Data Processing Addendum

Last updated: 9 July 2026

This addendum is part of the API Terms between you and Surfy Ltd, a company registered in England and Wales (company number 15026168), registered office at 14-2e Docklands Business Centre, 10-16 Tiller Road, London, E14 8PX, United Kingdom. It applies whenever text you send to the Linguin API contains personal data. If you need a countersigned copy, ask on the contacts page.

Roles

For personal data in your API calls, you are the controller and Surfy Ltd is the processor. You decide what to send and why, we process it to serve your calls and for nothing else. Each API call is your documented instruction to process the data it carries.

What we process

The text you submit and the results we generate from it, together with request metadata (method, timing, cost) kept so you can retrieve results and audit your usage. The data subjects and the kinds of personal data involved are determined by what you send, which is under your control. Do not send special category data, and send personal data at all only when you have a lawful basis for it.

Our commitments

We process the data only to serve your calls. The people who can access it are bound by confidentiality. Data moves over encrypted connections, API keys are stored hashed, and access to production systems is restricted. We tell you without undue delay if we learn of a personal data breach affecting your data, and we give you the information we have about it.

We help you meet your own obligations where the data is in our hands: if a data subject request or a regulator concerns data you processed through the API, we provide reasonable assistance, and we answer reasonable questions needed to demonstrate this addendum is being kept, with audits on reasonable notice at your cost where the law entitles you to one.

Sub-processors

You authorise the sub-processors we use to run the service:

  • ReliableSite (United States), the hosting provider. Our servers run in its New York City metro data centre, so stored call data lives there.
  • Cerebras Systems (United States), the AI infrastructure that generates results from submitted text.
  • Stripe (United States), payment processing. Stripe handles billing data only and never sees API call content.

If we add or replace a sub-processor handling call content, we announce it in updates with reasonable notice. If you object, your remedy is to stop using the API, and the refund rules of the API Terms apply.

International transfers

We operate under UK GDPR. Processing happens in the United States, where both our servers and the AI infrastructure are, and the transfer rests on the UK International Data Transfer Addendum together with the EU Standard Contractual Clauses, or another mechanism the law recognises.

Retention and deletion

Call content and results are kept so you can retrieve and audit them, and go when your account goes. Ask on the contacts page to have your stored call data deleted earlier, and we will remove it unless the law requires keeping it. Billing records follow accounting law.

Liability

Liability under this addendum follows the API Terms, including its cap.

Look up word or phrase...