Personal Information: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household.

Consumer: A natural person who is a California resident, as defined by California law, regardless of temporary absence from the state.

Sensitive Personal Information: Specific categories of personal information granted additional protections under CPRA, including government identifiers, precise geolocation, biometric data, health information, and other specified categories.

Sale/Sharing: Exchange of personal information for monetary or other valuable consideration, or sharing for cross-context behavioral advertising purposes.

Covered Activities: This notice applies to all personal information collected from California residents through our website and related online services.

Excluded Information: This notice does not cover information exempt under CCPA, including:

• Publicly available information from government records
• De-identified or aggregated consumer information that cannot reasonably identify individuals
• Information collected in certain business-to-business contexts (subject to specific CCPA timelines)

In the 12 months preceding the effective date of this notice, SureFlow has collected only very limited categories of personal information from California residents. We maintain a minimal data collection approach focused exclusively on website functionality, security, and performance optimization.

Category A - Identifiers: We do not collect real names, aliases, postal addresses, email addresses, account names, Social Security numbers, driver's license numbers, passport numbers, or other similar direct identifiers.

Category B - Personal Information Categories: We do not collect telephone numbers, education records, employment history, bank account numbers, credit card numbers, or other financial information.

Category C - Protected Classification Characteristics: We do not collect information about age, race, color, ancestry, national origin, citizenship, religion, marital status, medical condition, physical or mental disability, sex, sexual orientation, veteran status, or genetic information.

Category D - Commercial Information: We do not collect records of personal property, products or services purchased, or other purchasing or consuming histories or tendencies.

Category E - Biometric Information: We do not collect genetic, physiological, behavioral, or biological characteristics, or activity patterns used for identification purposes.

Category H - Sensory Data: We do not collect audio, electronic, visual, thermal, olfactory, or similar sensory information.

Category I - Professional/Employment Information: We do not collect current or past job history or performance evaluations.

Category J - Non-Public Education Information: We do not collect education records directly related to students maintained by educational institutions.

Category K - Inferences: We do not create profiles reflecting consumer preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.

Direct Collection: All personal information is collected directly from California residents' devices when they visit and interact with our website through:

• Automated Systems: Server logs and analytics systems that automatically capture technical information
• Cookies and Similar Technologies: Essential cookies for website functionality and optional analytics cookies
• User Interactions: Information generated through normal website browsing and navigation

No External Data Sources: We explicitly do not obtain personal information from:

• Data Brokers: Commercial data compilation services or information resellers
• Advertising Networks: Third-party advertising platforms or behavioral targeting services
• Social Media Platforms: Facebook, LinkedIn, Twitter, Instagram, or other social networks
• Government or Public Records: Publicly available databases or official records
• Other Third-Party Sources: Marketing companies, analytics providers, or data aggregators

Website Analytics and Performance Optimization:

• Traffic Analysis: Understanding visitor patterns, popular content, and user engagement levels
• Performance Monitoring: Measuring page load times, error rates, and system availability
• User Experience Research: Identifying navigation issues, usability problems, and improvement opportunities
• Content Optimization: Determining most effective content types and presentation methods

Security Monitoring and Protection:

• Threat Detection: Identifying unusual traffic patterns that may indicate malicious activity
• Fraud Prevention: Detecting and preventing unauthorized access attempts and security breaches
• System Integrity: Monitoring for attacks, malware, or other security threats
• Incident Response: Investigating and responding to security incidents and vulnerabilities

Technical Support and System Maintenance:

• Compatibility Assurance: Ensuring website functionality across different browsers, devices, and operating systems
• Error Diagnosis: Identifying and resolving technical issues, broken links, and system malfunctions
• Capacity Planning: Understanding usage patterns for infrastructure scaling and resource allocation
• Quality Assurance: Testing new features and ensuring consistent user experience

Business Intelligence and Development:

• Market Research: Understanding general demographic patterns and regional preferences at aggregate level
• Strategic Planning: Informing business decisions about content, services, and geographic focus
• Compliance Monitoring: Ensuring adherence to accessibility standards and regulatory requirements
• Performance Benchmarking: Comparing website performance against industry standards and best practices

No Prohibited Uses: We do not use collected information for:

• Individual Profiling: Creating detailed personal profiles or behavioral analyses of individual consumers
• Behavioral Targeting: Targeting specific advertisements or content based on individual behavior patterns
• Cross-Context Tracking: Following consumers across different websites or applications
• Automated Decision-Making: Making automated decisions that significantly affect individual consumers
• Data Sales: Selling or licensing personal information to third parties for any purpose

No Third-Party Sharing: SureFlow does not share personal information with any external parties, including:

• Service Providers: All analytics and processing conducted internally without external service providers
• Business Partners: No sharing with affiliates, joint venture partners, or business associates
• Advertising Networks: No integration with advertising platforms or behavioral targeting services
• Data Brokers: No sales, licensing, or transfers to commercial data compilation services

No Sales in Past 12 Months: SureFlow has not sold personal information of California residents in the preceding 12 months and has no intention of selling personal information in the future.

No Sharing for Advertising: SureFlow has not shared personal information for cross-context behavioral advertising in the preceding 12 months.

Formal "Do Not Sell" Disclosure: This notice serves as SureFlow's required disclosure that we do not sell or share personal information as defined under CCPA/CPRA.

Potential Future Arrangements: Should we engage third-party service providers in the future for technical operations (hosting, cybersecurity, system maintenance), such arrangements would include:

• Contractual Protections: Written agreements limiting data processing to documented instructions
• Security Requirements: Implementation of appropriate technical and organizational safeguards
• Confidentiality Obligations: Binding confidentiality requirements for all personnel with data access
• Regulatory Compliance: Full adherence to CCPA/CPRA and other applicable privacy regulations

Notification Commitment: We will update this CCPA Notice and provide appropriate notification before engaging any third-party service providers with access to California resident personal information.

Visitor Identification Hashes:

• Retention Period: Maximum 24 hours from creation
• Deletion Method: Automatic, permanent deletion using secure erasure protocols
• Purpose: Enable unique visitor counting without persistent individual tracking
• Technical Details: Cryptographic hashes that cannot be reversed to identify individuals

Aggregated Analytics Data:

• Retention Period: Maximum 25 months from collection date
• Data Format: Fully aggregated and anonymized statistical summaries
• Purpose: Long-term trend analysis, performance benchmarking, and strategic planning
• Privacy Protection: Cannot be traced back to individual consumers or households

Technical Server Logs:

• Retention Period: Maximum 12 months from creation date
• Purpose: Security monitoring, system troubleshooting, and regulatory compliance
• Content: Technical metadata including timestamps, response codes, and system performance metrics
• Privacy Safeguards: No direct identifiers retained; IP addresses aggregated to regional level only

Security and Error Logs:

• Retention Period: Maximum 6 months from incident date
• Purpose: Security incident investigation, error resolution, and system improvement
• Access Restrictions: Limited to authorized technical personnel for specific operational purposes

Deletion Standards: All data deletion conducted using industry-standard secure deletion protocols ensuring information cannot be recovered or reconstructed.

Verification Process: Regular audits to verify deletion procedures are properly implemented and retention periods are not exceeded.

You have the right to request detailed information about our personal information practices, including:

Categories of Information: Specific categories of personal information collected, with detailed descriptions of data types and collection methods.

Information Sources: Detailed explanation of all sources from which personal information was collected, including direct collection methods and any third-party sources (none in SureFlow's case).

Business Purposes: Comprehensive description of business or commercial purposes for collecting and using personal information.

Third-Party Disclosure: Complete list of categories of third parties to whom personal information was disclosed, if any (none in SureFlow's case).

Specific Data Access: Right to receive copies of specific pieces of personal information we maintain about you, subject to verification and technical limitations.

Response Format: Information provided in readily accessible format with clear explanations of technical terms and data processing activities.

Deletion Scope: Request deletion of personal information collected from you, subject to specific legal exceptions including:

Legal Exceptions: Retention required for:

• Security Purposes: Detection and protection against security incidents, malicious activities, or fraudulent behavior
• Debugging Services: Identification and repair of errors that impair website functionality or user experience
• Legal Compliance: Compliance with federal, state, or local laws, regulations, or legal obligations
• Research Activities: Internal research for technological development and demonstration, subject to privacy safeguards
• System Operations: Maintaining or servicing systems, providing customer service, or processing transactions

Deletion Process:

• Verification Requirements: Identity verification to ensure requests are made by authorized individuals
• Technical Implementation: Secure deletion using industry-standard data destruction methods
• Confirmation Provided: Written confirmation of deletion actions taken and any exceptions applied
• Third-Party Notification: Where applicable, notification to service providers about deletion requirements

Correction Scope: Request correction of inaccurate personal information we maintain about you, including:

• Factual Corrections: Correction of demonstrably inaccurate factual information
• Completeness Updates: Addition of missing information relevant to processing purposes
• Documentation Requirements: Provision of supporting evidence for requested corrections

Implementation Process:

• Accuracy Assessment: Evaluation of correction requests and supporting documentation
• Technical Feasibility: Assessment of technical ability to implement requested corrections
• Third-Party Updates: Communication of corrections to relevant parties where applicable
• Verification Procedures: Confirmation that corrections have been properly implemented

Current Status: SureFlow does not sell personal information or share it for cross-context behavioral advertising, making this right currently inapplicable to our operations.

Future Protection: Should our practices change in the future to include sales or sharing activities:

• Clear Notification: Prominent notice of any changes to sale or sharing practices
• Opt-Out Mechanisms: Easy-to-use methods for opting out of sales or sharing
• Ongoing Protection: Continued respect for opt-out preferences and regular confirmation of choices

Global Privacy Control: We honor Global Privacy Control (GPC) browser signals as an opt-out mechanism, though current lack of sales/sharing activities makes this functionally neutral.

Protected Activities: You have the right to exercise CCPA rights without facing discriminatory treatment, including:

• Service Access: Continued access to website and all available services
• Pricing Protection: No different prices, rates, charges, or penalties for exercising rights
• Service Quality: Same level and quality of services regardless of rights exercise
• Feature Access: No denial of access to specific features or functionality

Positive Incentives: While we may offer financial incentives or price differences related to personal information collection or retention, such programs must:

• Voluntary Participation: Be completely voluntary with clear opt-in requirements
• Reasonable Relationship: Have reasonable relationship to value provided by personal information
• Transparent Terms: Include clear explanation of material terms and conditions
• Easy Withdrawal: Allow easy withdrawal from incentive programs without penalty

Current Applicability: SureFlow does not collect or process sensitive personal information as defined under CCPA/CPRA, including:

• Government Identifiers: Social Security numbers, driver's license numbers, or passport numbers
• Financial Information: Account log-in credentials, payment card numbers, or financial account access
• Precise Geolocation: GPS coordinates or location tracking more precise than geofence of 1,850 feet
• Biometric Identifiers: Fingerprints, faceprints, voiceprints, or other biometric data
• Health Information: Medical records, health insurance information, or genetic data
• Personal Characteristics: Information about race, ethnicity, religious beliefs, or union membership

Future Applicability: Should we begin collecting sensitive personal information in the future, this right would allow limitation of use to specific purposes defined under CPRA.

Primary Contact Methods:

• Email: privacy@sureflow.com
• Subject Line: "California Privacy Rights Request - [Specify Right Type]"
• Postal Mail: SureFlow Ltd, 1 Old Street Yard, London EC1Y 8AF, United Kingdom, Attention: Privacy Officer
• Telephone: +447449457293 (specify California privacy rights during business hours)

Essential Information for Processing:

• Full Legal Name: Complete name as it appears on government identification
• Current Contact Information: Valid email address and telephone number for verification
• Specific Right Request: Clear identification of which CCPA right you wish to exercise (access, delete, correct, opt-out)
• Relationship Description: Your relationship with SureFlow (typically "website visitor")
• Timeframe Information: Approximate dates or periods of website visits if known
• Supporting Documentation: Any additional information that may help locate relevant data

Identity Verification Standards:

Standard Verification: For most requests, verification through:

• Contact Information Matching: Verification using provided email address or telephone number
• Timeframe Confirmation: Matching of reported website visit periods with available technical logs
• Device Information: Confirmation of browser or device information where technically feasible

Enhanced Verification: For sensitive requests or high-value information:

• Government Identification: Acceptable forms of government-issued photo identification
• Additional Documentation: Supporting documents that establish identity and relationship to requested information
• Multi-Step Verification: Combination of multiple verification methods for enhanced security

Technical Limitations: Due to our anonymized data collection practices using cryptographic hashes:

• Limited Individual Identification: We may have restricted ability to identify specific individuals in our analytics data
• Aggregate Data Only: Much of our processing involves aggregate analysis that cannot be traced to specific consumers
• Verification Challenges: Anonymous data collection may limit our ability to verify identity for certain requests

Acknowledgment and Initial Response:

• Receipt Confirmation: Acknowledgment of all requests within 10 business days of receipt
• Preliminary Assessment: Initial evaluation of request feasibility and verification requirements
• Communication Schedule: Regular updates on request processing status for complex cases

Substantive Response Commitments:

• Standard Timeline: Comprehensive response within 45 calendar days of verified request receipt
• Complex Request Extensions: Up to 90 days total for unusually complex requests with detailed explanation of delay
• Interim Updates: Regular communication about processing status for extended timeline cases

Response Quality Standards:

• Comprehensive Information: Complete response to all aspects of rights requests
• Plain Language: Clear, understandable explanations without excessive technical jargon
• Supporting Documentation: Detailed documentation of actions taken and any limitations encountered
• Follow-Up Support: Availability for clarification questions and additional assistance

Acceptable Authorization Methods:

• Written Authorization: Signed written permission from the consumer authorizing the agent to act on their behalf
• Power of Attorney: Valid power of attorney document providing authority for privacy rights exercise
• Legal Guardianship: Court-appointed guardianship with authority over privacy matters

Agent Verification Requirements:

• Agent Identity Verification: Proof of agent's identity through acceptable identification methods
• Authorization Verification: Confirmation that authorization documentation is valid and current
• Scope Verification: Confirmation that agent authority extends to specific rights being exercised

Consumer Verification: Even with authorized agent representation, we may require:

• Direct Consumer Contact: Direct communication with consumer to confirm authorization
• Consumer Identity Verification: Independent verification of consumer identity through established methods
• Authorization Confirmation: Consumer confirmation of specific rights exercise and agent authority

Agent Communication: All communications regarding rights requests will be conducted with authorized agent while maintaining appropriate consumer verification and consent.

Accurate Representation: Authorized agents must provide accurate information and truthful representation of consumer interests.

Documentation Maintenance: Agents must maintain appropriate documentation of authorization and be prepared to provide verification upon request.

Ongoing Authority: Agents must ensure continued validity of authorization and notify SureFlow of any changes to representation status.

Sensitive Personal Information Categories: Under CCPA/CPRA, sensitive personal information includes:

• Government Identifiers: Social Security numbers, driver's license numbers, state identification card numbers, or passport numbers
• Financial Account Information: Account log-in credentials, financial account numbers, debit card numbers, or credit card numbers in combination with access codes
• Precise Geolocation: Location information accurate to within a radius of 1,750 feet
• Biometric Identifiers: Genetic data, unique biometric identifiers, biometric templates, or biometric information
• Health Information: Personal information related to health conditions, medical treatment, or health insurance
• Personal Characteristics: Information about race, ethnicity, religious or philosophical beliefs, or union membership
• Private Communications: Mail, email, and text message contents (not applicable to website visits)

No Sensitive Data Collection: SureFlow explicitly does not collect, process, or maintain any sensitive personal information as defined under CCPA/CPRA.

System Design: Our website and analytics systems are specifically designed to avoid collecting sensitive information through:

• Technical Limitations: System configurations that prevent sensitive data capture
• Data Filtering: Automated filtering to exclude any accidentally collected sensitive information
• Regular Audits: Periodic review of data collection practices to ensure no sensitive information is captured

Future Commitments: Should our practices change to include sensitive personal information collection:

• Explicit Notice: Clear notification of sensitive information collection with detailed explanations
• Consent Mechanisms: Implementation of appropriate consent procedures where required
• Limiting Rights: Full implementation of CCPA rights to limit use and disclosure of sensitive information
• Enhanced Security: Additional security measures for sensitive information protection

Age Restrictions: Our website is not directed toward or intended for use by individuals under 16 years of age, consistent with CCPA requirements for minor protection.

No Knowing Collection: SureFlow does not knowingly collect personal information from minors under 16 years of age without appropriate parental consent.

Enhanced Protections: In accordance with CCPA provisions:

• No Sales of Minor Information: We do not sell personal information of consumers under 16 years of age
• No Sharing of Minor Information: We do not share personal information of minors for cross-context behavioral advertising
• Parental Consent: Any processing of information from consumers under 16 would require verifiable parental consent

Parental Notification: Parents or legal guardians who believe their child under 16 has provided personal information should immediately contact privacy@sureflow.com.

Immediate Response Actions: Upon notification or discovery of minor information collection:

• Processing Cessation: Immediate halt of all processing activities related to minor's information
• Data Deletion: Prompt and complete deletion of all collected minor information using secure deletion methods
• Verification Enhancement: Implementation of enhanced age verification measures where appropriate
• Parental Communication: Clear communication with parents regarding actions taken and preventive measures implemented

Multi-Jurisdictional Requirements: Our practices align with applicable minor privacy protection laws including:

• CCPA/CPRA: Enhanced protections for consumers under 16
• COPPA: Children's Online Privacy Protection Act requirements for under-13 consumers
• State Laws: Additional state-specific requirements for minor privacy protection

Automatic Recognition: SureFlow's systems automatically recognize and respect Global Privacy Control (GPC) browser signals from California residents.

Signal Processing: When GPC signals are detected:

• Automatic Opt-Out: Automatic implementation of opt-out preferences where applicable
• System Configuration: Technical systems configured to honor GPC preferences without manual intervention
• Preference Persistence: GPC preferences maintained across browsing sessions and website visits

Limited Current Impact: Since SureFlow does not sell or share personal information, enabling GPC currently has no material impact on data processing activities.

Future Relevance: Should our practices change to include activities subject to GPC opt-out rights, all existing GPC preferences would be immediately honored.

Technical Implementation: GPC signal processing implemented through:

• Browser Detection: Automatic detection of GPC signals in HTTP headers
• System Integration: Integration with internal systems to implement opt-out preferences
• Preference Management: Maintenance of GPC preference records and application across all relevant processing

Minor Administrative Updates: Changes including contact information corrections, formatting improvements, or clarifications that do not affect substantive rights:

• Implementation: Posted immediately with revised "Last Updated" date
• Notification: Website posting constitutes sufficient notification for administrative changes

Material Changes: Significant modifications affecting data collection practices, use purposes, sharing arrangements, or consumer rights:

• Advanced Notice: Minimum 30 days advance notice through multiple communication channels
• Notification Methods: Email notification where available, prominent website banners, social media announcements, and other appropriate channels
• Consent Requirements: Explicit opt-in consent required where legally mandated for material changes

Consumer Impact Analysis: Comprehensive assessment of how changes may affect California residents with appropriate mitigation measures.

Legal Compliance Review: Verification that all changes maintain full compliance with CCPA, CPRA, and other applicable California privacy laws.

Rights Protection: Ensuring that any changes do not diminish existing consumer privacy rights without appropriate legal basis and notification.

SureFlow Ltd Privacy Team

• Primary Email: privacy@sureflow.com
• Subject Line Format: "CCPA Request - [Specify Request Type]"
• Postal Address: SureFlow Ltd, 1 Old Street Yard, London EC1Y 8AF, United Kingdom, Attention: Privacy Officer
• Telephone: +447449457293 (specify California privacy rights during business hours)
• Business Hours: 09:00–17:00 (GMT), Monday to Friday GMT

• Rights Requests: privacy@sureflow.com with subject line "California Privacy Rights Request"
• General CCPA Questions: privacy@sureflow.com with subject line "CCPA General Inquiry"
• Complaints: privacy@sureflow.com with subject line "California Privacy Complaint"
• Technical Issues: privacy@sureflow.com with subject line "CCPA Technical Issue"

Acknowledgment Timeline: All CCPA inquiries acknowledged within 2 business days of receipt

Response Quality: Comprehensive, plain-language responses addressing all aspects of inquiries

Escalation Procedures: Complex issues escalated to appropriate legal and technical specialists

Follow-Up Support: Continued availability for clarification questions and additional assistance.

For complete operational details about our data practices, security measures, international transfers, and retention policies, please refer to our Privacy Statement.

This notice complies with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) and reflects our commitment to California residents' privacy rights and data protection.