Privacy Policy

This Privacy Policy explains how Vine and Twig Technologies Inc., doing business as "Surf Payroll" ("Surf," "we," "us," or "our"), collects, uses, stores, and discloses personal information when you use the Surf Payroll platform, website runsurf.co, and related services (collectively, the "Services"). It applies to all users, including employer clients, employees using the self-service portal, and accounting professionals using the CPA & Accountant Portal. 

This Policy is prepared in compliance with the Florida Information Protection Act (FIPA), Florida Statutes § 501.171; the Florida Deceptive and Unfair Trade Practices Act (FDUTPA); the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA) where applicable; and all other applicable federal and state data protection laws, including applicable state comprehensive privacy statutes in the jurisdictions where our clients' employees are located. By using the Services, you confirm that you have read and understood this Policy. 

1.Who We Are We?

Vine and Twig Technologies Inc. is a company organized under the laws of the State of Florida, with its registered office at Linden Depot Rd, San Antonio, FL 33576. We operate the Surf Payroll platform under the trade name "Surf Payroll." In respect of employee personal data submitted by employer clients, Surf acts as a data processor operating on the employer's instructions. In respect of data collected for our own operational and security purposes, Surf acts as an independent data controller. The full framework governing Surf's processing obligations as a processor is set out in the Data Processing Agreement (DPA), which is incorporated into the Surf Payroll Terms of Service. For all privacy-related queries, contact us at support@runsurf.co. 

2. Information We Collect 

We collect personal information across three channels. 

2.1  Information You Provide Directly 

Business and entity details: company legal name, DBA, EIN, federal, state, and local tax account numbers, banking and ACH funding account details, business address, and authorized signatory information. Employee and payroll data: employee legal names, Social Security Numbers (SSNs) and ITINs, dates of birth, home addresses, phone numbers, personal email addresses, emergency contacts, pay rates, compensation structures, tax withholding elections (federal W-4 and state equivalents), direct deposit bank routing and account numbers, and benefit enrollment information. Government-issued identification and work authorization data: Form I-9 employment eligibility verification data, including document type, document number, and expiration date, as required under the Immigration Reform and Control Act (IRCA). Where the employer uses E-Verify, E-Verify case numbers are also collected. EEO and demographic data (voluntary): where collected for EEO-1, VETS-4212, or OFCCP compliance reporting purposes, we may collect gender, race or ethnicity, veteran status, and disability status. This information is collected on a strictly voluntary basis, stored separately from core payroll records, used solely for regulatory compliance reporting, and is never used for any employment, compensation, or benefits determination. Account credentials and communications: usernames, passwords (stored in hashed form), and correspondence submitted through support channels or email. 

2.2  Information Collected Automatically 

When you use the platform, we automatically collect IP address, browser type, device identifiers, session and usage data, platform access logs, performance and error diagnostics, and natural language prompts submitted to the Surf AI Copilot. 

2.3  Information Received from Third Parties 

We receive information from third parties including identity and EIN verification results, banking and ACH network confirmations, tax filing acknowledgments from the IRS and applicable state and local tax authorities, and data imported through third-party integrations you authorize. 

Sensitive data handling: Social Security Numbers, bank account details, health and insurance data, Form I-9 data, and demographic EEO information are processed with heightened access controls, data masking, and encryption, and are used only for the specific purposes for which they were collected. 

3. How We Use Your Information 

We use the personal information we collect to: Deliver and operate the Services: process payroll runs; calculate and file federal, state, and local payroll taxes and year-end forms (W-2s, 1099s, and ACA forms); administer employee benefits and deductions; process expense reimbursements; and operate the employee self-service portal and CPA & Accountant Portal. Manage accounts and authenticate users: verify identity, manage access controls, and enforce multi-factor authentication requirements. Comply with applicable law: fulfill obligations under FLSA, ERISA, HIPAA where applicable, IRS regulations, NACHA Operating Rules, and all applicable federal, state, and local employment, tax, and privacy laws. Maintain security and prevent fraud: detect, investigate, and prevent unauthorized access, fraudulent transactions, and security threats; maintain audit trails of all platform actions. Improve the platform: analyze aggregated, de-identified usage data for product development and analytics. We do not use identifiable employee data for product improvement purposes. Communicate with you: send transactional communications required for service delivery (which cannot be opted out of while subscribed); service-related notices such as policy and maintenance updates; and marketing communications where you have provided consent or where permitted by applicable law. We do not sell your personal information or use it for targeted advertising. 

4. AI Features and Data 

The Surf AI Copilot processes natural language prompts and related payroll data to generate actionable workflow outputs. Surf does not use your Client Content including employee names, Social Security Numbers, payroll figures, or any other personal data to train generalized AI models for third-party use. All AI Copilot outputs are recommendations that must be reviewed and approved by an authorized human user before execution; Surf does not deploy fully autonomous AI decision-making for payroll runs, tax filings, or employee record changes. AI interaction logs are retained for twelve months for security monitoring and audit purposes, then permanently deleted. The AI Copilot is a productivity tool only and does not provide legal, tax, or compliance advice. 

5. Legal Basis for Processing

Where applicable law requires a legal basis for processing, Surf relies on the following grounds: Contractual necessity: to perform our obligations under the Terms of Service and deliver the Services. Legal obligation: to comply with IRS regulations, applicable state and local tax authority requirements, FIPA, applicable state privacy laws, FLSA, ERISA, HIPAA where applicable, NACHA Operating Rules, and all other applicable federal and state laws. Legitimate interest: for fraud prevention, platform security, and audit trail maintenance, where our interests do not override your rights. Consent: for optional marketing communications and certain analytics, which may be withdrawn at any time without affecting prior processing. 

6. How We Share Your Information

We do not sell personal information or share it with third parties for their own marketing purposes. 

6.1  Service Providers and Subprocessors 

We share information with trusted service providers who process data on our behalf and under our instructions, including: MasterTax which is our integrated tax calculation, filing, and remittance partner. MasterTax receives employer tax account data, employee identifiers, and wage and tax data to generate and file federal, state, and local payroll tax returns on your behalf. NatPay (National Payment Corporation) which is our ACH payment processing partner. NatPay receives bank routing and account numbers, payee names, payment amounts, and remittance metadata to originate ACH payroll disbursements, tax remittances, garnishment payments, and benefit contribution payments. Amazon Web Services (AWS) which provides cloud infrastructure and hosting, operating exclusively within United States data centers. KYB, EIN, and bank verification providers for identity and account verification services used during employer onboarding. Email and SMS communications providers for transactional notification services that receive employee and employer names and contact information for platform notifications. AI model providers  third-party providers supporting the Surf AI Copilot, operating under binding data processing agreements that prohibit use of your data for their own model training. Customer support platforms  platforms used to manage support requests and communications. A current list of approved subprocessors is maintained on Surf's trust page and is available upon written request to support@runsurf.co. 

6.2  Government Authorities and Legal Disclosures 

We disclose information to government authorities as required by applicable law, including the IRS and applicable federal agencies, and state and local tax, revenue, labor, and regulatory authorities in the jurisdictions where your employees work. Where a breach affects Florida residents, we may disclose information to the Florida Department of Legal Affairs as required under FIPA. 

6.3  Garnishment Recipients 

We disclose employee personal data, including payroll and financial information, to courts, State Disbursement Units, federal and state tax authorities, bankruptcy trustees, and other agencies or creditors as required by legally valid garnishment orders, income withholding orders, tax levies, and other court or regulatory orders. Such disclosures are made solely on the employer's instruction and pursuant to applicable law. 

6.4  Benefit Carriers and Plan Administrators 

We transmit employee benefit enrollment and contribution data to health insurers, retirement plan administrators, FSA/HSA custodians, and transit benefit providers at the employer's direction. Those carriers and plan administrators are independent data controllers once data is transmitted, and their data practices are governed by their own privacy policies. 

6.5  CPA Portal and Authorized Integrations 

We share data with accounting professionals or payroll bureaus authorized by you through the CPA Portal, and with third-party integrations you authorize. You are responsible for ensuring that those authorizations are valid and current. 

6.6  Corporate Transactions 

In the event of a corporate merger, acquisition, or asset sale, your information may be transferred subject to the acquirer assuming the obligations of this Policy. 

6.7  Aggregated and De-identified Data 

We may share aggregated, de-identified data that cannot reasonably be used to identify any individual for research, benchmarking, or product improvement purposes. 

7. Data Retention

We retain personal data for as long as necessary to deliver the Services and to meet applicable legal retention obligations, which vary by record type. The following minimum retention periods apply, subject to longer periods required by applicable state law: Payroll records (hours, wages, deductions): minimum 3 years under FLSA, 29 C.F.R. § 516. Employment tax records: minimum 4 years after the tax is due or paid, under IRC § 6001 and IRS Publication 583. ERISA plan records: minimum 6 years under ERISA § 107; certain records permanently. Form I-9 records: 3 years from date of hire or 1 year following termination, whichever is later, under 8 C.F.R. § 274a.2. W-4 and state withholding certificates: 4 years after the due or paid date of the last return, per IRS Publication 15. Direct deposit authorizations: 2 years following revocation of authorization, per NACHA Operating Rules. Garnishment orders and remittance records: minimum 3 years from final remittance, as best practice; longer where required by the issuing order or applicable state law. Audit logs and access records: minimum 3 years for security monitoring and compliance verification. AI interaction logs: 12 months, then permanently deleted. Security incident records: minimum 5 years. Marketing and communications data: deleted within 30 days of opt-out. Account credentials and session data: deleted within 90 days following account cancellation. Upon account termination, you may request export of your Client Content within ninety (90) days, after which it will be permanently deleted subject to applicable legal retention obligations as described above. 

8. Your Privacy Rights

Surf maintains a comprehensive security program aligned with SOC 2 Type II standards and designed to protect personal data from unauthorized access, use, disclosure, modification, loss, and destruction. Technical measures include: AES-256 encryption of all personal data at rest; TLS 1.2 or higher for all data in transit; role-based access controls (RBAC); multi-factor authentication (MFA) required for all administrator access; data masking of sensitive fields including SSNs, bank account numbers, and health-related data; and continuous 24/7 intrusion detection and monitoring on AWS infrastructure. Organizational measures include: mandatory annual security training for all personnel with data access; quarterly access recertification; background checks for personnel handling sensitive data; binding confidentiality and security obligations for all third-party service providers; and formal incident response procedures reviewed and tested at least annually. Surf conducts third-party penetration testing and vulnerability assessments at least annually, with findings remediated on a risk-prioritized basis. Surf maintains encrypted daily backups with geographic redundancy and disaster recovery procedures targeting a Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of twenty-four hours for critical data. If you believe your account has been compromised, contact us immediately at support@runsurf.co. 

9. Breach Notification

9.1  Surf's Notification to Employer Clients 

In the event of a confirmed breach of security involving personal data processed on behalf of an employer client, Surf will notify the affected employer client within seventy-two (72) hours of confirming that a breach has occurred. Notification will describe the nature of the breach, the categories and approximate number of affected individuals, the personal data involved, and the remediation steps being taken. 

9.2  Employer Client Obligations 

Employer clients, as data controllers, are responsible for assessing each breach notification from Surf and determining which state breach notification laws apply to their affected employees. Applicable notification timelines and regulatory reporting requirements vary by state. Under FIPA (Florida), notification to affected Florida residents must occur within thirty (30) days of determination of the breach; where a breach affects more than 500 Florida residents, notification to the Florida Department of Legal Affairs is also required. Other state breach notification laws may impose different timelines, content requirements, or regulatory reporting obligations. 

Surf will provide full documentation, incident timelines, and technical information to support employer clients in preparing required notifications to employees and regulators under all applicable state breach notification laws. Surf will cooperate fully with any regulatory investigation arising from a breach. 

9.3  Records 

Surf maintains records of all security incidents and breach notifications, including incidents that did not ultimately require regulatory notification, for a minimum of five years. 

10. Your Privacy Rights 

Depending on your location and applicable law, you may have rights with respect to your personal information. These may include the right to access, correct, delete, or obtain a portable copy of the personal information we hold about you; to restrict or object to certain processing; and to withdraw consent where processing is based on consent. Surf will not discriminate against any person who exercises their privacy rights. 

10.1  Florida Residents 

Florida residents have rights under FIPA including the right to access and correct their personal information and to receive notification in the event of a breach affecting their personal data. 

10.2  California Residents 

California residents have rights under the CCPA/CPRA including the right to know what personal information is collected and how it is used, the right to delete, the right to correct, the right to opt out of the sale of personal information, and the right to non-discrimination. Surf does not sell personal information. 

10.3  Residents of Other States 

Residents of other US states with comprehensive privacy laws including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states that have enacted or may enact consumer privacy legislation may have similar rights under their applicable state law. Surf supports the exercise of these rights to the extent required by applicable law. Surf does not sell personal data and does not engage in cross-context behavioral advertising regardless of where you are located. 

10.4  How to Exercise Your Rights 

To exercise any privacy right, contact us at support@runsurf.co with your name, account email, and the specific right you wish to exercise. We will respond within thirty (30) days. 

10.5  Employee Rights 

Employees whose payroll data is processed through the platform may access their own pay statements, year-end tax forms (W-2s and 1099s), withholding elections, and direct deposit details at any time through the Surf Payroll employee self-service portal without requiring employer intervention. Requests to correct, delete, or obtain a portable copy of personal data held within the platform should be directed to your employer as the data controller, who will coordinate with Surf as necessary to fulfill the request. 

11. Cookies and Tracking 

The Surf Payroll platform uses cookies for: Session management and authentication (strictly necessary  cannot be disabled while using the platform) User preferences and settings (functional) Anonymized usage analytics (analytics  data collected in aggregated, de-identified form only) Surf does not use cookies for targeted advertising or behavioral profiling. You may manage cookies through your browser settings; disabling strictly necessary cookies will prevent platform login. Full details are provided in the Surf Payroll Cookie Policy, available at https://runsurf.co. 

12. Children, Third-Party Links, and International Transfers 

The Services are not directed at individuals under the age of eighteen, and Surf does not knowingly collect personal information from minors. 

The platform may contain links to third-party websites and integrations not controlled by Surf. Those services are governed by their own privacy policies and Surf is not responsible for their data practices. 

The Surf Payroll platform is hosted and operated entirely within the United States on AWS infrastructure. If you are accessing the Services from outside the United States, your personal information will be processed in the United States, where data protection laws may differ from those in your jurisdiction. Use of the Services constitutes consent to such transfer and processing. 

13. Changes to This Policy

Surf may update this Privacy Policy at any time. For material changes, we will: post the updated Policy on our website with a revised effective date; send an email notice to the registered account administrator at least thirty (30) days before changes take effect; and display a prominent platform notice for thirty days following the update. Continued use of the Services after the effective date of any update constitutes acceptance of the revised Policy. 

14. Contact Us

For questions, privacy rights requests, or to report a suspected security incident, contact the Surf Payroll Privacy Team at: 

Email: support@runsurf.co 

Mail: Vine and Twig Technologies Inc., Linden Depot Rd, San Antonio, FL 33576 

We are committed to responding to all privacy inquiries within fifteen (15) business days. 

If you are not satisfied with our response, you may lodge a complaint with the relevant supervisory authority for your jurisdiction.