Customer submits a domain or URL as a scan target or as a replay target via Investigate Mode, the Customer directs us to crawl publicly-available resources at that target. Any personal data incidentally present in those resources (visitor reviews, agent reasoning that quotes target content, third-party page content) is processed under the Customer's direction; the Customer remains the controller for any further use of that data and is responsible for the lawfulness of the target submission under our Acceptable Use Policy.
- Snippet URL hygiene — The Customer is responsible for ensuring that pages where the Customer installs the Serge tracking snippet do not expose personal data in URL paths or query parameters, and for stripping sensitive parameters before snippet events are emitted. The Customer remains the controller of its visitors' personal data and is responsible for lawful collection, including any cookie / consent disclosure required on the Customer's own site.
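The two snippet obligations above (emit only classification scores, and strip personal data from the page URL before an event leaves the browser) are illustrated by the following added example. It is not Serge's serge.js and does not reflect the snippet's real payload shape; the parameter blocklist, the redaction patterns, the `siteId` and `scores` field names, and the `buildEvent` function are all assumptions chosen for illustration.

```javascript
// Added example, not Serge's serge.js: scrub personal data from the page URL
// before an agent-detection event is emitted, and emit only the client-side
// classification scores. The blocklist and patterns below are assumptions;
// a real site would tune them to its own query-parameter vocabulary.

// Query parameters that must never leave the browser (assumed list).
const SENSITIVE_PARAMS = new Set([
  'email', 'token', 'access_token', 'session', 'sid', 'password',
  'phone', 'name', 'ssn', 'code', 'reset', 'otp',
]);

// Values that are personal data or secrets wherever they appear in a URL.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const LONG_TOKEN_RE = /[A-Za-z0-9_-]{32,}/g; // opaque session tokens, JWT fragments

function scrubValue(value) {
  return value.replace(EMAIL_RE, 'REDACTED').replace(LONG_TOKEN_RE, 'REDACTED');
}

// Returns a copy of `href` with blocklisted query parameters removed, the
// fragment dropped, and email/token-shaped values redacted from the path and
// from the remaining query values. Never throws: an unparsable URL is reported
// as an opaque placeholder rather than sent as-is.
function sanitizeUrl(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return '[invalid-url]';
  }
  const kept = [];
  for (const [key, value] of url.searchParams) {
    if (!SENSITIVE_PARAMS.has(key.toLowerCase())) {
      kept.push([key, scrubValue(value)]);
    }
  }
  url.search = new URLSearchParams(kept).toString();
  url.hash = '';
  url.pathname = url.pathname.split('/').map(scrubValue).join('/');
  return url.toString();
}

// Builds the payload the snippet would POST to the ingestion API (assumed
// shape). Only the site ID, the sanitized URL and the classification scores
// cross the wire; raw behavioural signals (timings, pointer traces) stay
// in the browser, so the server never receives them.
function buildEvent(siteId, href, scores) {
  for (const [name, value] of Object.entries(scores)) {
    if (typeof value !== 'number' || value < 0 || value > 1) {
      throw new TypeError(`score ${name} must be a number in [0, 1]`);
    }
  }
  return {
    siteId,
    url: sanitizeUrl(href),
    scores: { ...scores },
    ts: Date.now(),
  };
}

// In the browser the call site would be
// buildEvent(SITE_ID, window.location.href, classifier.scores()).
```

The URL is normalised through the platform `URL` parser before any matching so that percent-encoded and raw forms of the same parameter are treated alike, and the fragment is dropped unconditionally because single-page apps frequently carry tokens there.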
03
How we use your information
- Service delivery — We use scan data to provide Serge scores, findings, and fix recommendations; snippet event data to power your workspace dashboard; and replay-session artifacts to render the replay you dispatched. Legal basis: performance of our contract with you (GDPR Art. 6(1)(b)).
- Communication — We send the full scan report to the email address you provide, transactional account messages (trial expiry, billing receipts, sub-processor changes), and other notices tied to your subscription. We do not send marketing emails unless you separately opt in. Legal basis: performance of contract (Art. 6(1)(b)).
- Billing — Stripe processes your payment instrument and issues invoices; we process the minimum metadata needed to operate the subscription. Legal basis: performance of contract (Art. 6(1)(b)) and legal obligation for accounting records (Art. 6(1)(c)).
- Security and abuse prevention — We use IP-based rate limiting, audit logging, and replay-safety scanning to protect the platform, your data, and the third-party sites we crawl on your behalf. Legal basis: legitimate interest in platform security (Art. 6(1)(f)).
- Product improvement — We use anonymized, aggregated usage analytics to understand how people use Serge and to improve the product. Legal basis: legitimate interest (Art. 6(1)(f)), balanced against your privacy through strict anonymization.
- Legal compliance — We may process data to comply with applicable laws, respond to lawful requests from public authorities, or establish, exercise, or defend legal claims. Legal basis: legal obligation (Art. 6(1)(c)) or legitimate interest (Art. 6(1)(f)).
04
Data sharing and sub-processors
- We do not sell your personal data. We do not share your data for advertising or cross-context behavioural targeting. We share data only with sub-processors strictly for the purposes of operating and maintaining the Serge service.
- The current list of sub-processors that handle Customer data on our behalf — together with each sub-processor's role, location, and certifications — is published at https://www.serge.ai/subprocessors. As of this version it includes Vercel (application hosting), Neon (PostgreSQL database), Auth0 / Okta (authentication), Anthropic (LLM API for replay reasoning and content moderation), Browserbase (managed headless browsers for replays), Fly.io (replay worker compute), Stripe (billing), Upstash (rate limiting and ephemeral caching), Sentry (error monitoring), and Resend (transactional email).
- Each sub-processor processes the minimum data necessary for its function and is bound by a data-processing agreement appropriate to its role.
- We will notify active customers at least 30 days before engaging a new sub-processor that processes personal data, giving you the opportunity to object before processing begins.
- Right to object — If you object to a new sub-processor that processes your personal data, notify us at privacy@serge.ai within the 30-day notice period. We will work with you in good faith to identify alternative arrangements. If we cannot accommodate your objection, you may terminate your paid subscription with effect at the end of the current billing period and receive a pro-rata refund of any prepaid fees for the remainder of that period.
- Business transfers — In the event of a merger, acquisition, reorganisation, sale of substantially all of our assets, or insolvency, personal data may be transferred to the successor or acquiring entity, subject to this Privacy Policy or an equivalent updated policy. Where required by applicable law, we will notify affected users in advance and they will retain their rights described in this Policy.
05
International data transfers
- Hosting and processing — The Service is primarily hosted on infrastructure located in the United States. Sub-processors operate from the United States, the European Union, the United Kingdom, and other jurisdictions; the current list together with each sub-processor's location and certifications is published at https://www.serge.ai/subprocessors.
- EU and EEA transfers — Where a sub-processor is certified under the EU-US Data Privacy Framework (DPF) adopted by Commission Decision (EU) 2023/1795, we rely on its DPF certification as the primary transfer mechanism. For sub-processors not DPF-certified, or for transfers to other third countries, we rely on the European Commission's Standard Contractual Clauses (SCCs, Decision (EU) 2021/914).
- United Kingdom transfers — For transfers from the United Kingdom we rely on the UK Extension to the EU-US Data Privacy Framework for DPF-certified sub-processors, and the UK International Data Transfer Addendum to the EU SCCs (ICO IDTA) otherwise.
- Switzerland transfers — For transfers from Switzerland we rely on the Swiss-US Data Privacy Framework for DPF-certified sub-processors, and on the Swiss Federal Data Protection and Information Commissioner (FDPIC)-approved Standard Contractual Clauses otherwise.
- Supplementary safeguards — In addition to the legal-transfer mechanisms above, we apply technical and organisational measures appropriate to the data being transferred, including encryption in transit (TLS 1.2 or higher) and at rest, role-based access controls, audit logging, and Data Processing Agreements that flow GDPR Article 28 obligations to each sub-processor.
- Transfer Impact Assessment — Following Schrems II (CJEU Case C-311/18) we have assessed, and periodically reassess, whether the legal framework of each destination country provides protection essentially equivalent to that under the GDPR and Swiss nFADP. Where a residual risk cannot be sufficiently mitigated, we either avoid the transfer or apply additional contractual or technical safeguards. A summary of our Transfer Impact Assessment is available on request to privacy@serge.ai.
- Copies of the applicable transfer mechanisms are available upon request at privacy@serge.ai.
06
Data retention
- Scan results — Scan scores, findings, and the submitted domain are retained indefinitely for benchmarking. Scans are associated with domains, not individuals. You may request deletion of scans you initiated by contacting privacy@serge.ai.
- Account and workspace data — Retained while your account is active and for up to 90 days after deletion to support reversal and audit.
- Snippet event data — Analytics events are retained for 24 hours on free workspaces, 12 months on Pro, and up to 24 months when the extended-retention PAYG add-on is active.
- Replay session data — Replay artifacts (screenshots, DOM snapshots, accessibility-tree snapshots, agent reasoning, network metadata) are retained for 90 days on Pro, and up to 180 days when the extended-retention PAYG add-on is active.
- Email addresses — Retained for report delivery and account follow-up. You may request deletion at any time by contacting privacy@serge.ai.
- Billing records — Stripe-stored billing data is retained per Stripe's own policy and our statutory accounting-record obligations (Swiss Code of Obligations art. 958f — ten years).
- Audit and abuse logs — Replay-safety events and platform audit logs are retained for up to 12 months as described in our Acceptable Use Policy.
- Error-tracking data — Retained for 90 days via Sentry.
07
Security measures
- Encryption — All data in transit is protected by TLS 1.2 or higher. Database storage is encrypted at rest via Neon’s managed encryption.
- Application security — Security headers (Content Security Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options) are enforced on all responses. Server-side input validation is applied at every boundary using Zod schemas. Rate limiting is enforced per endpoint.
08
Security incidents and breach notification
- Incident response — We maintain an incident-response process to identify, contain, investigate, and remediate security incidents affecting personal data.
- Notification to supervisory authorities — In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, in accordance with GDPR Art. 33, UK GDPR Art. 33, and Swiss nFADP Art. 24.
- Notification to data subjects — Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, we will notify affected data subjects without undue delay (GDPR Art. 34).
- Notification to Customers acting as controllers — Where Superstellar acts as processor on a Customer's behalf and a breach affects Customer-controlled data, we will notify the Customer without undue delay so that the Customer can comply with its own notification obligations.
09
Your privacy rights
- Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data. We honor these rights for all users regardless of location, to the extent permitted by applicable law.
- Right of access — You may request confirmation of whether we process your personal data and, if so, receive a copy of that data in a structured, commonly used format.
- Right to rectification — You may request correction of inaccurate personal data.
- Right to erasure — You may request deletion of your personal data.
- Right to restrict processing — You may request that we limit how we use your data while a dispute or request is being resolved.
- Right to data portability — You may request your data in a machine-readable format (JSON) for transfer to another service.
- Right to object — You may object to processing based on our legitimate interest.
- To exercise any of these rights, email privacy@serge.ai with your request. We will respond within 30 days.
- If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.
10
Additional rights for California residents
- If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.
- We do not sell personal information as defined by the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising.
- To exercise your California privacy rights, email privacy@serge.ai.
11
Provisions for Swiss residents
- For residents of Switzerland, we process personal data in compliance with the Swiss Federal Act on Data Protection (nFADP).
- The competent supervisory authority for data protection matters in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland.
12
International representatives
- We have not appointed a representative in the European Union under GDPR Art. 27, in the United Kingdom under UK GDPR Art. 27, or in Switzerland under nFADP Art. 14, because our processing of personal data of subjects in those regions is occasional, does not involve large-scale processing of special-category personal data under Art. 9 GDPR, and is unlikely to result in a risk to the rights and freedoms of data subjects (Art. 27(2)(a) GDPR exemption and equivalent provisions).
- EU, UK, and Swiss data subjects retain all rights described in this Policy and may exercise them directly with us at privacy@serge.ai or by post to Superstellar LLC, Baarerstrasse 52, 6300 Zug, Switzerland.
- Should our processing reach a scale or risk level that triggers a mandatory representative appointment, we will appoint one and update this Policy accordingly.
13
Cookies and similar technologies
- We do not use advertising cookies, retargeting pixels, social media tracking pixels, or any third-party tracking cookies on serge.ai. We do not participate in any advertising network.
- Essential cookies — When you sign in to a Serge account, our authentication provider (Auth0) sets a session cookie scoped to www.serge.ai. The cookie is set with the HttpOnly, Secure, and SameSite=Lax attributes. Removing it logs you out. Under the ePrivacy Directive this cookie is strictly necessary to deliver the service you requested and does not require consent.
- Analytics — Serge does not use third-party analytics tools on serge.ai. The product itself is an analytics tool for our customers; for our own internal observability we read directly from operational database tables (no external SDK, no client-side tracker on serge.ai).
14
Children’s privacy
- Serge is a business-to-business service designed for professional use by adults. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us at privacy@serge.ai.
15
Changes to this policy
- We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
- Material changes — We will notify you at least 30 days before the changes take effect via email and in-app notification.
- Your continued use of Serge after the updated policy takes effect constitutes acceptance of the changes.
16
Contact and supervisory authorities
- Privacy inquiries and rights requests — privacy@serge.ai
- General legal inquiries — legal@serge.ai
- Postal address — Superstellar LLC, Baarerstrasse 52, 6300 Zug, Switzerland
- Serge is operated by Superstellar LLC, registered in the Commercial Register of the Canton of Zug, Switzerland.