GDPR Compliance

Last updated: June 12, 2026

1. Data Controller

LabasLabas is the data controller for personal data processed through Surface. You can reach us at [email protected].

2. Legal Basis for Processing

We process personal data under the following GDPR lawful bases:

  • Consent (Art. 6(1)(a)) — You consent to processing when you create an account and submit a job search prompt.
  • Legitimate interest (Art. 6(1)(f)) — We process usage data and rate-limit counters to operate and protect the service.

3. Personal Data We Process

  • Identity data — Email address, Clerk user ID.
  • Usage data — Search prompts, search timestamps, daily search counts, viewed results.
  • Technical data — IP address, user agent (processed by Cloudflare and Clerk; not stored by us).

We do not process special categories of personal data (Art. 9).

4. Data Subject Rights

Under the GDPR you have the right to:

  • Access (Art. 15) — Request a copy of your personal data.
  • Rectification (Art. 16) — Correct inaccurate or incomplete data.
  • Erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten").
  • Restriction (Art. 18) — Limit how we process your data.
  • Portability (Art. 20) — Receive your data in a structured, machine-readable format.
  • Objection (Art. 21) — Object to processing based on legitimate interest.
  • Withdraw consent (Art. 7(3)) — Withdraw consent at any time without affecting prior lawful processing.

To exercise any of these rights, email [email protected]. We will respond within 30 days and may ask you to verify your identity.

5. International Data Transfers

Your data is processed and stored in the EU (via Cloudflare's European data centers). Our third-party processors (Clerk, LLM providers) may process data in the US. These transfers are governed by:

  • Standard Contractual Clauses (SCCs) — Cloudflare and Clerk provide SCCs for EU-US data transfers.
  • Adequacy decisions — Where applicable, we rely on the EU-US Data Privacy Framework.

6. Data Retention

  • Account data — Retained until account deletion.
  • Search prompts and results — Retained until account deletion, or until you request their deletion.
  • Rate limit counters — Reset daily at midnight UTC.
  • Scoring cache — Hashed prompt fingerprints stored indefinitely for efficiency. Raw prompts are not stored in the cache.

7. Cookies & Tracking

Surface does not use cookies for tracking, analytics, or advertising. The only cookies present are:

  • Authentication cookies — Set by Clerk to maintain your sign-in session (strictly necessary).

No consent banner is required as we set no non-essential cookies.

8. Data Processors

  • Clerk, Inc. — Authentication and user management.
  • Cloudflare, Inc. — Infrastructure hosting (Workers, Pages, D1).
  • LLM providers — Your prompt text is sent to third-party AI providers for job scoring. Prompts are sent without any identifier linking them to you.

We have Data Processing Agreements (DPAs) in place with all processors where required.

9. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by Arts. 33 and 34 of the GDPR.

10. Automated Decision-Making

Surface uses AI to score and rank job postings based on your prompt. This does not constitute automated decision-making that produces legal effects or significantly affects you (Art. 22). The scoring is a recommendation tool — you make the final decision about which jobs to pursue.

11. Right to Complain

If you believe our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority in your EU member state. We encourage you to contact us first at [email protected] so we can address your concerns directly.

12. Contact

For GDPR-related inquiries or to exercise your data subject rights, contact us at [email protected].