FoundationBack to Home

Privacy Policy

Last updated: April 13, 2026

1. Who We Are

Foundation is operated as a sole trader business registered in Ireland ("Foundation", "we", "us", "our"). Foundation provides software for invoicing, collections, payment follow-up, reporting, and related business operations. For customer account, billing, support, and website data, Foundation acts as a data controller. For debtor, invoice, payment, communications, and other business records that our customers upload or create in the platform, Foundation generally acts as a data processor or service provider on the customer's behalf.

2. Data We Collect

Customer account and company data

  • Name, work email address, company name, role, authentication identifiers, and account settings
  • Subscription and billing records, including Stripe customer and subscription metadata. Payment card details are handled by Stripe and are not stored by Foundation.
  • Usage, activity, security, diagnostic, and audit-log data generated when you use the service

Business data you input or upload

  • Debtor and customer contact details, invoice records, payment records, disputes, notes, tasks, and communication logs
  • Business profile, contracts, employees, CRM, inventory, supplier, purchase-order, and report data if you use those modules
  • Uploaded files and images, including receipts and documents you submit through the platform

Connected mailbox and messaging data

  • If you connect Gmail, Foundation stores OAuth credentials and mailbox settings needed to send email, refresh tokens, and scan for debtor replies
  • Foundation searches for messages from email addresses that match debtor records in your account and may store message metadata, body content, excerpts, threading data, and reply-generation status where needed to operate inbox and automation features
  • If you use Twilio, Stripe, webhooks, or other integrations, Foundation stores the configuration and event data needed to provide those features

3. How We Use Data

  • Service delivery: To authenticate users, manage subscriptions, store your data, generate reports, and run the features you enable
  • Collections and communications: To generate, send, log, and track invoices, payment requests, reminders, public payment links, portal links, replies, and disputes
  • AI features: To draft messages, summarize communications, analyze receipts and documents, score risk, and generate operational insights
  • Security and reliability: To detect abuse, troubleshoot issues, validate integrations and webhooks, rate limit requests, and maintain audit trails
  • Support and business operations: To respond to support requests, administer accounts, and comply with legal, tax, accounting, or regulatory obligations

4. AI and Third-Party Processing

Foundation relies on third-party infrastructure and optional integrations. Depending on the features you enable, data may be processed by providers such as Supabase, Clerk, Stripe, Google APIs (including Gmail, Google Drive, and Google Calendar), Twilio, Resend, SMTP providers, Cloudinary, Slack, HubSpot, Xero, QuickBooks, DocuSign, ShipStation, and external webhook endpoints that you configure.

  • AI requests may be sent to the configured model provider, which is OpenAI by default and may be another provider, such as Mistral, if configured by Foundation
  • When Gmail features are enabled, Foundation accesses mailbox data needed to send messages and identify debtor replies from addresses matching your debtor records
  • When payment features are enabled, Stripe processes payment transactions and related checkout events
  • When you configure outbound webhooks or third-party integrations, you instruct Foundation to send relevant payloads to those destinations

OpenAI states that data sent through its API platform is not used to train its models by default. See OpenAI's business data privacy information. Gmail-connected features are also subject to Google's Google API Services User Data Policy. Stripe's handling of payment data is described in Stripe's Privacy Policy.

5. Legal Basis (GDPR)

We process data on the following legal bases:

  • Contract performance: Processing necessary to provide the Service
  • Legitimate interest: Security, fraud prevention, diagnostics, service administration, and improvement
  • Consent or customer instruction: Optional integrations and connected-account workflows
  • Legal obligation: Tax records, regulatory compliance

For debtor data, you (our customer) are the data controller and must ensure you have a lawful basis for processing under GDPR or applicable legislation.

6. Data Retention

  • Foundation retains account, company, integration, and business records for as long as your account remains active, unless you delete them earlier through the product or by contacting support
  • When data is deleted or an account is closed, we may retain limited information in backups, logs, billing records, and compliance records for a reasonable period where necessary for legal, security, fraud-prevention, or operational reasons
  • We do not currently publish a universal fixed deletion timetable for all categories of customer data because retention varies by feature, backups, and legal obligations

7. Your Rights

Under GDPR and applicable data protection law, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to processing
  • Withdraw consent or disconnect optional integrations, such as Gmail

To exercise these rights, contact privacy@getfoundation.net. If Foundation is acting only as a processor for data you uploaded on behalf of your own customers, we may direct the request to you as the controller.

8. Security

Foundation uses technical and organizational safeguards designed to protect customer data, including TLS for data in transit, authentication and access controls, request rate limiting, webhook signature verification where configured, encrypted-at-rest storage for integration configuration written by the current application, signed public invoice links, and hashed self-service portal tokens. No internet service can guarantee absolute security, and you remain responsible for securing your own credentials and connected third-party accounts.

9. International Transfers

Your data may be processed in countries other than your own when Foundation or its subprocessors operate infrastructure there. Where applicable, Foundation relies on appropriate contractual, technical, and organizational safeguards for cross-border transfers.

10. Cookies

Foundation uses essential cookies and similar storage needed for authentication, session continuity, and application security. This policy does not promise that every environment is free from analytics or infrastructure cookies supplied by hosting or authentication providers, but Foundation does not use advertising cookies in the application.

11. Contact

For privacy-related questions or data requests, contact us at privacy@getfoundation.net.