Privacy Policy

Privacy Policy

Effective date: May 2026

Last updated: May 2026

1. Data Controller

Surface is a creative studio operated by Amin Gabbani as a sole trader (enskild firma) registered in Sweden.

Ehrensvärdsgatan 2B 212 13 Malmö, Sweden

Org. Nr:‍ 950112-7535

VAT/USt-IdNr: SE950112753501

For any questions regarding this policy or your personal data, contact us at hello@surfacestudio.xyz.

2. Information We Collect

We collect personal information that you voluntarily provide to us when you enquire about our services or engage with us professionally. This includes your name, company name, email address, phone number, service interest, preferred project start date, and project details as submitted through our contact form.

We do not collect sensitive personal data. We do not purchase, harvest, or otherwise obtain personal data from third party sources.

3. How We Use Your Information

We use the information we collect to respond to your enquiry and communicate with you about your project, to provide, deliver, and improve our services, to comply with applicable legal obligations, and to protect our rights, property, or safety and that of our clients.

We will never use your information for automated decision-making or profiling.

4. Legal Basis for Processing

Under the EU General Data Protection Regulation (GDPR) and UK GDPR, we process your personal data on the following lawful bases: legitimate interest in responding to your enquiry and managing our business relationship, performance of a contract when we are engaged to deliver services, and compliance with legal obligations where applicable.

5. How We Share Your Information

We do not sell, rent, trade, or otherwise disclose your personal information to third parties for their own purposes. We may share your information with service providers who assist in operating our website and delivering our services, such as our website platform provider Squarespace, and with professional advisors, legal authorities, or regulatory bodies where required by law or to protect our legal rights.

All third party service providers are required to process your data in accordance with applicable data protection laws.

6. International Data Transfers

We operate globally and serve clients across multiple jurisdictions. Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) or the United Kingdom. Where such transfers occur, we ensure that appropriate safeguards are in place, including standard contractual clauses approved by the European Commission or equivalent mechanisms, to protect your data in accordance with GDPR and UK GDPR.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal, accounting, or reporting obligations, or to resolve disputes and enforce our agreements. When your data is no longer required, it will be securely deleted or anonymised.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. However, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

9. Cookies and Analytics

Our website uses cookies managed by our platform provider, Squarespace. For details on what cookies are used and how to manage your preferences, please refer to the cookie notice displayed on our website.

We may use Google Analytics or similar tools to collect anonymised data about how visitors interact with our website. This information is used solely to improve our website and does not personally identify you. You may opt out of analytics tracking through your browser settings or by using the Google Analytics opt-out browser add-on.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data.

Under the EU GDPR and UK GDPR, you have the right to access the personal data we hold about you, to rectify inaccurate or incomplete data, to request erasure of your data, to restrict or object to processing, to data portability, and to lodge a complaint with a supervisory authority. The relevant supervisory authority in Sweden is Integritetsskyddsmyndigheten (IMY).

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the right to know what personal information is collected, to request deletion, to opt out of the sale or sharing of personal information, and to non-discrimination for exercising these rights. We do not sell or share personal information as defined under the CCPA.

To exercise any of these rights, contact us at hello@surfacestudio.xyz. We will respond within 30 days or within the timeframe required by applicable law.

11. Third Party Links

Our website may contain links to third party websites or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to read the privacy policy of any website you visit.

12. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate consent, we will take steps to delete that information.

13. Changes to This Policy

We reserve the right to update this privacy policy at any time. Any changes will be posted on this page with a revised effective date. Continued use of our website or services after changes are posted constitutes acceptance of the updated policy.

14. Governing Law

This privacy policy is governed by the laws of Sweden, without regard to conflict of law principles. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of Malmö, Sweden, except where mandatory consumer protection laws of your jurisdiction provide otherwise.

Thank you,

Team Surface