Privacy Policy
Last updated: May 1, 2026
1. Who we are
Suro ("Suro", "we", "us", "our") is an AI sales coaching platform currently operated in early access from Israel. This policy explains how we collect, use, and protect your personal data when you use Suro at getsuro.io.
For any privacy request, legal request, data request, or to receive a Data Processing Agreement (DPA), contact us at amiel@getsuro.io.
2. Data we collect
We collect the following categories of data:
• Account data — email address, name (optional), company name, and role (provided during sign-up).
• Sales workspace data — leads imported by you (names, emails, phone numbers, custom fields), call tickets, decision tree scripts, objection banks, coaching tips you author.
• Call data — text transcripts of calls (no audio recordings are stored — only the speech-to-text output), call outcomes, AI-generated summaries, manager feedback. Transcripts are tagged by role only ("Speaker 1 / Speaker 2"); the linked customer name lives separately in the Leads table and is referenced by ID.
• Usage data — interactions with the platform such as which AI features you trigger, how long calls last, training quiz attempts.
• Technical & diagnostic data — IP address (hashed with a salt for diagnostic submissions), browser type, device information, error logs, and session diagnostic data captured when an error occurs (used to debug crashes).
• Authentication cookies — strictly necessary cookies for session management and 2FA verification.
• Billing data — handled entirely by LemonSqueezy. We do not store credit card numbers, payment credentials, or full billing addresses.
3. How we use your data
We use your data exclusively to:
• Provide and improve the Suro platform and its AI coaching features.
• Generate personalized scripts, coaching tips, call analyses, and training quizzes for your team.
• Process billing and manage your subscription.
• Send transactional emails (account confirmation, password reset, billing receipts, performance digests).
• Respond to support requests and contact-form submissions.
• Diagnose technical issues and crashes (error tracking).
We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not train third-party AI models on your data — see Section 4.
4. AI processing
Suro relies on third-party Large Language Models (LLMs) and speech-to-text providers to power coaching, transcription, and analysis features. When your data is sent to these providers:
• It is transmitted via encrypted connections (TLS 1.2+).
• It is used solely to generate results for your account — not to train the providers' base models. Our agreements with Anthropic (Claude) and OpenAI (GPT, used as fallback only) explicitly opt out of training. Deepgram (transcription) similarly does not retain audio for training.
• AI requests are scoped to your tenant — no cross-tenant data is ever included in a prompt.
Call transcripts and the relevant context (your scripts, products, policies) are sent to the LLM at inference time to produce in-call suggestions, post-call summaries, or rewrites you trigger. You can see your AI credit usage live in the app.
5. Data hosting & security
• Application and database are hosted on Railway in the United States (us-west region, Oregon). We acknowledge this constitutes a transfer outside the EU/EEA for European users. The transfer is performed under the Standard Contractual Clauses (SCC) approved by the European Commission, supplemented by the EU-US Data Privacy Framework where applicable.
• A migration to an EU region (eu-west-1) is planned as Suro grows its European user base. We will update this policy and notify users when this happens.
• Data is encrypted in transit (TLS 1.2+) and at rest (Railway-managed PostgreSQL with disk encryption).
• Each tenant's data is logically isolated by tenantId scoping at the application layer — cross-tenant queries are blocked at the API layer.
• Access to production systems is restricted to the founder. Production access actions are logged.
• Authentication uses NextAuth.js with HTTP-only secure cookies, hashed passwords (bcrypt), and optional TOTP-based 2FA.
• A scrubbing layer removes PCI patterns (e.g. card numbers, CVV) from transcripts before storage.
6. Data retention
• Your data is retained for as long as your account is active.
• If you cancel your account, we retain your data for 30 days as a buffer for accidental cancellation or restoration requests, after which it is deleted on a manual cleanup pass (no automated cron yet at this beta stage; deletions on request are handled within 30 days).
• You can request immediate deletion of your data at any time by emailing amiel@getsuro.io. We will action the request within 30 days and confirm by email.
• Audit logs (security events, login attempts) are retained for up to 12 months for security purposes.
• Diagnostic submissions on the public landing page are retained for 12 months and are linked only to a hashed IP, not to a user account.
7. Your rights
Under applicable data protection laws (including GDPR if you are in the EU/EEA, CCPA if you are in California), you have the right to:
• Access — request a copy of your personal data.
• Rectification — correct inaccurate data.
• Deletion — request deletion of your data.
• Portability — receive your data in a structured, machine-readable format (JSON export available on request).
• Objection — object to certain processing activities.
• Restriction — request that we limit how we use your data.
• Withdraw consent — for processing based on consent (e.g. analytics cookies if any are added in the future).
To exercise any of these rights, email amiel@getsuro.io. We respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (in France: CNIL — cnil.fr; in Israel: PPA).
8. Sub-processors
We rely on the following sub-processors to deliver our services:
• Railway (United States) — application hosting, PostgreSQL database, file storage. Data residency: us-west region. SCC signed.
• Anthropic (United States) — primary LLM (Claude) for coaching, summaries, analyses. Zero-data-retention configuration. SCC available.
• OpenAI (United States) — fallback LLM (GPT) used only when Claude is temporarily unavailable. Zero-data-retention configuration.
• Deepgram (United States) — speech-to-text transcription. Audio is processed in real time; transcripts are returned to us and are not retained on Deepgram's side. SCC available.
• LemonSqueezy (United States) — payment processing and subscription billing (Merchant of Record). Their own privacy policy applies to payment data: lemonsqueezy.com/privacy.
• Resend (United States) — transactional email delivery. SCC available.
• Sentry (United States / EU regional option) — error tracking, performance monitoring, and session diagnostic data captured during errors to help us debug crashes. SCC available.
• Nango (United States) — secure proxy for third-party CRM connections (HubSpot, etc.) when you choose to connect a CRM. We never store CRM API tokens directly — Nango holds them encrypted.
• HubSpot (United States — only if you connect your account) — your CRM data flows through Nango when you opt in to the CRM integration. You control which contacts and properties are synced.
• Namecheap (United States) — DNS provider for getsuro.io.
Sub-processors are added or changed only when necessary. Material changes are reflected in the "Last updated" date at the top.
9. International data transfers
If you are based in the EU/EEA, UK, or another jurisdiction with data export restrictions, please be aware that all sub-processors above are based in the United States.
Data transfers from the EU/EEA to the United States are governed by:
• The Standard Contractual Clauses (SCC) approved by the European Commission (Implementing Decision 2021/914 of 4 June 2021).
• The EU-US Data Privacy Framework where the receiving sub-processor is self-certified (Anthropic, Sentry, and others publish their certifications).
You can request a copy of the SCC executed with any specific sub-processor by emailing amiel@getsuro.io.
10. Cookies
We use strictly necessary cookies for authentication, session management, locale preference (EN/FR), and 2FA verification. These cookies are essential and do not require consent under the GDPR and the ePrivacy Directive.
We display a cookie consent banner to inform users of these essential cookies and to log explicit consent for any analytics cookies should we add them in the future. Currently, no analytics or tracking cookies are deployed.
11. Children
Suro is a B2B product not intended for individuals under 16. We do not knowingly collect data from children. If you believe we have, contact us and we will delete the data.
12. Changes to this policy
We may update this policy. Material changes (new sub-processors, retention changes, new categories of data) will be communicated by email and in-app notification at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
13. Contact
For any privacy question, data request, or to receive a Data Processing Agreement (DPA) for a Design Partner engagement, contact us at:
amiel@getsuro.io
We respond within 30 days, typically within 72 hours.