Privacy Policy | Founderise

This Privacy Policy ('Policy') explains how Founderise ('Founderise', 'we', 'us', or 'our') collects, uses, shares, and protects personal data when you use the Founderise platform. We are the data controller for the personal data described below. If you have questions about this Policy or how your data is handled, contact us at the address in Section 13.

1Scope & Controller

· This Policy applies to all personal data we process when you visit our website, register for an account, use the Founderise platform, communicate with us, or interact with emails we send.
· Founderise is operated from the United Kingdom. A separate registered legal entity is being established; this Policy will be updated to reflect the entity name and company number once registration completes.
· For privacy matters, contact contact@founderise.co.uk.

2What We Collect

· Account data: name, email address, phone number, and business name.
· Plan & business content: the objectives, tasks, business growth indicators, reviews, reflections, and supporting notes that you create inside the platform as part of your RISE plan.
· Authentication metadata: a Cognito user identifier, last-login timestamp, password reset events, and similar identity records used to keep your account secure. We never store your password ourselves — Amazon Cognito handles credential storage.
· Billing data: a Stripe customer reference, subscription identifier, billing cycle, and invoice history. Stripe collects billing-address information (including country and postcode) directly from you on our behalf to calculate any applicable sales tax; we do not store that address in our own database. We do not see or store your full card number, expiry, or CVC — that data stays inside Stripe's PCI-DSS compliant systems.
· AI conversation history: transcripts of conversations you have with Founderise in-product AI agents, retained while your subscription is active so the AI can refer back to earlier context.
· Email-delivery records: metadata for the scheduled emails we send you (weekly insights, review reminders, team task digests) — primarily timestamps and idempotency keys used to detect duplicate sends. We do not store the rendered email body.
· Technical data: standard server-side logs (such as IP address, user-agent, and request timing) generated by AWS Amplify Hosting and our application servers, used to operate and secure the service.
· Product-analytics data: usage events — page views, button clicks, and feature interactions — captured by PostHog (see Section 5) so we can understand how Founderise is used and improve it. Before you sign in these events are linked to a per-browser identifier; after sign-in they are linked to your account. You can disable this at any time via the cookie banner or the 'Cookie preferences' link in the footer.

3Legal Basis for Processing

· We rely on contractual necessity (UK GDPR Art. 6(1)(b)) to process the data needed to provide you with the Founderise platform you have subscribed to.
· We rely on legitimate interests (UK GDPR Art. 6(1)(f)) to operate, secure, debug, and improve the service, prevent fraud and abuse, and communicate with you about important service changes.
· We rely on consent (UK GDPR Art. 6(1)(a)) for any optional marketing emails. You can withdraw consent at any time using the unsubscribe link in those emails.
· We rely on legal obligation (UK GDPR Art. 6(1)(c)) where we are required to retain billing records or respond to lawful requests.

4How We Use Your Data

· Operate the platform: create your account, link co-founders, run scheduled jobs (weekly insights, review reminders, team task digests).
· Generate AI insights and agent responses tailored to your plan, business context, and previous reflections.
· Process payments, send invoices, and manage your subscription via Stripe.
· Communicate with you about transactional matters (welcome emails, password resets, billing notices, service status).
· Detect and prevent abuse, fraud, and security incidents.
· Understand how Founderise is used through product analytics (PostHog) so we can prioritise improvements. You can opt out at any time via the cookie banner or 'Cookie preferences' in the footer.
· Comply with our legal and regulatory obligations.

5Sub-processors & Sharing

We use carefully selected service providers to operate Founderise. Each of these acts as a processor on our behalf under appropriate data protection terms. We do not sell your personal data.

· Amazon Web Services (AWS): hosts the entire Founderise application via AWS Amplify Hosting (front-end and API routes) and Amplify gen2 backend services — Cognito for authentication, SES for email delivery, Lambda for scheduled jobs, SQS for background queues, and S3 for file uploads. Our AWS infrastructure runs in the `eu-west-1` region (Ireland, EU).
· AWS RDS: hosts our Postgres database, where your account, plan, business, task, review, and AI conversation records are stored. Encrypted at rest and in transit.
· Stripe: processes payments and stores billing data. Stripe is PCI-DSS certified; we never receive your raw card details.
· Google (Gemini API): powers the AI features inside Founderise (weekly insights, chat agents, planning assistants). Founderise uses the paid Gemini API tier; under Google's current Gemini API terms, Google does not use your prompts or the model's responses to improve Google's products.
· PostHog (PostHog Inc.): provides product analytics. We use PostHog Cloud EU (hosted in Frankfurt, Germany). PostHog receives usage events such as page views, button clicks, and feature interactions so we can understand how Founderise is used and improve it. Before sign-in those events are associated with a per-browser identifier; after sign-in they are linked to your account. You can disable PostHog tracking at any time via the cookie banner or 'Cookie preferences' in the footer.
· We may share data with professional advisors, regulators, or law-enforcement authorities where required by law.
· Additional sub-processors will be disclosed here before they go live (for example, an email-marketing platform once optional marketing communications are introduced).

6Data Retention

· Account, plan, and AI conversation data are retained while your subscription is active so the platform can refer back to your history.
· We are in the process of finalising formal retention, deletion, and anonymisation procedures for cancelled accounts and operational records (such as email-delivery logs and server logs). Until those procedures are published, you can request deletion of your personal data at any time by emailing contact@founderise.co.uk, and we will action your request promptly. Billing records may be retained longer where required by law.

7Your Rights

Under the UK GDPR you have the right to:

· Access the personal data we hold about you (Art. 15).
· Rectify inaccurate or incomplete data (Art. 16).
· Request erasure of your data, subject to limited exceptions (Art. 17).
· Restrict or object to certain processing (Arts. 18 and 21).
· Receive a portable copy of the data you provided to us (Art. 20).
· Withdraw consent at any time where processing is based on consent.
· Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) if you believe we have not handled your data lawfully.

To exercise any of these rights, email contact@founderise.co.uk. We will respond within 30 days.

8AI & Automated Processing

· Founderise uses large language models (currently Google's Gemini family) to generate insights, draft plans, and respond to questions inside the platform.
· AI outputs are intended as guidance — not professional, legal, or financial advice. They may contain errors or omissions and should be reviewed before acting on them.
· We do not use AI to make decisions about you that have legal or similarly significant effects without human review.
· Founderise uses the paid Gemini API tier. Under Google's current Gemini API terms, prompts you submit (including any cached content and supporting files) and the model's responses are not used to improve Google's products.

9Cookies & Tracking

· Strictly necessary cookies keep you signed in (Amazon Cognito session cookies) and remember your cookie preferences (`cc_cookie`). These cannot be disabled because the service cannot function without them.
· Stripe cookies are set on checkout pages by Stripe to prevent fraud and maintain your payment session. These are essential when you are paying for a subscription.
· Analytics cookies (PostHog) help us understand how Founderise is used so we can improve it. PostHog runs on PostHog Cloud EU (Frankfurt, Germany). A cookie banner is shown on your first visit so you can accept or reject these. You can change your choice at any time using the 'Cookie preferences' link in the footer.
· We do not use cookies for advertising and do not allow third-party advertising networks on Founderise.

10International Transfers

· The majority of processing happens in the EU (`eu-west-1`, Ireland).
· Some of our sub-processors (notably Stripe and Google) may transfer data to the United States or other third countries. Where they do, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or another lawful transfer mechanism.

11Security

· Credentials are handled exclusively by Amazon Cognito; we never see or store your password.
· All connections to Founderise use HTTPS/TLS in transit; data at rest is encrypted at the storage layer by our cloud providers.
· No system is perfectly secure. If we ever detect a personal-data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and contact you where the law requires it.

12Changes to This Policy

· We may update this Policy from time to time. When we make material changes, we will update the 'Last Updated' date at the top and, where appropriate, notify you by email or in-product message.
· Continued use of the Founderise platform after an update means you accept the revised Policy.

13Contact Us

· For questions about this Policy or to exercise any of the rights above, please contact contact@founderise.co.uk.