SurroSync — The OS for Modern Family Building

1. Overview

SurroSync Inc. ("SurroSync," "we," "our," or "us") operates the SurroSync platform, a technology-assisted surrogacy coordination service. This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with our website and services.

By using our services, you agree to the practices described in this policy. If you do not agree, please do not use our services.

2. Information We Collect

Identity & Contact: Name, email address, phone number, date of birth, government-issued ID scans (for KYC/KYB verification).
Medical & Reproductive: Health history, fertility records, embryo grading reports, lab cycle data submitted through Clinic Portal. Classified as PHI under HIPAA.
Financial: Bank account details (held by our escrow partner), escrow transaction history, invoice records. Payment card data is never stored on SurroSync servers.
Usage & Device: IP address, browser type, pages visited, click events, session duration, referral URLs. Collected via server logs and first-party analytics.
Communications: Messages, notes, and documents exchanged through the SurroSync platform. All channel messages are encrypted in transit and at rest (AES-256).

3. How We Use Your Information

Service Delivery: Matching intended parents with qualified surrogates, coordinating IVF clinic workflows, processing escrow milestones, and issuing legal documentation.
Safety & Verification: Background checks, identity verification, medical eligibility screening.
Legal Compliance: Retaining records required by U.S. federal law (HIPAA, COPPA) and applicable state law. Responding to lawful government requests.
Product Improvement: Aggregated, de-identified usage analytics to improve matching algorithms and platform UX.
Marketing: Only with explicit opt-in consent. You may withdraw consent at any time via Account Settings or by emailing privacy@surrosync.com.

4. CCPA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by CPRA:

Right to Know

Request disclosure of the categories and specific pieces of personal information we have collected about you.

Right to Delete

Request deletion of personal information we hold about you, subject to certain exceptions.

Right to Correct

Request correction of inaccurate personal information.

Right to Opt-Out

Opt out of the sale or sharing of personal information. SurroSync does not sell personal data.

Right to Limit Sensitive PI Use

Restrict our use of sensitive personal information to what is necessary for the service.

Right to Non-Discrimination

We will not discriminate against you for exercising any of the above rights.

5. GDPR Rights (EEA / UK Residents)

If you are located in the European Economic Area or the United Kingdom, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the right to access, rectify, erase, restrict processing, port your data, and object to processing. Our legal bases for processing are: contract performance, legitimate interests, legal obligation, and consent.

To exercise GDPR rights, use the DSAR portal below or contact our Data Protection Officer at dpo@surrosync.com.

6. Cookies & Tracking

We use the following cookie categories:

Strictly Necessary — Session authentication, CSRF protection, load-balancing. Cannot be disabled.

Functional — Language preference, UI state. Stored locally; no third-party sharing.

Analytics (opt-in) — First-party event counts, funnel analysis. No cross-site tracking. Opt in via cookie banner.

Marketing (opt-in) — Interest-based ads only with explicit consent. Third parties: none currently.

You can modify cookie preferences at any time from Account Settings → Privacy & Cookies or by clicking "Manage Cookies" in the site footer.

7. Data Retention

We retain personal data only as long as necessary for the purposes described above or as required by law:

Data Category	Retention Period
Account & Identity	Duration of account + 7 years post-closure
Medical / PHI	10 years per HIPAA Safe Harbor minimum
Financial / Escrow	7 years per IRS recordkeeping requirements
Communications	3 years post-journey completion
Server Logs	90 days rolling
Analytics Events	26 months

8. Third-Party Sharing

We do not sell your personal information. We share data only with:

IVF clinics and maternity hospitals you select via Clinic Directory — limited to treatment-relevant information
Licensed surrogacy agencies coordinating your match
Escrow servicers (background-checked financial institutions) for fund disbursement
Identity verification providers (Persona, Onfido) — data retained per their sub-processor agreements
Law enforcement or courts when required by binding legal process

9. Security

SurroSync implements the following technical and organizational measures to protect your data:

AES-256 encryption at rest

TLS 1.3 in transit

SOC 2 Type II (in progress)

HIPAA Business Associate Agreements

Role-based access controls

PHI_Access_Logs audit trail

15-minute auto-logout for PHI screens

Annual penetration testing

Bug bounty program

10. Contact

Privacy questions: privacy@surrosync.com

Mailing address: SurroSync Inc., 100 Wilshire Blvd, Suite 1000, Santa Monica, CA 90401

DSAR Portal

Data Subject Access Request

Submit a request under CCPA, GDPR, or CPRA. We respond within 30 days.