Privacy Statement

2025-08-01

SureFlow Ltd ("SureFlow," "we," "us," or "our") is committed to protecting your privacy and providing transparency about our data practices. This Privacy Statement applies to our website at www.sureflow.com and explains how we handle information when you visit our site.

Geographic Scope: We serve visitors from the United Kingdom, European Union, and United States, ensuring compliance with UK GDPR, EU GDPR, and the California Consumer Privacy Act (CCPA).

Our Commitment: We collect only the minimum data necessary for website operation and security, use privacy-by-design principles, and never sell or misuse your information.

Document Structure: This statement explains what data we collect, how we use it, your rights, and how to contact us. For region-specific details, see our GDPR Notice (EU/UK residents) and CCPA Notice (California residents).

1. About This Privacy Statement

This Privacy Statement applies to our website at www.sureflow.com and explains how we handle information when you visit our site.

2. Information We Collect

2.1 What We Collect

We collect only anonymized, technical information necessary for website operation:

Analytics Data:

  • Anonymized visitor counts using secure 24-hour temporary hashes that cannot identify individuals
  • Pages viewed during your session and total session duration
  • Bounce rate analysis (whether you leave after viewing one page)
  • General geographic location derived from IP address at country/region level only

Technical Information:

  • Browser type and version (Chrome, Safari, Firefox, Edge) for compatibility optimization
  • Device category (desktop, mobile, tablet) for responsive design
  • Operating system type (Windows, macOS, iOS, Android) for technical support
  • Screen resolution ranges for layout optimization
  • Referring website or search terms (how you found us)
  • Visit timestamps for security monitoring and system availability

Privacy-by-Design Approach:

  • All visitor identification uses cryptographic hashes that expire within 24 hours
  • No direct identifiers (IP addresses, device IDs) are permanently stored
  • Data aggregation prevents individual visitor tracking or profiling

2.2 What We DON'T Collect

We deliberately avoid collecting:

  • Personal identifiers (names, email addresses, phone numbers, postal addresses)
  • Financial information (payment details, bank accounts, credit information)
  • Precise location data (GPS coordinates, street addresses, real-time location)
  • Health information (medical records, biometric data, genetic information)
  • Employment details (job history, salary information, performance records)
  • Government identifiers (Social Security numbers, passport numbers, driver's licenses)
  • Individual browsing history across other websites or applications

2.3 How We Collect Information

Internal Analytics System: All data collection uses our proprietary, secure internal system designed with privacy-first principles. We use anonymized cryptographic hashes that prevent individual identification while allowing aggregate analysis.

Essential Cookies Only: We deploy only technical cookies necessary for website functionality, security, and basic performance measurement. No advertising, marketing, or third-party tracking cookies are used.

No Third-Party Trackers: All analytics processing occurs internally within SureFlow systems. We do not use external analytics services, advertising networks, or data brokers.

3. How We Use Your Information

We use collected information solely for legitimate, clearly defined purposes:

3.1 Primary Purposes

  • Website Performance Analysis: Understanding page popularity, user engagement patterns, and identifying areas for improvement
  • Technical Optimization: Ensuring cross-browser compatibility, responsive design effectiveness, and resolving technical issues
  • Security Monitoring: Detecting unusual traffic patterns, preventing malicious activities, and maintaining system integrity
  • User Experience Enhancement: Improving navigation, reducing load times, and optimizing content presentation

3.2 Operational Uses

  • System Administration: Monitoring server performance, diagnosing errors, and maintaining website availability
  • Business Intelligence: Understanding visitor demographics at aggregate level for strategic planning
  • Compliance Monitoring: Ensuring website accessibility and legal requirement compliance

3.3 What We Don't Use It For

We never use collected information for:

  • Individual user profiling or behavioral targeting
  • Direct marketing campaigns or promotional communications
  • Selling, licensing, or transferring data to third parties
  • Cross-website tracking or advertising networks
  • Automated decision-making that affects individual users
  • Creating detailed personal profiles or psychographic analysis

4. Legal Basis for Processing

4.1 EU/UK Residents (GDPR Compliance)

We process personal data under Article 6(1)(f) GDPR - Legitimate Interests:

Legitimate Interests Identified:

  • Operating a secure, functional, and continuously available website
  • Improving user experience through technical optimization and performance enhancement
  • Maintaining cybersecurity and preventing fraudulent or malicious activities
  • Understanding aggregate usage patterns for business development and service improvement

Necessity Assessment:

  • Data collection is limited to the minimum necessary for achieving stated purposes
  • Anonymization techniques prevent individual identification while enabling aggregate analysis
  • No alternative methods can achieve the same objectives with reduced privacy impact

Balancing Test Results:

  • Minimal Privacy Impact: Data anonymization and aggregation prevent individual identification
  • Short Retention Periods: Visitor identifiers automatically expire within 24 hours
  • No Cross-Site Tracking: Data collection limited exclusively to our website
  • Transparent Processing: Clear disclosure of all data practices and purposes
  • User Control Options: Multiple opt-out mechanisms and rights exercisable at any time

4.2 California Residents (CCPA Compliance)

Processing is conducted for legitimate business purposes as defined under the California Consumer Privacy Act, specifically:

  • Analytics and performance optimization
  • Security monitoring and fraud prevention
  • Technical support and system maintenance
  • Business operations and service improvement

5. Data Sharing and Third Parties

5.1 Current Practices

We maintain strict control over all collected data:

  • No Third-Party Sharing: All visitor data remains exclusively within SureFlow systems
  • Internal Processing Only: Analytics, security monitoring, and performance optimization conducted by SureFlow personnel
  • No Commercial Data Sales: We have never sold, licensed, or transferred personal information to any third party
  • No Advertising Networks: No integration with external advertising platforms or behavioral targeting systems

5.2 Future Service Providers

Should we engage third-party service providers for technical operations (hosting, cybersecurity, system maintenance), they would be subject to:

  • Contractual Data Protection: Written agreements limiting data processing to documented instructions only
  • Security Requirements: Implementation of technical and organizational measures meeting our security standards
  • Confidentiality Obligations: Binding confidentiality requirements for all personnel with data access
  • Regulatory Compliance: Full adherence to GDPR, UK GDPR, CCPA, and other applicable privacy regulations
  • Regular Auditing: Ongoing compliance monitoring and security assessments

Notification Commitment: We will update this Privacy Statement and provide appropriate notice before engaging any third-party data processors.

6. Data Retention

We apply strict data minimization principles with clearly defined retention periods:

6.1 Retention Schedule

  • Visitor Identification Hashes: Automatic deletion within 24 hours of creation
  • Aggregated Analytics Data: Maximum retention of 25 months for trend analysis and performance measurement
  • Technical Server Logs: Retention up to 12 months for security monitoring, troubleshooting, and compliance purposes
  • Error Logs: Retained for 6 months for technical support and system improvement

6.2 Secure Deletion Procedures

At the end of each retention period:

  • Cryptographic Erasure: Secure deletion using industry-standard data destruction methods
  • Anonymization Verification: Confirmation that remaining aggregated data cannot be reidentified
  • Documentation: Detailed logging of all data deletion activities for compliance purposes

7. Data Security

We implement comprehensive, multi-layered security measures:

7.1 Technical Safeguards

  • Encryption in Transit: All data transmission protected using TLS 1.3 encryption protocols
  • Encryption at Rest: Database and file storage encrypted using AES-256 encryption standards
  • Access Controls: Role-based permissions with principle of least privilege implementation
  • Network Security: Firewall protection, intrusion detection systems, and regular penetration testing
  • System Monitoring: 24/7 automated monitoring for unusual activities and security incidents

7.2 Organizational Measures

  • Staff Training: Regular privacy and security training for all personnel with data access
  • Security Policies: Comprehensive internal policies governing data handling and system access
  • Incident Response: Documented procedures for identifying, containing, and responding to security breaches
  • Vendor Management: Security assessments and contractual requirements for all service providers
  • Regular Audits: Annual security assessments and compliance reviews by qualified professionals

7.3 Physical Security

  • Secure Facilities: Data centers with biometric access controls and 24/7 monitoring
  • Equipment Protection: Secure disposal of hardware and storage media
  • Environmental Controls: Fire suppression, climate control, and power backup systems

8. International Data Transfers

8.1 Geographic Processing

Data may be processed across multiple jurisdictions with appropriate safeguards:

Primary Locations: United Kingdom, European Union, United States

Transfer Safeguards:

  • Adequacy Decisions: Reliance on European Commission and UK adequacy decisions where available
  • Standard Contractual Clauses: Implementation of EU-approved SCCs and UK International Data Transfer Agreements
  • Additional Measures: Supplementary technical safeguards including encryption, pseudonymization, and access restrictions

8.2 Transfer Impact Assessments

We regularly conduct transfer impact assessments to evaluate:

  • Legal protections in destination countries
  • Technical and organizational safeguards effectiveness
  • Risk mitigation measures and ongoing monitoring requirements
  • Compliance with evolving regulatory guidance

9. Your Privacy Rights

Depending on your location, you may have specific rights under GDPR/UK GDPR or CCPA.

9.1 EU/UK Residents (GDPR Rights)

Right of Access (Article 15):

  • Request confirmation whether we process your personal data
  • Obtain copies of personal data we hold about you
  • Receive information about processing purposes, data categories, and recipients
  • Learn about retention periods and your other rights
  • Understand the source of data if not collected directly from you
  • Get details about any automated decision-making (not applicable to SureFlow)

Right to Rectification (Article 16):

  • Request correction of inaccurate personal information
  • Ask for completion of incomplete data relevant to processing purposes
  • Provide supporting documentation for requested corrections
  • Have corrections communicated to recipients where technically feasible
  • Receive confirmation when corrections have been implemented

Right to Erasure/Right to be Forgotten (Article 17):

  • Request deletion when data is no longer necessary for original purposes
  • Seek erasure if you withdraw consent and no other legal basis exists
  • Demand deletion if processing has been unlawful
  • Request erasure for compliance with legal obligations
  • Subject to exceptions for legal compliance, public interest, or legal claims

Right to Restrict Processing (Article 18):

  • Limit processing while we verify accuracy of contested data
  • Restrict processing when it's unlawful but you prefer restriction over deletion
  • Request restriction when we no longer need data but you require it for legal claims
  • Obtain limitation pending assessment of objection to legitimate interest processing
  • Receive notification before restriction is lifted

Right to Data Portability (Article 20):

  • Receive your data in structured, commonly used, machine-readable format
  • Request direct transmission to another controller where technically feasible
  • Applies when processing is based on consent or contract performance
  • Only covers data you have provided to us through automated means
  • Limited applicability due to our anonymized data collection methods

Right to Object (Article 21):

  • Object to processing based on legitimate interests on grounds relating to your particular situation
  • Absolute right to object to direct marketing (not applicable to SureFlow)
  • We must stop processing unless we demonstrate compelling legitimate grounds
  • Right to object to scientific research unless research serves public interest
  • Object to processing for statistical purposes unless serving public interest

Right to Withdraw Consent (Article 7):

  • Withdraw consent for any consent-based processing at any time
  • Withdrawal must be as easy as giving consent
  • Does not affect lawfulness of processing before withdrawal
  • We will inform you of your right to withdraw before obtaining consent
  • Applies primarily to cookie consent in our context

9.2 California Residents (CCPA Rights)

Right to Know (Access):

  • Request categories of personal information collected about you
  • Learn the sources from which information was collected
  • Understand business or commercial purposes for collection
  • Know categories of third parties with whom we share information (none in our case)
  • Obtain specific pieces of personal information we have collected
  • Receive information covering the 12 months preceding your request

Right to Delete:

  • Request deletion of personal information we have collected from you
  • Applies to information collected directly from you or about you
  • Subject to exceptions for security, debugging, legal compliance, research, or internal operations
  • We will notify service providers to delete your information (when applicable)
  • Confirmation provided regarding deletion actions taken
  • May be limited by our anonymized data collection practices

Right to Correct:

  • Request correction of inaccurate personal information we maintain
  • Provide evidence supporting the requested correction
  • We will use commercially reasonable efforts to correct information
  • Limited applicability given we don't collect direct identifiers
  • Confirmation provided when corrections are implemented

Right to Opt-Out of Sale/Sharing:

  • Direct us not to sell your personal information to third parties
  • Request we don't share information for cross-context behavioral advertising
  • Note: SureFlow does not sell or share personal information
  • We honor Global Privacy Control (GPC) browser signals
  • Preference applies to future collection and processing

Right to Limit Use of Sensitive Personal Information:

  • Restrict use of sensitive personal information to specific purposes
  • Not applicable to SureFlow as we don't collect sensitive information
  • Would apply to government IDs, financial accounts, precise geolocation, biometrics, health data
  • Includes right to limit use for inferring characteristics about you

Right to Non-Discrimination:

  • Exercise privacy rights without facing discriminatory treatment
  • No denial of goods or services for exercising rights
  • No different prices, rates, or quality of services
  • Protection against retaliation for rights exercise
  • Right to participate in financial incentive programs voluntarily

9.3 Exercising Your Rights

Contact Methods:

  • Email: privacy@sureflow.com with clear subject line indicating your request type
  • Mail: SureFlow Ltd, 1 Old Street Yard, London EC1Y 8AF, United Kingdom, Attention: Privacy Officer
  • Phone: +447449457293 during business hours

Response Commitments:

  • GDPR Requests: Response within 30 days (extendable to 90 days for complex requests)
  • CCPA Requests: Response within 45 days (extendable to 90 days with notice)
  • All Requests: Free of charge unless excessive or manifestly unfounded

Important Limitation: Due to our anonymized data collection practices, we may have limited ability to identify specific individuals, which may affect fulfillment of certain personalized requests.

10. Cookies and Tracking Technologies

10.1 Cookie Categories

Essential Cookies: Required for basic website functionality, security, and user session management

  • Session identifiers for secure browsing
  • Security tokens for protection against malicious activities
  • Basic functionality preferences for optimal user experience

Analytics Cookies: Optional cookies for website performance measurement

  • Anonymous visitor counting and session analysis
  • Page performance and user interaction measurement
  • Technical compatibility and error tracking

10.2 Cookie Management

User Controls:

  • Browser-based cookie management through standard settings
  • "Do Not Track" signal recognition for analytics cookies
  • Opt-out mechanisms for non-essential cookies

Future Changes: Any introduction of non-essential cookies will include:

  • Clear notification and explanation of purposes
  • Appropriate consent mechanisms where legally required
  • Granular control options for different cookie categories

11. Children's Privacy

Age Requirements: Our website is not directed toward or intended for use by individuals under 16 years of age, consistent with GDPR digital consent requirements.

No Knowing Collection: We do not knowingly collect, use, or maintain personal information from children under 16 years of age.

Parental Rights: Parents or guardians who believe their child has provided personal information should contact privacy@sureflow.com for immediate investigation and data deletion.

Legal Compliance: Our practices align with applicable child privacy protection laws including COPPA (United States), GDPR (EU), and UK GDPR provisions regarding children's data.

12. Legal Disclosures

Information may be disclosed only in limited circumstances when legally required:

12.1 Legal Obligations

  • Court Orders: Response to valid subpoenas, court orders, or other legal processes
  • Regulatory Requirements: Compliance with lawful requests from government authorities or regulatory bodies
  • Legal Rights Protection: Defense of SureFlow's legal rights, property, or safety

12.2 Emergency Situations

  • Public Safety: Protection of public health, safety, or security when immediate action is required
  • Fraud Prevention: Investigation and prevention of fraudulent, illegal, or harmful activities

Disclosure Limitations: Given our minimal, anonymized data collection practices, any legally required disclosures would be extremely limited in scope and generally non-identifying.

13. Policy Updates and Changes

13.1 Update Procedures

Minor Changes: Administrative updates, clarifications, or non-material changes posted immediately with revised "Last Updated" date

Material Changes: Significant modifications affecting data collection, use, or your rights will include:

  • Prominent website notification for reasonable period before implementation
  • Email notification to registered users where contact information is available
  • Additional notice methods as required by applicable law

13.2 Continued Use

Your continued use of our website after policy updates constitutes acceptance of the revised terms, except where law requires explicit consent for material changes.

14. Contact Information and Support

14.1 Privacy Inquiries

SureFlow Ltd Privacy Team

  • Email: privacy@sureflow.com
  • Address: SureFlow Ltd, 1 Old Street Yard, London EC1Y 8AF, United Kingdom
  • Phone: +447449457293
  • Business Hours: 09:00–17:00 (GMT), Monday to Friday

14.2 Data Protection Officer

  • Email: privacy@sureflow.com
  • Responsibilities: Privacy compliance oversight, rights request processing, regulatory liaison

14.3 Response Commitments

We are committed to:

  • Acknowledging all privacy inquiries within 2 business days
  • Providing substantive responses within applicable legal timeframes
  • Maintaining detailed records of all privacy-related communications
  • Escalating complex issues to appropriate legal and technical specialists

15. Regulatory Contacts and Complaints

If you are not satisfied with our handling of privacy concerns, you may contact relevant supervisory authorities:

15.1 UK Residents

Information Commissioner's Office (ICO)

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

15.2 EU Residents

National Data Protection Authorities

  • Directory: https://edpb.europa.eu/about-edpb/board/members_en
  • Contact your country's designated data protection authority

15.3 US Residents

State Attorneys General

  • Contact your state's Attorney General office for privacy complaint procedures
  • California residents may also contact the California Privacy Protection Agency