Privacy Policy
Effective Implementation Date: June 5, 2026
1. Scope of Application & Definitions
This Privacy Policy details the data architectures, storage patterns, and processing frameworks maintained by Surge Systems ("we," "our," or "us"). This policy governs data captured via our public portfolio website, business development portals, quote engine modules, and the background analytics used to assess project viability.
Under the mandates of the **European Union General Data Protection Regulation (GDPR) (EU) 2016/679**, we operate as a **Data Controller** when processing business inquiries, enterprise lead details, and marketing interactions generated directly on this portfolio.
2. Legal Entity & Data Protection Officer (DPO)
The legal entity responsible for processing data gathered across this ecosystem is Surge Systems, based in Gujar Khan, Rawalpindi District, Punjab, Pakistan. To ensure adherence to digital privacy laws, we maintain a dedicated Data Protection Desk:
Data Protection Officer: Zain Imran
Corporate Compliance Desk: privacy@surgesystems.com
Core Competence: Software Engineering Frameworks, Cloud CRM & Cloud Restaurant POS Hosting
3. Granular Typology of Collected Data & Processing Pursuits
We minimize our processing footprints. Data collection occurs across two clear operational categories:
A. Information Provided Actively via Business Channels
When you initiate project queries, build custom website scopes, or request price tables for our Restaurant POS systems or custom CRMs, our forms request and store:
- Identity Markers: Full Legal Name, Company Name, and Corporate Role.
- Contact Matrices: Active Business Email Addresses and Direct Phone Lines.
- Project Schematics: Estimated budget parameters, required feature metrics, and operational goals.
B. Passive Device Logs & Telemetry Data
To guarantee application security, defend against distributed denial-of-service (DDoS) attempts, and build fluid layouts, our cloud servers process:
- Network Identifiers: Fully anonymized/masked Internet Protocol (IP) addresses.
- System Configurations: Browser builds, operating systems, and viewport scale values.
- Behavioral Routing: Localized timestamps, entry nodes, and clicks on custom portfolio items.
4. Legal Frameworks for Processing Operations
We process your personal information exclusively under recognized lawful grounds outlined in GDPR Article 6(1):
| GDPR Authority | Operational Purpose | Data Applied |
|---|---|---|
| Art. 6(1)(a) [Consent] | Fulfillment of specific queries, contact submission feedback, and marketing newsletters. | Name, email, and tracking cookies. |
| Art. 6(1)(b) [Contract Execution] | Drafting commercial pricing sheets for custom CRMs, restaurant POS deployments, or web apps. | Corporate business metrics and contact vectors. |
| Art. 6(1)(f) [Legitimate Interest] | Securing web firewalls, evaluating software platform performance, and profiling interface bugs. | Device metadata, server access signatures, and browser logs. |
5. Sub-Processors & Data Routing Infrastructure
To preserve a lightweight portfolio presentation and manage database calls safely, we rely on third-party cloud infrastructure sub-processors. These external vendors are vetted through Data Processing Agreements (DPAs) to ensure strict compliance:
- Cloud Hosting & Assets: Vercel Inc. and Amazon Web Services (AWS) for hosting content delivery networks (CDNs).
- Database Core Systems: Neon Serverless PostgreSQL and Supabase for handling inquiries and secure structural logging.
- Traffic Diagnostics: Vercel Web Analytics for privacy-centric visitor maps (operating on fully anonymized IP data arrays).
6. Integrated Cookie Breakdown Directory
Our platform splits browser tracking mechanics into two operational profiles. We do not use intrusive cross-site ad-tech mechanisms.
Required for primary operations. These do not require user consent under GDPR guidelines.
Cookies: `theme-preference` (dark/light persist), `csrf-token-verification` (form protection).
Used to analyze portfolio interaction rates and verify which UI elements work best. This track runs only if explicitly allowed via our cookie banner.
Cookies: `_vercel_share_metrics`, `va_telemetry_id`.
7. International Cross-Border Transfers & Security Shields
Surge Systems operates development nodes outside the European Economic Area (EEA), including infrastructure managed in Pakistan. To uphold an equivalent level of digital safety, all cross-border infrastructure routing relies heavily on European Commission-approved **Standard Contractual Clauses (SCCs)**.
Furthermore, active text files and database components are locked behind production-grade AES-256 encryption at rest, and transport layers are structured via HTTPS/TLS 1.3 protocol configurations.
8. Automated System Data Breach Action Sequences
In the event of an unexpected cloud database compromise or server infrastructure failure that affects your submitted business info, Surge Systems follows strict GDPR protocols. We will report the details of any data breach to the appropriate European Supervisory Authorities within 72 hours of discovery. If the breach presents a high risk to your operational privacy, we will notify you directly at your recorded business email address without delay.
9. Definitive Data Retention Timelines
We adhere to strict data minimization timelines. Inquiry data sent to our business development desk is kept for a maximum processing window of 180 days from the date of submission if it does not lead to a formal software agreement. If a commercial partnership is formed, data storage shifts to matching service-level agreements (SLAs). Raw system analytics and web firewall logging metrics are automatically scrubbed from active storage environments within 14 days.
10. Verification of Your Statutory Rights Under the GDPR
If you interact with this portfolio from the EU or EEA, you hold clear, enforceable statutory rights under Chapter 3 of the GDPR:
- Art. 15 Right of Access: Obtain clear copies of all operational datasets, identity records, and logs stored under your name.
- Art. 16 Right to Rectification: Force corrections of broken inputs, old business addresses, or incorrect project scopes.
- Art. 17 Right to Erasure ("To Be Forgotten"): Demand the immediate and permanent deletion of your customer files from our live systems.
- Art. 18 Right to Restrict Processing: Freeze active data handling pipelines while keeping the records stored safely in place.
- Art. 20 Right to Data Portability: Export your platform profiles in standard, machine-readable JSON or CSV formats.
To invoke these options, submit an authorized request to privacy@surgesystems.com. If you feel our response does not resolve your privacy concerns, you have the right to lodge an appeal with your local Data Protection Authority (DPA).