Privacy Policy

Last updated May 29, 2026

This is a plain-language draft for transparency and is pending review by qualified counsel. It is not legal advice. Where this summary and our final, lawyer-reviewed agreements differ, the final agreements govern.

This policy explains what personal data Foundr collects, why, and the rights you have over it.

1. Data we collect

  • Email address (used as your login identifier).
  • Country (coarse — not precise location).
  • Investor self-declared firm and ticket-size range.
  • OAuth access tokens for sources you connect (e.g. GitHub), encrypted at rest.
  • Product events needed to operate the service (submissions, approvals, interest signals, contact shares).

2. Data we deliberately do NOT collect

  • Government IDs, passports, SSNs, or national IDs.
  • Bank account or tax numbers.
  • Biometrics or facial images (founder photos are only ever uploaded by the founder).
  • Health data.
  • Precise geolocation.

3. How we use it

We use your data to operate the platform: to authenticate you, surface relevant startups, send the notifications and digests you opt into, and maintain an audit trail of material events.

We do not sell your personal data. We do not run third-party advertising trackers on authenticated pages.

4. AI processing

We generate descriptive summaries of startups using AI APIs (Anthropic, with OpenAI as a fallback). We do not send personal data to these models beyond information already published on a startup's public profile. Under our API terms, inputs are not used to train the providers' models.

5. Sub-processors

We rely on a small set of vendors to run Foundr, including Supabase (database and auth), Vercel (hosting), Resend (email), PostHog (product analytics), and the AI providers above. Each is bound by a data-processing agreement.

6. Your rights

Depending on where you live (including under GDPR, UK-GDPR, CCPA/CPRA, and applicable PDPA regimes), you may request access to, export of, correction of, or deletion of your personal data.

To exercise these rights, contact us; we will respond within the period required by your local law. Account deletion is a soft delete followed by a hard delete after a 30-day grace period.

7. Logging and retention

We keep personally identifying information out of our application logs. Material events are retained for audit purposes; email send logs are kept for twelve months. You can request earlier deletion subject to legal retention obligations.

8. Contact

For any privacy question or request, contact our support address.