Introduction
This Privacy Policy explains how Surely collects, uses, stores, and protects your information when you use the app. By using Surely, you agree to the collection and use of information in accordance with this policy.
Information We Collect
We collect the following categories of information to operate, secure, and improve the app:
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Email address, username | Authentication, account management |
| Profile Data | Profile picture (if provided) | Personalisation |
| Push Notification Token | Device-issued push token (FCM / APNs) | Delivering push notifications |
| Device Identifier | A persistent unique identifier generated at first registration on your device (X-Device-Id) | Device binding, session security, account protection |
| Device Metadata | Platform (iOS / Android), app version, last seen timestamp, device registration timestamp | Device management, security monitoring |
| User Content | Comments, prediction interactions | Community features |
| Usage Data | Feature interactions, session events | Performance and product improvement |
| Advertising Identifiers | IDFA (iOS), GAID (Android) | Ad serving and measurement (free tier only) |
How We Use Your Information
We use collected information exclusively to:
Operate and maintain core app functionality · Authenticate users and manage account sessions · Enforce device binding limits and protect accounts against unauthorised access · Send relevant push notifications · Manage subscription status and unlock Pro features · Improve app performance and user experience · Serve and measure third-party advertisements (free tier users only)
We do not use your information for automated profiling, scoring, or any purpose beyond those described above.
Device Binding & Management
To protect your account and prevent unauthorised sharing of credentials, Surely implements a device binding system. This section describes how it works and what data it involves.
When you register or log in, a unique device identifier is generated and permanently associated with your account on our servers. This identifier — referred to internally as X-Device-Id — is transmitted with every authenticated API request to verify that requests originate from a device you have authorised.
Data collected for device binding:
For each registered device we store: the device identifier, the platform (iOS or Android), the app version at the time of registration, the timestamp of first registration, and the timestamp of the most recent authenticated request from that device.
Device limit: Each account may have a maximum of two simultaneously bound devices. If you attempt to bind a third device, you will be prompted to remove an existing device from the Manage Devices screen before proceeding.
Behaviour on logout: When you log out, your local authentication token is cleared. Your device identifier and its binding to your account are intentionally retained on our servers. This means that when you log back in on the same device, the existing binding is recognised and no new device slot is consumed. If you wish to permanently remove a device binding, you may do so from the Manage Devices screen in your account settings.
Device removal cooldown: To prevent abuse, a seven-day cooldown period applies after removing a device. During this period, no further devices may be removed from your account. The date on which the cooldown expires is stored locally on your device solely to display the correct date in the app interface; it is not transmitted to third parties.
Local persistence: Your device identifier and the cooldown expiry timestamp (when applicable) are stored in your device's local secure preferences. This data is not cleared when you log out, as it is required for device recognition upon your next login. It is cleared only when you uninstall the application or explicitly delete your account.
Subscriptions
Subscription purchases are processed entirely by Apple. We do not store or have access to your payment card details.
We receive a confirmation of your subscription status (active or expired) to unlock Surely Pro features. We do not receive your full payment details, card number, or billing address.
You can manage or cancel your subscription at any time in your Apple ID account settings → Subscriptions.
For subscription pricing, billing frequency, and auto-renewal details, please refer to our Terms of Service.
Advertising & Analytics
Surely uses the following third-party services for advertising and analytics. These services operate under their own privacy policies and data processing agreements.
| Service | Purpose | Data Collected |
|---|---|---|
| IronSource | Rewarded and interstitial ads | Device identifier, ad interactions |
| Unity Ads | Ad serving | Device identifier, ad interactions |
| Google Firebase | Analytics, crash reporting | App usage events, device information |
Subscribing to Surely Pro disables all third-party advertising. Advertising identifiers are not collected from Pro subscribers.
You may opt out of personalised ads at any time through your device settings (iOS: Settings → Privacy & Security → Tracking).
Data Sharing
Data is shared only with service providers that are strictly necessary for app functionality, analytics, or advertising. All third-party providers are contractually required to handle data in compliance with applicable privacy laws and are prohibited from using your data for their own independent purposes.
Device binding data (device identifier and metadata) is stored exclusively on our own servers and is not shared with any third-party advertising or analytics services.
We may disclose information if required by law or in response to valid legal requests from public authorities, to the extent required and permitted by applicable law.
Data Retention
We retain your personal data for as long as your account remains active or as necessary to provide the services. Specific retention periods by data type:
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion is requested |
| Device binding records | Until the device is removed via Manage Devices, or until account deletion |
| Push notification token | Until you disable notifications or uninstall the app |
| Usage and analytics data | Up to 24 months in aggregated or anonymised form |
| User-generated content | Until deleted by you or removed for policy violations |
Upon account deletion, all personal data associated with your account is permanently removed from our servers within 30 days, except where retention is required by applicable law.
Data Security
We implement reasonable technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These measures include:
Encrypted data transmission via HTTPS/TLS for all client-server communication · Authenticated API requests requiring both a valid bearer token and a verified device identifier · Secure server infrastructure with access controls and monitoring · Local storage of device identifiers in platform-native secure preferences (Android EncryptedSharedPreferences / iOS Keychain-backed storage)
No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you, including your registered devices |
| Correction | Request correction of inaccurate or incomplete data |
| Deletion | Request deletion of your account and all associated data, including device binding records |
| Device Management | View and remove your bound devices at any time via Profile → Manage Devices |
| Opt-out of Personalised Ads | Opt out of personalised advertising via your device settings or by subscribing to Surely Pro |
To exercise any of these rights, contact us at help@mertscript.com. We will respond within 30 days.
Children's Privacy
If we become aware that we have inadvertently collected personal information from a minor, we will take immediate steps to delete that information from our records and terminate the associated account.
Policy Updates
We may update this Privacy Policy periodically to reflect changes in our practices or for operational, legal, or regulatory reasons. The "Last updated" date at the top of this page will always reflect the most recent revision.
For material changes — particularly those affecting how device data is collected or used — we will make reasonable efforts to notify you via in-app notification prior to the change taking effect. Continued use of the app following any update constitutes acceptance of the revised policy.
Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or the handling of your personal data, please contact us:
In-app: Profile → Contact Us