Privacy Policy
Last updated: February 18, 2026
This Privacy Policy describes how Superstellar LLC, operating as Serge, collects, uses, discloses, and protects personal data when you visit serge.ai or use our platform. It applies to all users worldwide. If anything is unclear, contact us at privacy@serge.ai.
01
Who we are
- Serge is operated by Superstellar LLC (“we”, “us”, “our”). We are the data controller for account information and usage data processed through the Serge platform.
- For all privacy inquiries, contact us at privacy@serge.ai.
02
Information we collect
- Scan data — When you scan a domain, we crawl publicly available resources (homepage, API docs, OpenAPI specs, llms.txt, structured data) and store the resulting check results, scores, and domain name.
- Email addresses — When you request a full report, we collect your work email address. This is PII.
- Technical and usage data — Anonymized page views and feature usage (via PostHog), IP addresses for rate limiting (not stored persistently), browser and device information for analytics, and error data for debugging (via Sentry, with personally identifiable information scrubbed before transmission).
03
How we use your information
- Service delivery — We use scan data to provide agent readiness scores and reports. Legal basis: performance of our contract with you (GDPR Art. 6(1)(b)).
- Communication — We send the full report to the email address you provide. We do not send marketing emails unless you separately opt in. Legal basis: performance of contract (Art. 6(1)(b)).
- Security and abuse prevention — We use IP-based rate limiting and audit logging to protect the platform and your data. Legal basis: legitimate interest in platform security (Art. 6(1)(f)).
- Product improvement — We use anonymized, aggregated usage analytics to understand how people use Serge and to improve the product. Legal basis: legitimate interest (Art. 6(1)(f)), balanced against your privacy through strict anonymization.
- Legal compliance — We may process data to comply with applicable laws, respond to lawful requests from public authorities, or establish, exercise, or defend legal claims. Legal basis: legal obligation (Art. 6(1)(c)) or legitimate interest (Art. 6(1)(f)).
04
Data sharing and sub-processors
- We do not sell your personal data. We do not share your data for advertising or cross-context behavioral targeting. We share data only with the sub-processors listed below, strictly for the purposes of operating and maintaining the Serge service.
- Neon — PostgreSQL database hosting. United States and European Union. SOC 2 Type II certified. All data encrypted at rest.
- Upstash — Redis caching and rate limiting. SOC 2 Type II certified. Used for ephemeral rate-limit counters only.
- Vercel — Application hosting and global CDN. United States. SOC 2 Type II certified.
- Sentry — Error tracking and monitoring. United States. All PII is scrubbed before data leaves your browser or our servers.
- PostHog — Product analytics. European Union. Only anonymized, non-personally-identifiable usage data is transmitted.
- We will notify you at least 30 days before engaging a new sub-processor that handles personal data, giving you the opportunity to object.
05
International data transfers
- Serge is hosted primarily in the United States. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States.
- For transfers from the EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs) as the primary transfer mechanism, supplemented by technical safeguards including encryption in transit (TLS 1.2+) and at rest.
- For transfers from Switzerland, we rely on the Standard Contractual Clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
- Copies of the applicable transfer mechanisms are available upon request at privacy@serge.ai.
06
Data retention
- Scan results — Retained indefinitely for benchmarking purposes. Scans are associated with domains, not individuals.
- Email addresses — Retained for report delivery and follow-up. You may request deletion at any time by contacting privacy@serge.ai.
- Usage analytics — Anonymized data retained for 12 months via PostHog. Error tracking data retained for 90 days via Sentry.
07
Security measures
- Encryption — All data in transit is protected by TLS 1.2 or higher. Database storage is encrypted at rest via Neon’s managed encryption.
- Application security — Security headers (Content Security Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options) are enforced on all responses. Server-side input validation is applied at every boundary using Zod schemas. Rate limiting is enforced per endpoint.
08
Your privacy rights
- Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data. We honor these rights for all users regardless of location, to the extent permitted by applicable law.
- Right of access — You may request confirmation of whether we process your personal data and, if so, receive a copy of that data in a structured, commonly used format.
- Right to rectification — You may request correction of inaccurate personal data.
- Right to erasure — You may request deletion of your personal data.
- Right to restrict processing — You may request that we limit how we use your data while a dispute or request is being resolved.
- Right to data portability — You may request your data in a machine-readable format (JSON) for transfer to another service.
- Right to object — You may object to processing based on our legitimate interest.
- To exercise any of these rights, email privacy@serge.ai with your request. We will respond within 30 days.
- If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.
09
Additional rights for California residents
- If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.
- We do not sell personal information as defined by the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising.
- To exercise your California privacy rights, email privacy@serge.ai.
10
Provisions for Swiss residents
- For residents of Switzerland, we process personal data in compliance with the Swiss Federal Act on Data Protection (nFADP).
- The competent supervisory authority for data protection matters in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland.
11
Cookies and similar technologies
- We do not use advertising cookies, retargeting pixels, social media tracking pixels, or any third-party tracking cookies. We do not participate in any advertising networks.
- Analytics — We use PostHog for anonymized product analytics. You may block analytics via your browser settings or a content blocker without affecting service functionality.
12
Children’s privacy
- Serge is a business-to-business service designed for professional use by adults. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us at privacy@serge.ai.
13
Changes to this policy
- We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements, or for other operational reasons.
- Material changes — We will notify you via email and in-app notification at least 30 days before the changes take effect.
- Your continued use of Serge after the updated policy takes effect constitutes acceptance of the changes.
14
Contact and supervisory authorities
- Privacy inquiries and rights requests — privacy@serge.ai
- General legal inquiries — legal@serge.ai
- Serge is operated by Superstellar LLC.