Legal
Privacy Policy
Last updated: 24 June 2026
AniSurge (anisurge.com) is operated by an independent developer based in Western Australia, Australia ("we", "us", "our"). This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and your rights regarding it — regardless of where in the world you are located.
We are committed to handling personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and the Privacy and Other Legislation Amendment Act 2024, the EU and UK General Data Protection Regulation (GDPR), India's Digital Personal Data Protection Act 2023 (DPDP Act) and DPDP Rules 2025, and applicable privacy laws in other jurisdictions where our users are located.
By creating an account or using AniSurge, you agree to this Privacy Policy. If you do not agree, please do not use the service.
Who We Are (Data Controller / Data Fiduciary)
For the purposes of applicable privacy laws, AniSurge acts as:
- Data Controller under the EU/UK GDPR
- Data Fiduciaryunder India's DPDP Act 2023
- Organisation under the Australian Privacy Act 1988
Operator: AniSurge (independent operator)
Location: Western Australia, Australia
Contact: anisurge.team@gmail.com
We do not currently have a Data Protection Officer (DPO) or EU/UK Representative appointed, as we are a small independent operator. Users in the EU/UK/India may contact us directly at the email above to exercise their rights.
Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process your personal data on the following legal bases under Article 6 of the GDPR:
- Contract (Art. 6(1)(b)): Processing your account information, tracking data, and profile content is necessary to provide the AniSurge service you signed up for.
- Legitimate interests (Art. 6(1)(f)): We use anonymised analytics to improve the platform. Our legitimate interest in improving our service does not override your rights.
- Legal obligation (Art. 6(1)(c)): We may process data to comply with applicable legal requirements.
- Consent (Art. 6(1)(a)): Where we rely on consent (such as optional profile fields), you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
What Personal Information We Collect
We collect the following categories of personal information:
Account and identity information:your email address, username, display name, and password (stored as a secure hash — we cannot retrieve your password)
Profile information (optional, provided by you):biography, avatar image, banner image, profile quote, favourite genres, anime podium picks, decade preferences, currently-obsessed pin, website URL, location (free text, not GPS), and other identity fields you choose to fill in
Anime tracking data:anime titles you add to your list, watch statuses (Watching, Watched, Watchlist, On Hold, Dropped), episode progress, ratings (1–10 scale), per-episode ratings, reviews and written opinions, notes, rewatch counts, and series groupings
Authentication data:if you sign in with Google OAuth, we receive your Google account email address and display name. We do not receive your Google password, payment methods, or other Google account data.
Usage and analytics data:pages you visit, features you interact with, and aggregate behavioural patterns, collected via Vercel Analytics. This data is anonymised and does not include your name, email, or any directly identifying information.
Technical data:IP address (processed briefly by Cloudflare for DDoS protection; not stored by us), browser type (via Vercel infrastructure logs), and session tokens (stored in browser cookies for authentication).
Payment information (future):AniSurge is currently free. When we introduce paid features, payment processing will be handled entirely by Stripe, Inc. We will not store your card number, CVV, or full payment details on our servers. Stripe's privacy policy will apply to payment data. We will update this policy before any paid features launch.
We do not collect: government ID numbers, financial account details (beyond future Stripe-processed payment method tokens), biometric data, health data, precise geolocation data (GPS), or sensitive personal information beyond what is listed above.
Consent (India DPDP Act)
For users in India, we process your personal data on the basis of your free, specific, informed, unconditional, and unambiguous consent, given when you create an account and agree to this Privacy Policy. You may withdraw consent at any time by deleting your account (contact us at anisurge.team@gmail.com). Withdrawal of consent does not affect the lawfulness of processing before withdrawal.
How We Use Your Information
We use your personal information for the following specific purposes:
- To create, authenticate, and maintain your AniSurge account
- To display your anime tracking data, stats, and identity profile to you and, where you choose, to other users
- To calculate your anime personality type, taste compatibility scores, achievement unlocks, XP, and account rank based on your tracking activity
- To send transactional emails: account confirmation, password reset, and (where applicable) platform notifications via Resend
- To improve the platform using anonymised, aggregated usage patterns
- To detect and prevent fraud, abuse, and violations of our Terms of Service
- To respond to support and privacy requests you send us
- To comply with applicable legal obligations
We do not:use your information for behavioural advertising, sell your personal data to any third party, share your data with data brokers, or use your data to train external AI models.
Data Retention
We retain your personal information for as long as your account is active.
- Active accounts: data retained until you request deletion
- Inactive accounts: if you have not logged in for 24 months, we will send a reactivation notice to your registered email. If you do not respond within 30 days, your account and associated data will be scheduled for deletion.
- Deleted accounts: upon receiving a deletion request, we will permanently delete your account and all associated personal data within 30 days. Backups may retain data for up to a further 30 days before permanent purge.
- Anonymised analytics data:Vercel Analytics data has no personal identifiers and is retained per Vercel's data retention policy.
You may request deletion of your account at any time by contacting anisurge.team@gmail.com. We will confirm deletion within 5 business days of receiving the request.
Data Storage and Security
Your personal data is stored using Supabase (supabase.com), hosted in the Asia Pacific (ap-southeast-2 — Sydney, Australia) AWS region. Supabase applies:
- Encryption in transit (TLS 1.2+) for all data transfers
- Encryption at rest using AES-256 for stored data
- Role-based access controls limiting which parts of the system can access which data
- Row-Level Security (RLS) policies ensuring users can only access their own data
Anime metadata (titles, cover images, episode counts, scores) is sourced from the AniList GraphQL API and is not stored on our servers — it is fetched in real time and cached briefly. Cover images are served directly from AniList's CDN.
We implement reasonable technical and organisational security measures appropriate to the size and nature of our operation, including:
- Server-side validation and Zod schema enforcement at all API boundaries
- Cloudflare Turnstile anti-bot protection on authentication forms
- Service-role database access restricted to server-side code only
- No client-side exposure of database credentials or service keys
We cannot guarantee absolute security. If you become aware of a security vulnerability in AniSurge, please report it to anisurge.team@gmail.com.
Data Breach Notification
In the event of a personal data breach that is likely to result in serious harm to your personal information, we will:
- Notify affected users as soon as practicable, and within 72 hours of becoming aware of the breach where technically feasible
- Notify the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme
- Notify the Data Protection Board of India (DPBI) as required under the DPDP Act 2023 if Indian users are affected
- Notify relevant EU/UK supervisory authorities as required under the GDPR if EU/UK users are affected
Breach notifications to affected users will be sent to your registered email address and may also be posted on anisurge.com.
Who We Share Your Data With
We share your personal data with the following third-party service providers solely to operate AniSurge. Each is bound by data processing agreements or equivalent contractual protections:
| Service | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | US (data hosted Sydney AU) | supabase.com/privacy |
| Vercel, Inc. | Website hosting and deployment | US | vercel.com/legal/privacy-policy |
| Resend, Inc. | Transactional email delivery | US | resend.com/legal/privacy-policy |
| AniList | Anime metadata API | — | anilist.co |
| Cloudflare, Inc. | DNS, DDoS protection, Turnstile | US | cloudflare.com/privacypolicy |
| Google LLC | OAuth authentication (optional) | US | policies.google.com/privacy |
| Stripe, Inc. (future) | Payment processing (not yet live) | US | stripe.com/privacy |
We do not share your data with any other third parties. We do not sell your data.
Note on overseas transfers: most of our service providers are based in the United States. By using AniSurge, you acknowledge that your data may be transferred to and processed in countries outside your country of residence, including Australia and the United States. We take reasonable contractual and technical steps to ensure these providers maintain privacy protections comparable to those required under applicable law.
For EU/EEA/UK users: transfers to US-based providers rely on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms under GDPR Chapter V where required.
Public Profile Data
AniSurge profiles are public by default. If your profile is public, the following are visible to anyone — including people who are not logged in:
your username, display name, avatar, bio, anime tracking list (excluding entries you mark as private), ratings, reviews, achievements, XP rank, and identity profile fields you choose to fill in.
You can:
- Make your entire profile private in your account settings (visible only to you when logged in)
- Mark individual list entries as private regardless of overall profile visibility
- Hide specific profile sections (achievements, reviews, recent activity, signature quote) via visibility toggles in settings
Your email address is never displayed publicly.
Children's Privacy
AniSurge is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are under 13, do not create an account.
For users in India: under the DPDP Act 2023 and DPDP Rules 2025, a "child" is defined as anyone under 18 years of age. We do not knowingly collect personal data from children under 18 in India without verifiable parental consent. If you are under 18 and located in India, you must obtain parental consent before using AniSurge.
In line with Australia's forthcoming Children's Online Privacy Code (due December 2026) and the US Children's Online Privacy Protection Act (COPPA), if we become aware that a user is under 13 (or under 18 for Indian users), we will promptly delete their account and all associated data.
If you believe a child has created an account without appropriate consent, please contact us at anisurge.team@gmail.com.
Your Rights
Depending on your location, you have the following rights regarding your personal data.
All users:
- Access: view all your tracking data, ratings, reviews, and profile information in your account at any time
- Export: download your full anime list and ratings as CSV or JSON via the Export feature in your account settings
- Correction: edit your profile, entries, and reviews at any time
- Deletion: request permanent deletion of your account and all associated data by contacting anisurge.team@gmail.com. We will complete deletion within 30 days.
- Withdrawal: stop using AniSurge at any time
EU/EEA/UK users (GDPR rights):
- Right to access (Art. 15) — request a copy of your personal data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure / "right to be forgotten" (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (available via our CSV/JSON export feature)
- Right to object (Art. 21) — object to processing based on legitimate interests
- Right not to be subject to solely automated decision-making (Art. 22) — we do not make any legally significant automated decisions about you
Indian users (DPDP Act rights):
- Right to access — obtain a summary of personal data processed about you
- Right to correction and erasure — request correction or deletion of your data
- Right to grievance redressal — raise concerns with us; we will respond within 30 days (as required by Rule 14 of the DPDP Rules 2025)
- Right to nominate — nominate another person to exercise your rights in the event of your death or incapacity
California users (CCPA/CPRA — informational):AniSurge does not currently meet the thresholds that make the CCPA/CPRA legally applicable (we are a free service with no revenue from California residents and process fewer than 100,000 California residents' data). We do not sell or share personal information. We disclose this proactively and will update this section if our status changes.
To exercise any of these rights, contact anisurge.team@gmail.com. We will respond within the timeframes required by applicable law (generally 30 days).
Cookies and Local Storage
AniSurge uses cookies and browser local storage solely to:
- Maintain your login session (authentication cookies set by Supabase Auth)
- Remember UI preferences
We do not use tracking cookies, advertising cookies, or third-party analytics cookies that identify you personally.
Vercel Analytics collects anonymised, aggregate page-view data with no personal identifiers and does not use cookies.
You may clear cookies via your browser settings. Clearing authentication cookies will log you out of AniSurge.
Automated Decision-Making
AniSurge uses automated processes to calculate:
- Your anime personality type (based on your genre and rating patterns)
- Taste compatibility percentages (based on overlap between your list and other users)
- Achievement unlocks and XP (based on your tracking activity)
- Account rank (based on XP thresholds)
These calculations are informational and cosmetic. None of them have legal, financial, employment, or other significant effects on you. You may hide your personality type from your public profile at any time in your account settings.
In line with Australia's automated decision-making transparency requirements commencing 10 December 2026, we disclose that these automated processes exist and describe how they work above.
Third-Party Links
AniSurge may display links to third-party websites (such as AniList, MyAnimeList, or streaming services). This Privacy Policy applies only to AniSurge. We are not responsible for the privacy practices of third-party sites. We encourage you to read their privacy policies before providing them with personal information.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you via the email address associated with your account and/or via a notice on anisurge.com. Continued use of AniSurge after updated Terms are posted constitutes your acceptance of the changes.
Copyright and Content Notices
AniSurge displays anime artwork sourced from the AniList API (anilist.co). This artwork is served directly from AniList's CDN and remains the property of its respective copyright holders.
AniSurge does not store, reproduce, or redistribute copyrighted anime artwork. If you believe content displayed on AniSurge infringes your copyright, please contact us at anisurge.team@gmail.com with:
- A description of the copyrighted work you believe has been infringed
- The specific URL(s) on AniSurge where the content appears
- Your contact information
- A statement that you have a good-faith belief that the use is not authorised by the copyright owner, its agent, or applicable law
We will investigate and respond within 10 business days. Note that as we do not host or control the artwork directly (it is served from AniList's infrastructure), we may direct you to AniList for resolution of artwork-specific concerns.
Complaints and Regulatory Contacts
Contact us first: anisurge.team@gmail.com — we aim to respond within 5 business days.
If you are unsatisfied with our response, you may contact the relevant authority for your location:
- Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au — 1300 363 992
- EU/EEA: Your local EU Data Protection Authority (find yours at edpb.europa.eu)
- UK:Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
- India: Data Protection Board of India (DPBI) — once operational (expected 2026–27)
- Other jurisdictions: contact your local data protection or consumer protection authority
For privacy questions, data requests, account deletion, or to exercise your rights:
We aim to respond within 5 business days.
