
Privacy Policy

Effective date: April 2, 2026

Applies to visitors in the European Union (EU), European Economic Area (EEA), United Kingdom (UK), Germany, Switzerland (where referenced), the United States, Canada, and other regions where we offer this website.

1. Introduction

This Privacy Policy explains how Suriyaa Inc. (Sheridan, Wyoming, USA), represented by its Managing Director, Suriyaa Sundararuban ("we," "us," or "our"), collects, uses, discloses, and protects personal information when you visit suriyaa.co and related pages (the "Website").

We designed this policy to meet requirements under the EU General Data Protection Regulation (GDPR), the UK GDPR, the German Federal Data Protection Act (BDSG), the German Telecommunications Digital Services Data Protection Act (TDDDG, formerly TTDSG) where it applies to cookies and similar technologies, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), other applicable U.S. state privacy laws, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

This Website is primarily informational: company and project information, careers listings, news, and contact forms. We do not operate a consumer login or account system on this Website at this time.

2. Data Controller and Contact

Data controller
Suriyaa Inc.
30 N Gould St, Ste N
Sheridan, WY 82801, USA

Represented by
Suriyaa Sundararuban, Managing Director (Geschäftsführer)

Email: webmaster@suriyaa.co · inquiries@suriyaa.co

For privacy requests, use webmaster@suriyaa.co with the subject line "Privacy Request." We will respond within the timeframes required by applicable law (generally one month under the GDPR, extendable where permitted).

We are not required to appoint a Data Protection Officer (DPO) under Art. 37 GDPR for our current processing activities. Privacy inquiries may nonetheless be directed to the contact above.

3. Personal Information We Collect

Depending on how you use the Website, we may process:

  • Contact and inquiry data: name, email, country, LinkedIn/GitHub URLs, messages, press or legal matter details, optional attachments, and similar fields you submit through our contact forms or email links.
  • Careers-related data: information you voluntarily send to careers@suriyaa.co or via mailto links on the careers page (e.g., name, role interest, location, profile links).
  • Technical and usage data: IP address, browser type, device type, operating system, referring URL, pages viewed, approximate location derived from IP, timestamps, and performance metrics (e.g., Core Web Vitals).
  • Server and security logs: data processed by our hosting and CDN providers for delivery, abuse prevention, and reliability (e.g., request metadata, user agent).
  • Co-founder form data: birthday, city, personality type, startup idea, startup description, GitHub profile, and optional attachments (PDF, images, Word documents up to 30MB).
  • Press form data: media outlet, media type, publication name, article topic, and deadline.
  • Legal inquiry data: matter description, case type, client type, jurisdiction, urgency, and optional attachments.

We do not intentionally collect sensitive categories of data (e.g., health, biometric, or government ID) through the Website. Please do not submit such data unless necessary and lawful for your inquiry.

4. Sources of Information

  • Directly from you (forms, email, mailto links).
  • Automatically from your device and browser when you visit the Website.
  • From service providers that host, deliver, measure, or secure the Website (see Section 8).

5. Purposes and Legal Bases (GDPR / UK GDPR)

Purpose | Legal basis (Art. 6 GDPR)
Respond to inquiries and contact requests | Contract / pre-contractual steps (Art. 6(1)(b)). Legitimate interests (Art. 6(1)(f))
Operate, secure, and improve the Website | Legitimate interests (Art. 6(1)(f))
Comply with law and defend legal claims | Legal obligation (Art. 6(1)(c)). Legitimate interests (Art. 6(1)(f))
Aggregated analytics and performance measurement (Vercel Analytics, Speed Insights) | Legitimate interests (Art. 6(1)(f)). Where required, consent (Art. 6(1)(a))
Google Analytics (if enabled for your visit) | Consent (Art. 6(1)(a)) where required by EU/UK/German law. Legitimate interests where permitted

Where we rely on legitimate interests, you may object as described in Section 11. We balance our interests against your rights and expectations.

6. Cookies and Similar Technologies

Cookies and similar technologies (e.g., local storage, pixels) may be set by us or third parties. Under the TDDDG and ePrivacy rules, non-essential cookies (including many analytics cookies) generally require your consent in Germany and the EU/EEA before they are placed, unless a narrow exemption applies.

Strictly necessary: required for security, load balancing, and basic site operation (e.g., through Cloudflare and Vercel infrastructure). These do not require consent under applicable EU rules.

Analytics and performance: we use Vercel Web Analytics and Vercel Speed Insights, which are designed to collect aggregated, privacy-oriented usage and performance data. Google Analytics (measurement ID G-4Q5D347D84) may also be used to understand traffic patterns. Where consent is required, we will obtain it before activating non-essential analytics for your device.

You can control cookies through your browser settings (block, delete, or limit cookies). Blocking cookies may affect site functionality. For Google Analytics, you may also use Google's opt-out add-on or industry tools where available.

Technology | Provider | Typical purpose
CDN / security cookies | Cloudflare | Delivery, bot mitigation, DDoS protection
Hosting / session | Vercel | Operate the Website and APIs
Web Analytics | Vercel | Aggregated page views and referrers
Speed Insights | Vercel | Core Web Vitals and performance
_ga / analytics cookies | Google | Traffic measurement (ID: G-4Q5D347D84)

7. How We Use Personal Information (All Regions)

  • Provide and maintain the Website and its features.
  • Process and respond to contact, press, legal, co-founder, and general inquiries.
  • Route messages to the appropriate team mailbox (e.g., inquiries@, press@, legal@, ideas@).
  • Display careers information and process unsolicited applications sent by email.
  • Monitor performance, fix errors, and protect against fraud, abuse, and security incidents.
  • Comply with legal obligations and enforce our Terms of Service.
  • Create aggregated or de-identified statistics that do not identify you.

We do not sell your personal information. We do not use your data for automated decision-making that produces legal or similarly significant effects.

8. Service Providers (Processors)

We use trusted providers who process data on our instructions. Key categories include:

  • Vercel Inc. (USA / global edge): website hosting, serverless functions, deployment, Vercel Web Analytics, and Vercel Speed Insights.
  • Cloudflare, Inc. (USA / global): DNS, CDN, DDoS protection, and related security and performance services in front of the Website.
  • Resend, Inc. (USA): transactional email delivery for contact form submissions processed via our API.
  • Google LLC (USA): Google Analytics, if active for your visit.
  • Vercel Blob Storage: hosting of certain media assets linked from the Website.

Provider privacy policies: Vercel, Cloudflare, Resend, Google.

We require processors to protect personal data by contract (Art. 28 GDPR) or equivalent safeguards. We do not authorize them to use your data for their own marketing unrelated to our services.

9. International Data Transfers

Our providers may process data in the United States and other countries outside your home jurisdiction. Where the GDPR/UK GDPR applies, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or adequacy decisions where available. You may request more information about transfer safeguards by contacting us.

10. Retention

  • Contact form and inquiry emails: typically up to 24 months after the inquiry is closed, unless a longer period is required for legal, tax, or dispute purposes.
  • Server and security logs: generally up to 90 days, unless extended for incident investigation.
  • Analytics data: retained according to each provider's settings (often aggregated and shorter-lived).

We delete or anonymize data when it is no longer needed for the purposes collected.

11. Your Rights

EU/EEA/UK/Germany (GDPR): you may have the right to access, rectify, erase, restrict processing, data portability, object to processing based on legitimate interests, and withdraw consent at any time (without affecting prior processing). You may lodge a complaint with a supervisory authority, e.g. the Bavarian State Office for Data Protection Supervision (BayLDA) for Bavaria, Germany: lda.bayern.de.

United States (including California): depending on your state, you may have rights to know, access, correct, delete, and obtain a portable copy of personal information. You may opt out of certain processing (such as "sale" or "sharing" for cross-context behavioral advertising, where applicable). We will not discriminate against you for exercising your rights. We do not sell personal information as defined under the CCPA/CPRA. To submit a request: webmaster@suriyaa.co. We will verify your request as required by law.

Canada (PIPEDA): you may request access to and correction of personal information we hold about you, and challenge our compliance with PIPEDA by contacting us or the Office of the Privacy Commissioner of Canada.

12. Security

We implement technical and organizational measures appropriate to the risk, including:

  • HTTPS (TLS) for data in transit.
  • Security headers configured on the Website (e.g., Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy).
  • Input validation and HTML escaping on contact form processing.
  • File type and size limits on attachments (30MB per file; email size limits enforced server-side).
  • Restricted API keys and environment-based configuration for email and maintenance features.

No method of transmission or storage is 100% secure. Please use caution when sending sensitive attachments. Report suspected security issues to webmaster@suriyaa.co.

13. Third-Party Links and Social Media

The Website links to external sites (e.g., LinkedIn, X/Twitter, GitHub, partner companies, status.suriyaa.co, and investment platforms). Those sites have their own privacy practices. We are not responsible for them.

14. Children

The Website is not directed to children under 16 (or under 13 in the United States). We do not knowingly collect personal information from children. If you believe we have collected such data, contact us and we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. The effective date at the top will change when we do. Material changes will be posted on this page. Continued use of the Website after changes constitutes notice where permitted by law.

16. Marketing Communications

We do not send bulk marketing email solely because you visited the Website. If you contact us, we may respond about your inquiry. If we later offer newsletters or updates, we will ask for consent where required (e.g., double opt-in in the EU/EEA) and provide an unsubscribe mechanism.

17. Disclosure of Personal Information

We may disclose personal information to:

  • Service providers listed in Section 8, under contractual confidentiality and data-processing terms.
  • Affiliated portfolio companies or teams, only where needed to handle your inquiry (e.g., careers routed to a specific company).
  • Professional advisers (lawyers, accountants) under confidentiality obligations.
  • Authorities if required by law, court order, or to protect rights, safety, and security.
  • A successor entity in connection with a merger, acquisition, or asset sale, with notice where required by law.

We do not disclose personal information to third parties for their independent marketing without your consent.

18. How to Exercise Your Rights

Email webmaster@suriyaa.co with:

  • Your name and the email address used with us (if any).
  • The right you wish to exercise (access, deletion, correction, objection, portability, withdrawal of consent).
  • Your country/region of residence (helps us apply the correct law).

We may request reasonable verification (e.g., reply from the same email used in a form submission). Authorized agents may submit requests on your behalf where permitted by law with proof of authorization. We do not charge a fee unless permitted by law for manifestly unfounded or excessive requests.

19. Data Breach Notification

If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required by the GDPR, and notify affected individuals without undue delay when required by law.

20. Profiling and Automated Decisions

We do not use profiling or solely automated decision-making that produces legal or similarly significant effects concerning you. Analytics tools may aggregate usage patterns without identifying you by name in reports we review.

21. Do Not Track and Global Privacy Control

Some browsers transmit "Do Not Track" (DNT) signals. There is no uniform industry standard for responding to DNT. Where legally required, we honor opt-out preference signals such as Global Privacy Control (GPC) for applicable "sale" or "sharing" of personal information, which we do not conduct in the CCPA sense. Analytics preferences should be managed via cookie settings and provider opt-outs as described in Section 6.

22. Additional U.S. State Privacy Rights

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and other states with comprehensive privacy laws may have rights similar to California residents (access, correction, deletion, opt-out of certain processing). Submit requests to webmaster@suriyaa.co. We will not discriminate against you for exercising privacy rights.

California Shine the Light: California residents may request information about disclosure of certain categories to third parties for direct marketing purposes. We do not share personal information for third-party direct marketing as defined under Cal. Civ. Code § 1798.83.

23. Switzerland (FADP)

If you are in Switzerland, the Swiss Federal Act on Data Protection (FADP) may apply in addition to this Policy. You may contact us using the details in Section 2 or lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC).

24. Maintenance Mode

The Website may display a maintenance page controlled by environment configuration. During maintenance, only limited technical data (e.g., IP address in server logs) may still be processed by our hosts to display the notice and protect the infrastructure.

25. Additional Information

Company details required under German law are in our Imprint. Website use is governed by our Terms of Service.