Privacy Policy

Last updated: February 2026

1. Who We Are

Surely is operated by Spark Collective BV, a company registered in Belgium.

We act as the data controller for the personal data processed through Surely, in accordance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).

2. What Data We Collect

We collect and process the following categories of personal data:

Account Information

  • Email address (required for account creation)
  • Phone number (optional, for WhatsApp communication)
  • Password (securely hashed, never stored in plain text)

Insurance Documents

  • PDF documents of your insurance policies that you upload
  • Extracted policy information (coverage amounts, deductibles, premiums, dates)
  • Analysis results and recommendations

Communication Data

  • Messages exchanged via WhatsApp (if you use this feature)
  • Chat history and conversation context

3. How We Process Your Data

We process your data for the following purposes:

AI-Powered Policy Analysis

Your insurance documents are analyzed using Google Gemini, an artificial intelligence service. This analysis extracts key policy information and generates insights about coverage gaps and savings opportunities.

Legal basis: Contract performance (Article 6(1)(b) GDPR) — this processing is necessary to provide you with our service.

WhatsApp Communication

If you choose to connect your phone number, we facilitate communication via WhatsApp to answer questions about your policies.

Legal basis: Consent (Article 6(1)(a) GDPR) — you explicitly opt-in by providing your phone number.

4. Data Storage and Security

Where We Store Your Data

Your data is stored on Convex, a cloud database service. Data is stored in the EU region to ensure compliance with GDPR requirements.

Security Measures

  • All data transmission is encrypted using TLS/HTTPS
  • Passwords are securely hashed using industry-standard algorithms
  • Access to production data is restricted and logged
  • Regular security reviews and updates

5. Data Retention

We retain your data for as long as your account is active. Specifically:

  • Account data: Retained until you delete your account
  • Insurance documents and analysis: Retained until you delete them or your account
  • Conversation history: Retained for 12 months after the last interaction

Upon account deletion, your data will be permanently removed within 30 days.

6. Your Rights Under GDPR

Under the GDPR, you have the following rights:

  • Right of access (Article 15): Request a copy of your personal data
  • Right to rectification (Article 16): Correct inaccurate personal data
  • Right to erasure (Article 17): Request deletion of your personal data
  • Right to data portability (Article 20): Receive your data in a machine-readable format
  • Right to restrict processing (Article 18): Limit how we use your data
  • Right to object (Article 21): Object to certain types of processing
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at privacy@meet-surely.com. We will respond within 30 days as required by GDPR.

7. Third-Party Services

We use the following third-party services to operate Surely:

  • Convex: Database and backend infrastructure (EU region)
  • Google Gemini: AI analysis of insurance documents
  • WhatsApp Business API: Communication (if you opt-in)
  • Vercel: Website hosting

Each of these services has their own privacy policy and GDPR compliance measures.

8. Cookies

We use essential cookies only for authentication and session management. We do not use tracking cookies or third-party analytics cookies.

9. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any significant changes via email or through the application. The "Last updated" date at the top of this page indicates when this policy was last revised.

10. Contact Us

If you have any questions about this privacy policy or our data practices, please contact us:

You also have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) if you believe your rights have been violated.