Privacy Policy
We review this Privacy Policy at least once every 12 months and update it when our practices or applicable law change.
1. Introduction & scope
Surface Agency ("Surface," "we," "us," or "our") is a U.S.-based creative, media, and advertising agency with operations in California. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our website at https://surfaceagency.co (the "Site") and our own business and marketing activities.
This policy describes information we handle as a business/controller — primarily information about Site visitors and our business contacts. It does not govern personal information we process on behalf of our clients when delivering advertising and media services; see Section 2.
2. Our role: service provider/processor vs. business/controller
We operate in two distinct capacities:
- Service provider / processor (for our clients). When we deliver advertising and media services, we handle data belonging to our clients and data obtained from advertising platforms on our clients' behalf. We process that data only to perform the services our clients engage us to provide, under our written contracts, and we do not retain, use, sell, or disclose it for any other purpose, or combine it across clients, except as permitted by law. If you are a customer of one of our clients and wish to exercise privacy rights over data we process for that client, please contact that client (the business that collected your information); we will assist the client as required by law.
- Business / controller (for our own Site and marketing). When you visit our Site, contact us, or otherwise interact with Surface directly, we act as the "business" under California law and the "controller" under the EU/UK GDPR.
3. Personal information we collect
The categories below use the categories of personal information defined in the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), and reflect what we may have collected in the preceding 12 months.
A. Identifiers
Examples: Name, email, postal address, phone, IP address, online/device identifiers, account names, platform app-scoped user IDs.
Sources: You; the Site automatically; clients; advertising platforms.
Purpose: Respond to inquiries; provide and optimize advertising services (incl. via the Meta Marketing API); operate and secure the Site; business development.
Disclosed to: Service providers; advertising platforms; the relevant client; legal/government recipients.
Sold: No · Shared for cross-context ads: Yes*
B. California customer records (Civ. Code §1798.80(e))
Examples: Name, contact details, professional/employment info for business contacts.
Sources: You; clients.
Purpose: Provide services; communications; contracting.
Disclosed to: Service providers; the relevant client.
Sold: No · Shared for cross-context ads: No
C. Commercial information
Examples: Services inquired about or purchased; engagement and account records.
Sources: You; clients.
Purpose: Provide services; business development; recordkeeping.
Disclosed to: Service providers; the relevant client.
Sold: No · Shared for cross-context ads: No
D. Internet/network activity
Examples: Browsing and Site usage; interactions with the Site and ads; cookie/pixel data; analytics; ad performance metrics.
Sources: The Site automatically; analytics/ad providers; platforms.
Purpose: Operate and improve the Site; measure and optimize advertising; security.
Disclosed to: Service providers; advertising platforms.
Sold: No · Shared for cross-context ads: Yes*
E. Geolocation data
Examples: Approximate/coarse location derived from IP address (not precise geolocation).
Sources: The Site automatically.
Purpose: Site analytics; security; ad measurement.
Disclosed to: Service providers; advertising platforms.
Sold: No · Shared for cross-context ads: Yes*
F. Professional/employment info
Examples: Business-contact role/company; job-applicant information.
Sources: You; clients.
Purpose: Provide services; recruiting.
Disclosed to: Service providers.
Sold: No · Shared for cross-context ads: No
G. Inferences
Examples: Profiles reflecting preferences/behavior used for audience creation and ad optimization.
Sources: Derived from the above.
Purpose: Optimize advertising.
Disclosed to: Service providers; advertising platforms.
Sold: No · Shared for cross-context ads: Yes*
*"Sharing" under the CCPA includes disclosing personal information for cross-context behavioral advertising, even with no money exchanged. To the extent our Site uses advertising cookies or pixels, those disclosures may be a "share." See Sections 8 and 11 for your opt-out.
4. Sensitive personal information
We do not collect "sensitive personal information" (as defined in Civ. Code §1798.140(ae)) from Site visitors for purposes beyond those permitted under Civ. Code §1798.121(a) and 11 CCR §7027, and we do not use it to infer characteristics about you. Accordingly, the right to Limit the Use and Disclosure of Sensitive Personal Information does not apply to our handling of Site-visitor information. (Login credentials and API tokens used to operate our advertising tools are company credentials used solely for the permitted purpose of operating those tools.)
5. How we use personal information
We use personal information to: deliver, manage, measure, and optimize advertising and media campaigns for our clients (including via the Meta Marketing API); operate, secure, and improve our Site; respond to your inquiries; conduct business development and our own marketing; perform analytics; and comply with legal obligations. Where the law requires consent (for example, certain cookies or profile building), we obtain it.
6. Cookies and tracking technologies
Our Site uses cookies and similar technologies (pixels/web beacons, SDKs, device identifiers, server logs):
- Strictly necessary — required for the Site to function (session, security).
- Analytics/performance — help us understand Site usage (e.g., Google Analytics).
- Advertising — measure and serve advertising, including our own retargeting (e.g., the Meta Pixel/Conversions API and Google advertising tags, as applicable).
Cookies may be first- or third-party and session- or persistent. Third parties may use them to collect information about your online activities across different websites and over time. You can manage cookies through our cookie preferences tool (where available), your browser settings, and industry opt-outs at the DAA (https://optout.aboutads.info) and NAI (https://optout.networkadvertising.org). You can also manage advertising preferences directly with the platforms — for example, Google Ads Settings (https://adssettings.google.com) and your Meta ad preferences (https://www.facebook.com/adpreferences).
7. Do Not Track and opt-out preference signals
Do Not Track (DNT). Some browsers send a "Do Not Track" signal. Because there is no common industry standard for DNT, our Site does not currently respond differently to DNT signals. Third parties may collect personal information about your online activities over time and across different websites when you use our Site.
Global Privacy Control (GPC). We honor opt-out preference signals, including the Global Privacy Control (GPC). When we detect a valid GPC signal, we treat it as a request to opt out of the sale/sharing of personal information for that browser or device.
8. How we disclose personal information; sale and sharing
Categories of recipients. We may disclose personal information to: service providers and sub-processors that support our business and tools (e.g., website hosting (Squarespace), analytics, security); advertising platforms (e.g., Meta, Google) acting as independent businesses for their own purposes; the relevant client; legal, regulatory, or government recipients where required; and parties to a corporate transaction (e.g., merger or acquisition).
Sale. We do not sell personal information for monetary consideration.
Sharing (cross-context behavioral advertising). To the extent our Site uses advertising cookies/pixels, we may "share" certain personal information for cross-context behavioral advertising as defined by the CCPA. You can opt out — see Section 11.
Preceding 12 months.
- Categories of personal information sold: None.
- Categories shared for cross-context behavioral advertising: Identifiers; Internet/network activity; Geolocation; Inferences (Categories A, D, E, G).
- Categories disclosed for a business purpose: Categories A–G, to the recipient categories listed above.
Minors. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.
9. Meta/Facebook Platform data
We operate an internal application that uses the Meta Marketing API to manage advertising. Through it we obtain data from Meta's platforms — including ad accounts, campaign and audience data, Facebook Page assets, advertising performance metrics, and app-scoped user identifiers — only for accounts, Pages, and assets that Surface or our clients own or are authorized to manage. We use this data solely to create, manage, measure, and optimize advertising campaigns for our clients.
We process Meta platform data only as described in this policy and in compliance with Meta's Platform Terms and Developer Policies. This policy does not supersede, modify, or weaken Meta's terms or policies. We share platform data only with the relevant client, Meta, and our named sub-processors, and we do not sell it. We build or augment audience profiles from Meta platform data only with the consent required by applicable law and Meta's policies. We delete platform data without undue delay upon a valid request, when it is no longer needed for the services, when Meta requests it, or when required by law.
10. Your California privacy rights
California residents have the following rights under the CCPA:
- Right to know/access — the categories and specific pieces of personal information we collected, the sources, the business/commercial purposes, and the categories of third parties to whom we disclosed it.
- Right to data portability — to receive that information in a portable, readily usable format.
- Right to delete — to request deletion of personal information we collected, subject to legal exceptions.
- Right to correct — to request correction of inaccurate personal information.
- Right to opt out of the sale or sharing of personal information (see Section 11).
- Right to limit the use and disclosure of sensitive personal information — not applicable here (see Section 4).
- Right to non-discrimination — we will not deny you goods or services, charge you different prices or rates, or provide a different level or quality of service because you exercised your privacy rights.
You may also designate an authorized agent to make a request on your behalf. Although California law does not require it, we also offer an appeal process if we deny a request (see Section 12).
11. Your privacy choices (Do Not Sell or Share)
Because we may share personal information for cross-context behavioral advertising, you can opt out at any time by:
- Using the "Your Privacy Choices" (or "Do Not Sell or Share My Personal Information") link on our Site and our cookie preferences tool;
- Enabling the Global Privacy Control (GPC) in your browser — we honor it (Section 7); or
- Emailing privacy@surfaceagency.co with the subject "Opt Out of Sale/Sharing."
Opt-outs are specific to the browser/device and account from which they are made; you may need to renew them if you clear cookies or use another device.
12. How to submit a privacy request
Methods. Submit requests to know, delete, correct, or opt out by email at privacy@surfaceagency.co or through our online form at https://surfaceagency.co/contact. Surface operates exclusively online and has a direct relationship with Site visitors; under the CCPA we therefore designate these methods for submitting requests.
Verification. To protect your information, we will take reasonable steps to verify your identity (for example, by confirming information you provide against information we hold, or via email confirmation) before fulfilling a request to know, delete, or correct.
Authorized agents. An authorized agent may submit a request with your written permission; we may require the agent to provide proof of authorization and may verify your identity directly.
Timing. We will acknowledge your request within 10 business days and respond within 45 calendar days. If we need more time, we may extend once by an additional 45 days (90 days total) and will notify you.
Appeals. If we deny your request, you may appeal by emailing privacy@surfaceagency.co with the subject "Privacy Appeal."
13. Data deletion & correction (Meta Data Deletion Instructions)
All users may request correction or deletion of personal information, including data obtained through our Meta-connected application. To do so, email privacy@surfaceagency.co with the subject "Data Deletion Request" or "Correction Request" and a description of the information at issue. We will verify the request, process it, and provide a confirmation/status reference. This section serves as our Data Deletion Instructions for purposes of the Meta App Dashboard. California residents may also use the request methods in Section 12.
14. Data retention
We retain each category of personal information only as long as necessary for the purposes described in this policy, then delete or de-identify it. Our intended retention periods/criteria:
| Category / data type | Retention |
|---|---|
| Inquiry & contact-form data (A, B) | Up to 24 months after your last contact, unless an ongoing relationship requires longer |
| Client & campaign records (A–D, G) | Duration of the engagement plus up to 7 years for legal, tax, and accounting requirements |
| Site analytics & advertising data (D, E) | Up to 26 months |
| Job-applicant data (F) | Up to 24 months after a hiring decision |
| Meta/platform data (Section 9) | Only as long as needed to provide the services, or as Meta or law requires; deleted without undue delay thereafter |
Where a fixed period is impractical, we determine retention based on the nature and sensitivity of the data, the purpose, our legal and contractual obligations, and dispute-resolution needs.
15. Data security
We maintain reasonable administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, loss, or misuse — including encryption in transit, access controls on a least-privilege basis, and secure storage of credentials and API tokens. No method of transmission or storage is 100% secure. Where we handle any children's data, we maintain a written information security program consistent with applicable law.
16. Children's privacy
Our Site and services are intended for businesses and are not directed to children under 13. We do not knowingly collect personal information from children under 13, consistent with the Children's Online Privacy Protection Act (COPPA) and its amended Rule. If we learn we have collected such information, we will delete it; a parent or guardian may contact us at privacy@surfaceagency.co. Separately, under California law we do not knowingly sell or share the personal information of consumers under 16 without opt-in consent.
17. International data transfers
We are based in the United States and process information in the U.S. and other countries. Where we handle personal data from the EU/EEA, the UK, or Switzerland, we rely on appropriate safeguards for cross-border transfers, such as the EU-U.S. Data Privacy Framework (and its UK and Swiss extensions) and/or the European Commission's Standard Contractual Clauses.
18. Your rights in the EEA/UK (GDPR)
If the GDPR applies to our processing, you have the rights to access, rectify, erase, restrict, and port your personal data; to object to processing (including profiling and automated decision-making); and to withdraw consent. You may also lodge a complaint with your supervisory authority. To exercise these rights, contact us using Section 12. The GDPR can apply where we offer services to, or monitor, individuals in the EEA/UK.
19. Your California privacy rights — "Shine the Light"
Under California Civil Code §1798.83, California residents may request information about our disclosure of personal information to third parties for those third parties' own direct-marketing purposes. We do not disclose personal information to third parties for their own direct marketing without your consent; you may also opt out by emailing privacy@surfaceagency.co.
20. Changes to this policy
We may update this policy from time to time. When we make material changes, we will revise the "Last updated" date above and, where appropriate, provide additional notice through the Site or by email. Changes take effect when posted.
21. Contact us
Surface Agency
Email: info@surfaceagency.co
Mailing address: 1501 Tappahannock Trail
Marietta, GA 30062
Website: https://surfaceagency.co
For California or GDPR rights requests, please use the methods in Section 12.