Legal Documents
- Effective Date:
- June 3, 2025
- Operator:
- SurgePoint, Inc.
- Contact:
- dane@thesurgepoint.com
- Website:
- thesurgepoint.com
Privacy Policy
This Privacy Policy describes how SurgePoint, Inc. ("SurgePoint," "we," "us," or "our") collects, uses, and handles information when you or your customers interact with our platform, including our AI-assisted messaging and appointment management services.
1. Who This Policy Covers
This policy applies to:
- Business clients ("Clients") who subscribe to SurgePoint and connect their Instagram professional accounts to our platform.
- End users ("Customers") who send direct messages to a Client's Instagram account and interact with our messaging system.
2. Information We Collect
From Business Clients:
- Business name, contact information, and billing details provided during account registration.
- Instagram account credentials and permissions granted through Meta's secure OAuth authentication flow. We never store Instagram passwords.
- Service configuration preferences, business hours, booking rules, and other settings provided to operate the platform.
From Customer Interactions (Instagram DMs):
- Instagram sender username, display name, and profile picture as provided by the Instagram Messaging API.
- Message content exchanged within the Direct Message conversation.
- Ad identifier (ad_id) for messages initiated through Instagram ads, used solely for attribution reporting to the Client.
- Contact information (such as phone number or email address) voluntarily provided by the Customer during the conversation for appointment confirmation purposes.
What We Do Not Collect:
- We do not collect Instagram passwords, login credentials, or authentication tokens beyond what is required by Meta's OAuth standard.
- We do not collect data from Instagram accounts that have not sent a direct message to a connected Client account.
- We do not access or store Instagram media CDN content beyond the immediate message delivery window. Media URLs are not cached or retained.
3. How We Use Information
We use collected information solely to provide and improve the SurgePoint service:
- To receive inbound Direct Messages sent by Customers to a Client's Instagram professional account and deliver automated responses on behalf of the Client.
- To facilitate lead qualification conversations and appointment booking as configured by the Client.
- To route conversations to the correct Client location or team member based on the receiving account.
- To provide Clients with message history and conversation summaries within the SurgePoint dashboard.
- To attribute inbound messages to specific ad campaigns where ad_id data is available.
We do not use Customer data for advertising, profiling, or any purpose unrelated to delivering the service to the Client whose account received the message.
We do not sell, rent, or share Customer data with third parties for their own marketing purposes.
4. Third-Party Service Providers
To deliver the platform, SurgePoint shares limited data with trusted service providers operating under confidentiality obligations:
- AI infrastructure providers: Conversation content is processed by our AI response engine to generate replies. These providers process data on our behalf and are contractually prohibited from using it for their own purposes.
- Appointment scheduling systems: When a Customer books an appointment, relevant booking details are passed to the Client's connected scheduling platform (such as Mindbody, Zenoti, or Boulevard).
- Cloud infrastructure: Our platform operates on secure, industry-standard cloud hosting providers.
We do not permit any third-party service provider to retain, use, or disclose Customer data beyond what is necessary to perform services for SurgePoint.
5. Meta Platform Data
SurgePoint accesses Instagram messaging data through Meta's official Graph API under permissions granted by the Client. Our use of this data is governed by Meta's Platform Terms and our Data Processing Agreement with Meta. We comply with all applicable Meta Platform Policies, including:
- We access only the minimum permissions necessary to provide the messaging service (instagram_manage_messages and related permissions).
- We do not use Instagram data to create independent user profiles or for any purpose inconsistent with what the user would reasonably expect given their interaction with the Client's account.
- Customers may request deletion of their conversation data at any time by contacting the Client or by emailing dane@thesurgepoint.com.
6. Google User Data
When a Client connects their Google account, SurgePoint accesses Google data through Google's official OAuth consent flow, limited to the scopes the Client grants. We request only the minimum scopes required for the following features:
- Google Business Profile (business.manage) — to read and manage the Client's Google business reviews and respond to reviewers on the Client's behalf.
- Google Calendar availability (calendar.readonly) — to read the Client's calendars and free/busy times so our AI front desk offers clients only genuinely available appointment slots and avoids double-booking.
- Google Calendar bookings (calendar.events) — to create, reschedule, and cancel appointment events on the Client's calendar when a booking is made or changed.
- Google account email (userinfo.email) — to identify the connected Google account.
SurgePoint's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access Google user data solely to provide the features described above.
AI and Google data: SurgePoint uses third-party AI providers (for inference only) to power its messaging and scheduling features. We do not use Google user data to develop, improve, train, or fine-tune any generalized or foundational AI/ML model, and our AI providers are contractually prohibited from doing so. Google user data is never used for advertising and is never sold to third parties.
7. Data Retention
- Conversation message content is retained for up to 90 days to provide Clients with conversation history, after which it is automatically deleted from our systems.
- Appointment booking data is retained for the duration of the Client's subscription plus 30 days following termination.
- Instagram media CDN URLs (images, audio, video) are not stored or cached beyond the immediate message processing window.
- Upon written request, we will delete a Customer's data within 30 days.
8. Automated Messaging Disclosure
SurgePoint's platform enables Clients to respond to inbound Instagram Direct Messages using an automated messaging system. When a Customer sends a Direct Message to a Client account that uses SurgePoint:
- The initial response and qualifying conversation may be handled by an automated system acting on behalf of the Client.
- Customers will be notified at the start of the conversation that they are interacting with an automated messaging assistant.
- Customers may request to speak with a human agent at any time during the conversation.
This disclosure is made in compliance with California's Bolstering Online Transparency (B.O.T.) Act (SB 1001) and applicable platform policies.
9. California Privacy Rights (CCPA)
California residents have the right to:
- Know what personal information we collect, use, disclose, or sell.
- Request deletion of their personal information.
- Opt out of the sale of their personal information. SurgePoint does not sell personal information.
- Non-discrimination for exercising their privacy rights.
To exercise these rights, contact us at dane@thesurgepoint.com.
10. Security
SurgePoint implements industry-standard security measures including encryption in transit (TLS), access controls, and regular security reviews. No system is perfectly secure; we encourage Clients to maintain strong account credentials and enable two-factor authentication on connected Meta accounts.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Clients of material changes via email or platform notification. Continued use of the platform following notice of changes constitutes acceptance of the updated policy.
12. Contact
For privacy questions or data requests:
- Email: dane@thesurgepoint.com
- Website: v2.thesurgepoint.com/privacy
© 2026 SurgePoint, Inc. All rights reserved.