Information we collect
SurgeAI collects information necessary to deliver our AI Receptionist services and operate our website. The types of information we collect depend on how you interact with us.
Information you provide directly
- Client onboarding data: Business name, owner or operator name, email address, phone number, NMLS number, service area, AI Persona preferences, and call routing configuration details.
- Payment information: Credit card numbers, billing addresses, and bank account details (processed and stored by our third-party payment processors — SurgeAI does not store raw payment credentials on its own servers).
- Communications: Emails, phone call recordings (where permitted by law and with notice), chat messages, and any other correspondence between you and SurgeAI.
- Call and engagement data: Inbound call details (borrower name, phone, email, inquiry message), call recordings, AI transcripts, SMS logs, and engagement outcome data generated through the platform.
Information collected automatically
- Website analytics: IP address, browser type, device type, operating system, referring URL, pages visited, time spent on pages, and click patterns.
- Cookies and similar technologies: Session identifiers, preference tokens, and analytics cookies (see Section 07 for details).
Information from third parties
- Call data: Borrower names, phone numbers, email addresses, and inquiry details from inbound calls answered by the AI Receptionist and borrower inquiries received through the Client's configured channels. This data originates from the Client's own inbound call traffic, not sourced by SurgeAI.
How we use your information
SurgeAI uses collected information for the following purposes:
| Purpose | Data used |
|---|---|
| Service delivery | Client onboarding data, call data, and AI Persona configuration to answer inbound calls from mortgage borrowers and engage them via phone, SMS, and email on your behalf. |
| Payment processing | Billing information to process monthly Subscription charges and issue invoices. |
| Communication | Email and phone number to send engagement reports, billing notifications, platform updates, and service-related correspondence. |
| Service improvement | Aggregated analytics data and client feedback to improve our AI engagement quality, response times, and platform performance. |
| Legal compliance | All collected data as needed to comply with applicable laws, respond to legal process, or protect SurgeAI's legal rights. |
| Marketing | Email address to send occasional service updates or promotional offers. You may opt out at any time. |
We do not sell your personal information. SurgeAI has never sold client data to third parties and has no plans to do so. Your information is used solely to deliver and improve our services.
Information sharing and disclosure
SurgeAI does not sell, rent, or trade your personal or business information. We may share information only in the following limited circumstances:
- Service providers: We share information with third-party vendors who assist in delivering our services, including payment processors, calendar integration providers, CRM platforms, and cloud hosting providers. These vendors are contractually obligated to protect your data and use it only for the purposes we specify.
- Borrower engagement: When answering calls and engaging borrowers on your behalf, our AI Persona uses your business name, branding, and general service descriptions in phone calls, SMS, and emails. We do not share your personal contact information with borrowers — all initial communication flows through SurgeAI's AI platform.
- Legal requirements: We may disclose information if required by law, subpoena, court order, or government request. We may also disclose information to protect the rights, property, or safety of SurgeAI, our clients, or others.
- Business transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, client data may be transferred as part of that transaction. We will notify affected clients before their information becomes subject to a different privacy policy.
- With your consent: We may share information in other ways if you have given us explicit written consent to do so.
Call data and engagement
A core part of SurgeAI's service involves answering inbound calls from mortgage borrowers and processing call data on behalf of our mortgage broker clients. This section explains how we handle that data.
- Data sources: Borrower data is collected from inbound calls answered by the AI Receptionist and from the Client's configured intake channels. SurgeAI does not independently source or purchase consumer data. All borrower interactions originate from inbound inquiries initiated by the prospective borrower.
- Use of borrower data: Borrower information is used exclusively to answer inbound calls and engage prospective borrowers via AI-powered phone calls, SMS, and email on behalf of the Client. We do not use borrower data for any purpose unrelated to the Client's AI Receptionist service.
- Opt-out compliance: SurgeAI honors all opt-out requests received during borrower engagement. Borrowers who request to not be contacted are suppressed immediately and will not receive further communications. SurgeAI maintains internal suppression lists to prevent re-engagement.
- Borrower rights: Any individual who has been contacted by SurgeAI's AI on behalf of a Client may request to see what information we hold about them, request correction of inaccurate data, or request deletion of their data by contacting us at privacy@surgeai.net.
- TCPA compliance: All AI-initiated calls are made in compliance with the Telephone Consumer Protection Act. Because SurgeAI answers inbound calls initiated by the borrower, these engagements fall within the established business relationship exception. SurgeAI does not make unsolicited cold calls to consumers.
Data retention
SurgeAI retains information only as long as necessary to fulfill the purposes described in this policy or as required by law.
| Data type | Retention period |
|---|---|
| Client account data | Duration of the Subscription plus 3 years after cancellation or termination. |
| Payment records | 7 years from the transaction date, as required for tax and accounting compliance. |
| Call recordings | 90 days from the date of recording, unless a dispute is pending. |
| Borrower contact data | 18 months from last call or engagement attempt. Suppressed contacts are retained on the suppression list indefinitely. |
| Website analytics | 26 months from the date of collection. |
| Email correspondence | Duration of the business relationship plus 2 years. |
When the retention period expires, data is securely deleted or anonymized so that it can no longer be associated with a specific individual or business.
Data security
SurgeAI implements administrative, technical, and physical safeguards to protect the information we collect and store. These measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Sensitive data stored on our servers is encrypted using AES-256 encryption.
- Access controls: Access to client and call data is restricted to authorized SurgeAI personnel on a need-to-know basis. All staff accounts require multi-factor authentication.
- Vendor security: Third-party service providers are vetted for security practices and required to maintain industry-standard protections.
- Incident response: In the event of a data breach that affects your personal information, SurgeAI will notify affected individuals within 72 hours of discovering the breach, as required by applicable law.
No system is perfectly secure. While we take reasonable precautions to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and calendar integration tokens.
Cookies and tracking
The SurgeAI website uses cookies and similar technologies to improve your browsing experience and understand how visitors interact with our site.
Types of cookies we use
- Essential cookies: Required for the website to function correctly. These cannot be disabled. They handle session management, security tokens, and basic site functionality.
- Analytics cookies: Help us understand how visitors navigate our site, which pages are visited most frequently, and where visitors come from. This data is aggregated and anonymized.
- Marketing cookies: Used to measure the effectiveness of our advertising and to deliver relevant information to returning visitors. These cookies may be set by third-party advertising partners.
Managing cookies
You can control or delete cookies through your browser settings. Most browsers allow you to block all cookies, accept all cookies, or be notified when a cookie is set. Disabling essential cookies may affect site functionality.
SurgeAI does not respond to Do Not Track (DNT) browser signals at this time, as there is no industry-wide standard for DNT compliance.
Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate or incomplete information.
- Deletion: Request that we delete your personal information, subject to legal retention requirements.
- Portability: Request that we provide your data in a structured, machine-readable format.
- Opt-out of marketing: Unsubscribe from promotional emails at any time by clicking the unsubscribe link in any marketing email or by contacting us directly.
- Restrict processing: Request that we limit how we use your data in certain circumstances.
To exercise any of these rights, contact us at privacy@surgeai.net. We will respond to verified requests within 30 days. We may ask for additional information to verify your identity before processing the request.
California residents
Under the California Consumer Privacy Act (CCPA), California residents have additional rights including the right to know what personal information is collected, the right to request deletion, and the right to opt out of the sale of personal information. As stated above, SurgeAI does not sell personal information. California residents may submit requests to privacy@surgeai.net.
Third-party services
SurgeAI uses the following categories of third-party services to operate our business. Each provider has its own privacy policy governing how it handles data:
- Payment processing: Credit card and bank transactions are processed by PCI-compliant payment processors. SurgeAI does not store full credit card numbers or CVV codes.
- Cloud hosting: Our website and data are hosted on infrastructure provided by reputable cloud service providers with SOC 2 certification.
- CRM and communication tools: We use customer relationship management platforms to track client accounts, calls, and engagement activity.
- Analytics: We use web analytics tools to understand site traffic and user behavior. Data collected by these tools is aggregated and does not identify individual visitors.
- Voice and messaging: We use third-party AI voice (Vapi), SMS (VoIP.ms), and email delivery services to answer calls and engage borrowers on behalf of Clients.
SurgeAI is not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party service you interact with through our platform.
Children's privacy
SurgeAI's services are designed for businesses and are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a person under 18, we will delete that information promptly. If you believe we have inadvertently collected data from a minor, contact us at privacy@surgeai.net.
Changes to this policy
SurgeAI may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Effective" date at the top of this page.
- Notify active clients by email at least 14 days before the changes take effect.
- Post the revised policy on our website.
Your continued use of SurgeAI's services after the updated policy takes effect constitutes your acceptance of the changes. If you do not agree with the revised policy, you should discontinue use of our services and contact us to discuss your options.
Contact
If you have questions about this privacy policy, want to exercise your data rights, or have concerns about how your information is being handled, contact us:
- Email: privacy@surgeai.net
- General inquiries: info@surgeai.net
SurgeAI is operated by Fintier LLC, a Wyoming limited liability company. We aim to respond to all privacy-related inquiries within 5 business days.