Surreal Experiments is operated by Surreal Digital LTD, a company registered in England and Wales, with offices at 85 Great Portland Street, W1W 7LT, London, UK. For the purposes of UK GDPR and EU GDPR, Surreal Digital LTD is the data controller responsible for your personal data.
Your email address (to send you your report and, if you opt in, our newsletter)
Your quiz responses (sentence completions you submit)
AI-generated analysis of your responses
Payment information (processed securely by Stripe, we do not store card numbers)
Basic account information if you create an account (e.g. password hash, login timestamps)
Limited technical information your browser sends automatically (IP address, browser type, referring page) for security and to keep the site working
We do not ask for, and we do not want, any special-category data such as information about your physical or mental health, racial or ethnic origin, religious or political beliefs, sexual orientation, or trade union membership. Our questions are sentence completions about general life and business themes (work, money, relationships, expression, etc.) and do not solicit any of these categories. See the section on free-text responses below.
How We Use Your Data, and Our Legal Basis
Under UK GDPR and EU GDPR, we must tell you the lawful basis we rely on for each use of your personal data. Here's the breakdown:
Generating your personalised analysis and delivering your report. Lawful basis: performance of a contract (Article 6(1)(b)) — you ask us to analyse your responses, and we deliver the report.
Processing payment for premium reports. Lawful basis: performance of a contract (Article 6(1)(b)).
Sending you newsletters and marketing emails. Lawful basis: your consent (Article 6(1)(a)), which you can withdraw at any time by clicking unsubscribe in any email.
Improving our service and AI analysis quality. Lawful basis: our legitimate interests (Article 6(1)(f)) in providing a better product. We only use pseudonymised or aggregated data for this purpose, never your identifying information.
Security, fraud prevention, and keeping the site running. Lawful basis: our legitimate interests (Article 6(1)(f)) in protecting our users and our service.
Measuring ad performance and advertising attribution (Meta Pixel, Meta Conversions API, Google Ads, Google Analytics, Hotjar). Lawful basis: your consent (Article 6(1)(a)) given through the cookie banner. You can withdraw it at any time on the privacy page.
Meeting legal obligations (such as keeping payment records for tax purposes). Lawful basis: legal obligation (Article 6(1)(c)).
We never sell your personal information. Your quiz responses and analysis are confidential.
AI Analysis and Profiling
The reports you receive are generated by AI models (currently provided by Anthropic and OpenAI) based on the sentence completions you submit. This is a form of profiling under UK GDPR: we use automated processing to assess personal patterns and produce a personalised reflection.
We do not use this profiling to make decisions that produce legal or similarly significant effects about you. The reports are reflective tools intended for personal insight. They are not clinical diagnoses, and they do not determine your access to services, employment, credit, insurance, or anything else.
You have the right to object to this profiling. If you'd prefer not to receive AI-generated analysis, simply don't submit a quiz, or contact us at surreal@surrealexperiments.com and we'll delete any responses already submitted.
Free-Text Responses
Our quizzes invite open-ended sentence completions. We don't ask about your health, religion, politics, sexual orientation, or any other sensitive category. Please don't include those details in your answers either, even if a prompt feels like it could go in that direction. Free-text fields are open by nature, and we'd rather you didn't share what you don't want stored or analysed.
If you do include sensitive information in a response, you can ask us to delete it at any time.
Third-Party Services
We use the following processors to operate Surreal Experiments:
Anthropic (United States): AI analysis of your responses. Anthropic processes data on our instructions and does not train their models on customer API data.
OpenAI (United States): AI analysis of your responses, used as a fallback or for specific analysis types. OpenAI processes API data on our instructions and does not train on it by default.
Supabase (EU, Ireland): Secure database storage of your responses, analysis, and account data. Our database is hosted in the EU (eu-west-1, Ireland).
Stripe (United States, Ireland): Payment processing. We don't store your card details.
Resend (United States): Email delivery of reports and transactional messages.
Kit / ConvertKit (United States): Newsletter delivery, if you opt in to our newsletter.
Vercel (United States): Hosting of the website. Vercel also provides anonymous performance and traffic analytics (no cookies, no personal data) which we use without your consent because it doesn't identify you.
Meta / Facebook (United States): If you consent to advertising cookies (see below), we use the Meta Pixel and Meta Conversions API to measure ad performance and attribution. Meta receives information about your visit and any purchase events.
Google (United States): If you consent to analytics cookies, we use Google Analytics 4 to understand how the site is used, and Google Ads conversion tracking to measure the performance of our ads.
Hotjar (Malta / United States): If you consent, we use Hotjar for session recordings and heatmaps to see where people get stuck on the site. Hotjar suppresses text input by default, but we'd still rather you knew.
Analytics, Advertising, and Tracking
With your consent, we load third-party scripts that help us understand how the site is used and measure the performance of our ads. These do not load until you accept in the cookie banner. If you reject, none of them fire.
The processors involved:
Meta Pixel and Meta Conversions API: tracks page views, sign-ups, and purchases so we can measure the performance of Meta (Facebook / Instagram) ads. The Conversions API sends purchase events from our server to Meta in addition to the browser pixel. Both share data with Meta for advertising attribution and audience building.
Google Analytics 4: aggregated usage analytics (page views, events, basic device and location info).
Google Ads conversion tracking: measures whether ads led to sign-ups or purchases.
Hotjar: records anonymised session replays and heatmaps. We use this to find where users get stuck on the site. Text input fields are suppressed by default, but please be aware of it.
Lawful basis for these is your consent under PECR and UK GDPR (Article 6(1)(a)). You can withdraw consent at any time, see "Managing your cookie preferences" below.
We also use Vercel Analytics and Speed Insights, which run without cookies and without collecting personal data. These run regardless of your consent because they don't identify you.
International Transfers
Some of the processors above are based outside the UK and the EEA, primarily in the United States. When we transfer your personal data outside the UK or EEA, we rely on appropriate safeguards as required by UK GDPR and EU GDPR. In practice this means:
UK International Data Transfer Agreements (IDTAs) and the UK Addendum to the EU Standard Contractual Clauses (SCCs), where the recipient has signed them with us
EU Standard Contractual Clauses (SCCs) for EU-origin data, where applicable
The UK-US Data Bridge and EU-US Data Privacy Framework, for recipients certified under those schemes
If you'd like a copy of the specific safeguard for a particular transfer, contact us and we'll share it.
Data Storage, Security, and Retention
Your data is stored in our Supabase database (hosted in Ireland) with industry-standard encryption in transit and at rest. Access to identifying data is limited to people who need it to operate the service.
We keep your data only as long as we have a reason to. Specific retention periods:
Quiz responses and AI analysis: kept while your account or report is active, then deleted within 24 months of account closure or your last login.
Email address for report delivery: kept for as long as you want access to your reports, then deleted on request or after 36 months of inactivity.
Newsletter subscriptions: kept until you unsubscribe.
Payment records (invoices, receipts): kept for 7 years from the transaction date, as required by UK tax law.
Support correspondence: kept for 36 months from your last contact.
Security and access logs: kept for 12 months.
You can ask us to delete your data sooner at any time (see Your Rights below).
Your Rights Under UK and EU GDPR
You have the right to:
Access: request a copy of the personal data we hold about you.
Rectification: correct any information that is inaccurate or incomplete.
Erasure: ask us to delete your personal data ("right to be forgotten").
Restriction: ask us to stop processing your data while keeping it on file.
Portability: receive your data in a structured, commonly used, machine-readable format.
Objection: object to processing based on our legitimate interests, or to the AI profiling described above.
Withdraw consent at any time, where we rely on your consent (for example, marketing emails).
To exercise any of these rights, email us at surreal@surrealexperiments.com. We respond within one month, and there's no fee in normal cases.
If you believe we've handled your data badly, you also have the right to complain to a data protection authority. In the UK, that's the Information Commissioner's Office (ICO) at ico.org.uk. If you're in the EU, you can contact your local supervisory authority.
Cookies and Browser Storage
We use two categories of cookies and similar technologies:
Strictly necessary: sessionStorage and localStorage to remember your quiz progress, keep you logged in, store your cookie consent choice, and deliver your report. These are required for the site to work, so under PECR we don't ask for consent for them.
Analytics and advertising (optional): the third-party services described in the section above (Meta Pixel, GA4, Google Ads, Hotjar). These only load if you accept in the cookie banner.
Managing Your Cookie Preferences
Your current preference: Loading...
You can change your mind at any time. Clicking the button below will reset your choice, and the cookie banner will appear again next time you visit any page.
Children's Privacy
Surreal Experiments is not intended for users under 18, and we do not knowingly collect information from children. If you believe a child has submitted data to us, contact us and we'll delete it.
Changes to This Policy
We may update this privacy policy from time to time as the service evolves or the law changes. We'll notify you of significant changes by email (if you have an account or are on our newsletter) or by posting a clear notice on this page. The "last updated" date at the top of this page always reflects the most recent revision.
Contact Us
If you have questions about this privacy policy or how we handle your data: