Surround Think

Privacy Policy

Last updated: January 5, 2026

1. Introduction

Surround Think ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Think Board of Advisors service and related products.

2. Information We Collect

2.1 Personal Information

When you use our OAuth authentication system, we collect:

  • Identity Information: OpenID, name, email address
  • Login Method: OAuth provider (Google, Apple, etc.)
  • Account Data: Account creation date, last sign-in date

2.2 Usage Data

We automatically collect certain information when you use our services:

  • Think Board Sessions: Advisor personas created, conversation messages, session context
  • Activity Logs: Service usage, feature interactions, timestamps
  • Technical Data: Browser type, device information, IP address (for security)

3. How We Use Your Information

We use your information for the following purposes:

  • Service Provision: To provide and maintain Think Board functionality
  • Account Management: To manage your account and authentication
  • Session Persistence: To save and restore your Think Board sessions
  • Security: To detect and prevent fraud, abuse, and security incidents
  • Improvements: To analyze usage patterns and improve our services
  • Communications: To send service-related notifications and updates

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), our legal basis for collecting and using your information depends on the data and context:

  • Contract Performance: Processing necessary to provide our services
  • Consent: You have given explicit consent via OAuth authorization
  • Legitimate Interests: For security, fraud prevention, and service improvement

5. Data Sharing and Third-Party Processors

We share your information with the following third-party processors:

  • OAuth Providers: Google, Apple (for authentication)
  • Manus Platform: OAuth portal and infrastructure provider
  • Database Provider: MySQL/TiDB hosting service
  • AI Services: Google Gemini API (for persona generation and conversations)

We do not sell your personal information to third parties.

6. Your Rights (GDPR)

If you are in the EEA, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your account and data
  • Right to Portability: Export your data in a machine-readable format
  • Right to Restrict Processing: Limit how we use your data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time

To exercise these rights, visit your Dashboard and use the "Download My Data" or "Delete My Account" features, or contact us at [email protected].

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide services. We will delete or anonymize your data after 2 years of account inactivity, unless we are required to retain it for legal or regulatory purposes.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • HTTPS encryption for data in transit
  • Secure session tokens with HttpOnly cookies
  • Database access controls and authentication
  • Regular security audits and updates

9. Cookies and Tracking

We use essential cookies for authentication and session management. These cookies are necessary for the service to function and cannot be disabled. We do not use third-party tracking or advertising cookies.

10. International Data Transfers

Your information may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place for such transfers in compliance with GDPR.

11. Children's Privacy

Our services are not intended for children under 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice on our website. Your continued use of our services after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: [email protected]

Data Protection Officer: [email protected]

14. Supervisory Authority

If you are in the EEA and believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection supervisory authority.