Our Privacy Policy

Your privacy is important to us

Surfact Privacy Policy

Effective Date: Jul 29, 2025

Last Updated: July 29, 2025


1. Introduction

Surfact AS (“Surfact,” “we,” “us,” or “our”) is committed to protecting the privacy and security of the data we process. This Privacy Policy explains how we collect, use, disclose, and protect information in connection with your use of Surfact Products and Services, including Emma Smart Trackers, Emma Software Dashboard, and Emma Cloud (API flow) (collectively, the “Products and Services”).

As a B2B provider of cold-chain monitoring solutions for the pharmaceutical, food & beverage, logistics & supply chain and asset tracking industries, we understand the critical importance of data integrity and privacy. This policy is designed to comply with the European Union General Data Protection Regulation (GDPR) and other applicable data protection laws, ensuring transparency and control over your data.

By accessing or using our Products and Services, you acknowledge that you have read and understood this Privacy Policy.


2. Data Controller Information

Surfact AS acts as the data controller for the personal data processed in connection with your use of our Products and Services. This means we determine the purposes and means of processing your personal data.

Our contact details are:


Surfact AS

Kjelsåsveien 141, 0491 Oslo, Norway

Email: support@surfact.com


For any questions or concerns regarding this Privacy Policy or your data, please contact us at the email address provided above.


3. Data Collection

In connection with the Surfact Products and Services, we collect data to provide our cold-chain monitoring and business intelligence solutions. The types of data collected depend on the specific Product or Service you are using:

a. Emma Smart Trackers:

When you utilize Emma Smart Trackers for cold-chain monitoring, the trackers collect environmental and location data. This may include:

Temperature Data: Readings from sensors monitoring the temperature of the environment where the tracker is placed.

Location Data: Geographical location information of the tracker, often collected via GPS or other location services.

Timestamps: Date and time information associated with temperature and location readings.

Event Data: Information related to specific events or conditions detected by the tracker (e.g., temperature excursions).

This data is collected automatically by the Smart Trackers’ sensors and transmitted to our systems for processing and analysis.


b. Emma Software Dashboard and Emma Cloud (API flow):

When you access and use the Emma Software Dashboard or interact with the Emma Cloud via API flow, we may collect data related to your usage and account. This may include:

User Account Information: Data provided when you set up and manage your account, which may include business contact details.

Usage Data: Information about how you interact with the Dashboard and Cloud, such as login times, features used, and the types of reports generated.

Analytical Data: Data generated through your use of the Dashboard’s analytics features.

Data Submitted via API: Data that your systems transmit to the Emma Cloud through the provided API interfaces.

This data is primarily collected through your direct interaction with the Software Dashboard and Cloud, as well as through the API integrations you configure.


We collect this data through various methods, including:

Automated sensors and data transmission from Emma Smart Trackers.

User input and interaction with the Emma Software Dashboard.

Data exchange via the Emma Cloud API flow.

Potentially through cookies and other tracking technologies on the Software Dashboard web interface (we will detail this in a separate section if applicable).


4. Data Processing and Purpose

Surfact processes the data collected from Emma Smart Trackers, Emma Software Dashboard, and Emma Cloud (API flow) for specific, legitimate purposes, and always with a valid legal basis under the General Data Protection Regulation (GDPR).

a. Legal Basis for Processing:

We rely on the following legal bases for processing your data:

Performance of a Contract: The processing is necessary for the performance of the contract between Surfact and you, the Customer, for the provision of the Products and Services (e.g., to deliver cold-chain monitoring data, provide access to the Dashboard, manage your account).

Legitimate Interests: We may process data where it is necessary for our legitimate interests or those of a third party, provided these interests do not override your fundamental rights and freedoms. Such legitimate interests include:

Improving and optimizing the functionality and performance of our Products and Services.

Ensuring the security and integrity of our systems.

Conducting internal analytics and business intelligence to enhance our offerings.

Complying with legal obligations and responding to legal requests.

b. Purposes of Processing:

The data we collect is processed for the following purposes:

To Provide and Manage Products and Services:

To enable the core functionality of Emma Smart Trackers for real-time cold-chain monitoring (e.g., tracking temperature, location, and events of your cargo).

To provide access to and maintain the Emma Software Dashboard for analytics and data insights related to your cold-chain operations.

To facilitate data flow and integration via Emma Cloud (API flow) for seamless operation with your systems.

To manage your Customer account, including billing, support, and service delivery.

To Improve and Optimize Our Products and Services:

To understand how our Products and Services are used, allowing us to identify areas for improvement, develop new features, and enhance user experience.

To monitor system performance, diagnose technical issues, and ensure the stability and security of our infrastructure.

To conduct research and development for future enhancements of our cold-chain monitoring and business intelligence solutions.

For Analytics and Business Intelligence:

To generate aggregated and anonymized insights into cold-chain performance trends across industries, which may be used for internal reporting, product development, or industry analysis.

To provide you with customized reports and analytics within the Emma Software Dashboard based on your collected data.

For Security and Compliance:

To detect, prevent, and address technical issues, fraud, or other illegal activities.

To ensure compliance with relevant laws and regulations, including those related to data security and privacy.

To enforce our “Surfact Terms of Use” and other policies.

5. Data Sharing and Disclosure

Surfact understands the importance of maintaining the confidentiality and security of your data. We do not sell your personal data to third parties. However, in order to provide our Products and Services effectively, we may need to share data with certain third parties under specific circumstances, always ensuring that appropriate safeguards are in place in accordance with GDPR.


a. Sharing with Third-Party Service Providers:

We may share data with trusted third-party service providers who perform services on our behalf. These services may include:

Cloud hosting and infrastructure providers (e.g., for storing and processing data from Smart Trackers and the Software Dashboard).

Analytics and business intelligence tools (used to process data within the Software Dashboard).

Customer support and communication platforms.

Providers of security services to protect our systems and your data.

When we share data with these service providers, we ensure that they are contractually obligated to process the data only for the purposes for which it was shared and to implement appropriate technical and organizational measures to protect the data. We enter into Data Processing Agreements (DPAs) with these providers where required by GDPR.


b. Sharing for Legal and Regulatory Compliance:

We may disclose data if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency). This includes complying with legal obligations, enforcing our “Surfact Terms of Use,” and protecting the rights, property, or safety of Surfact, our users, or others.


c. Potential Data Transfers Outside of the EU:

In some cases, our third-party service providers or our own operations may involve the transfer of data outside of the European Union. When such transfers occur, we take steps to ensure that the data is protected to the same extent as within the EU, in accordance with GDPR. These safeguards may include:

Using Standard Contractual Clauses (SCCs) approved by the European Commission.

Transferring data to countries that have been deemed to have an adequate level of data protection by the European Commission.

Implementing Binding Corporate Rules (BCRs) if applicable.

We will only transfer data outside the EU if there is a valid legal basis and appropriate safeguards are in place.


d. Aggregated and Anonymized Data:

We may share aggregated and anonymized data with third parties for various purposes, such as industry analysis, research, or marketing. This data does not identify individual customers or contain personal data, and therefore is not subject to GDPR’s requirements regarding personal data sharing.


6. Data Retention

Surfact retains data collected from the Products and Services for no longer than is necessary for the purposes for which it was collected, or as required by applicable laws and regulations. The specific retention periods depend on the type of data and the purpose of processing.

a. Criteria for Determining Retention Periods:

We determine data retention periods based on the following criteria:

The purpose for which the data was collected: Data is retained as long as necessary to fulfill the specific purpose for which it was initially processed (e.g., providing cold-chain monitoring data, maintaining user accounts, generating analytics).

Legal and regulatory requirements: We retain data for periods mandated by applicable laws, regulations, or industry standards (e.g., tax, accounting, or specific data protection laws).

Contractual obligations: Retention periods may be influenced by contractual agreements with our customers.

Business needs: We may retain data for legitimate business purposes, such as for resolving disputes, enforcing our Terms of Use, or for historical analysis and reporting, provided that these purposes are compatible with the original reasons for collection and do not infringe on user rights.

User consent: If data is processed based on user consent, it is retained until the user withdraws their consent, unless there is another legal basis for continued retention.

b. Specific Data Retention Examples (Illustrative):

While specific retention periods may vary, here are some illustrative examples:

Cold-chain monitoring data (Temperature, Location, Timestamps): This data is typically retained for the duration of the customer’s contract and potentially for a limited period thereafter for historical analysis or compliance purposes, as agreed upon with the customer.

User Account Information: This data is retained as long as the user maintains an active account with Surfact and for a period after account closure to comply with legal obligations or for legitimate business interests.

Usage and Analytical Data (Aggregated and Anonymized): Aggregated and anonymized data, which does not identify individuals, may be retained for longer periods for ongoing business analysis and service improvement.

We periodically review our data retention practices to ensure they align with GDPR and other relevant data protection requirements. When data is no longer required, we securely delete or anonymize it.


7. User Rights

As a data subject under the General Data Protection Regulation (GDPR), you have certain rights concerning your personal data that we process. Surfact is committed to facilitating the exercise of these rights.

a. Your GDPR Rights:

Subject to certain conditions and exceptions, you have the following rights:

Right of Access (Article 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and certain information about the processing.

Right to Rectification (Article 16 GDPR): You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you. You also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to Erasure (‘Right to be Forgotten’) (Article 17 GDPR): You have the right to obtain the erasure of personal data concerning you without undue delay when certain grounds apply (e.g., the data is no longer necessary for the purposes for which it was collected, or you withdraw consent and there is no other legal ground for processing).

Right to Restriction of Processing (Article 18 GDPR): You have the right to obtain restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; (iii) Surfact no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise, or defence of legal claims; or (iv) you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of Surfact override yours.

Right to Data Portability (Article 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to Surfact, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from Surfact, where the processing is based on consent or on a contract and is carried out by automated means.

Right to Object (Article 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on legitimate interests or the performance of a task carried out in the public interest.

Right to Withdraw Consent (Article 7(3) GDPR): Where the processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to Lodge a Complaint with a Supervisory Authority (Article 77 GDPR): Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes GDPR.

b. How to Exercise Your Rights:

To exercise any of your rights listed above, please contact us by sending an email to support@surfact.com.

To protect your privacy and security, we may need to verify your identity before responding to your request. We will respond to your request without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.


8. Data Security Measures

Surfact is committed to protecting the data you entrust to us. We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures are designed to protect data from unauthorized access, loss, destruction, or alteration.

a. Technical Measures:

Our technical security measures include, but are not limited to:

Encryption: We use encryption to protect data both in transit (when it is being transmitted) and at rest (when it is stored on our systems or those of our cloud hosting providers).

Access Control: We implement strict access control mechanisms to ensure that only authorized personnel can access data, based on the principle of least privilege.

Monitoring and Logging: Our systems are monitored to detect and respond to potential security incidents. Activity logs are maintained to track access and changes to data.

Network Security: We employ firewalls, intrusion detection systems, and other network security measures to protect our infrastructure.

Secure Development Practices: Our software development follows secure coding practices to minimize vulnerabilities.


b. Organizational Measures:

Our organizational security measures include, but are not limited to:

Internal Policies and Procedures: We have internal data protection and security policies and procedures that all employees must follow.

Employee Training: Our employees receive regular training on data protection, privacy, and security best practices.

Data Processing Agreements (DPAs): As mentioned in the Data Sharing section, we enter into DPAs with third-party service providers to ensure they meet our data protection standards.

Regular Security Assessments: We conduct regular assessments of our security measures to identify and address potential weaknesses.

Incident Response Plan: We have a plan in place to respond to data security incidents promptly and effectively, including notifying affected parties and relevant supervisory authorities where required by GDPR.

We continuously review and update our security measures in light of new technologies and evolving security threats to maintain a high level of data protection.


9. Cookies and Other Technologies

The Emma Software Dashboard web interface may use cookies and other similar technologies to enhance user experience, provide analytics, and ensure the proper functioning of the service. Cookies are small text files stored on your device when you visit a website.

We use the following types of cookies:

Essential Cookies: These cookies are necessary for the basic functionality of the Emma Software Dashboard. They enable core features such as secure login and session management. The Dashboard cannot operate properly without these cookies.

Analytical Cookies: These cookies collect information about how you use the Emma Software Dashboard, such as which pages you visit, how long you spend on the Dashboard, and any errors encountered. This information is used to improve the performance and design of the Dashboard and to understand user behavior. These cookies typically collect anonymized data.

Functional Cookies: These cookies allow the Emma Software Dashboard to remember your preferences and settings, such as language preferences or customized views. They provide a more personalized and convenient user experience.

Managing Cookies:

Most web browsers allow you to control cookies through their settings. You can choose to block or delete cookies, but please note that doing so may affect your ability to use the Emma Software Dashboard, particularly if essential cookies are blocked or deleted.

For more information on how to manage cookies in your specific browser, please refer to your browser’s documentation.


10. Changes to the Privacy Policy

Surfact reserves the right to update and modify this Privacy Policy from time to time in response to changing legal, regulatory, or operational requirements. Any changes will be posted on our website or the Emma Software Dashboard, and the “Last Updated” date at the top of this policy will be revised. We may also notify you of significant changes through email or other means.

Your continued use of the Products and Services after any changes to this Privacy Policy have been posted constitutes your acceptance of the revised policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, your data, or your GDPR rights, please contact us at:

Surfact AS

Kjelsåsveien 141, 0491 Oslo, Norway

Email: support@surfact.com


We are committed to working with you to resolve any issues regarding your data privacy.