
Privacy Policy

v1.0 · last updated May 2026 · we'll email registered users about material changes

1. Introduction

This Privacy Policy explains how Foundworks ("we," "us," "our") collects, uses, and protects your personal data when you use our platform. We are committed to GDPR compliance and transparent data practices.

2. Data We Collect

We collect the following categories of data:

  • Account data: Name, email address, bcrypt-hashed password.
  • Business and department data: The business name, mission, brand voice, target customer (ICP), and any instructions or files you or your AI agents produce. Stored as Markdown files in our virtual filesystem.
  • Agent execution data: Task records, event logs, approval queue items, cost-tracking rows per LLM call.
  • Technical data: IP address, browser type, access timestamps, request audit logs.
  • Connected integrations (only if you choose to connect them): An encrypted Microsoft refresh token if you link your Outlook account for agent-driven email sending. We never store your Microsoft password.
  • Newsletter (only if you sign up): Email address and the source you signed up from. Confirmed via a double-opt-in link.
  • Billing data (paid tiers only): Mollie customer + subscription identifiers and invoice records. Card details are handled directly by Mollie and never touch our servers.
  • Optional data: Third-party LLM API keys (stored Fernet-encrypted with an app-level key).

3. How We Use Your Data

  • To provide and operate the Service (running your agents, storing their outputs, surfacing them in the UI).
  • To authenticate your identity and secure your account (JWT issued via bcrypt password verification).
  • To process your business and department instructions and deliver outputs.
  • To send transactional emails: account welcome, weekly digest of your team's activity, approval reminders, budget-threshold warnings, and newsletter confirmations / broadcasts (if you opted in).
  • To bill you (paid tiers) via Mollie.
  • To monitor service health, enforce rate limits, and prevent abuse.

4. Data Storage and Security

Your data is stored on Azure infrastructure located in the European Union (West Europe region). We use industry-standard security measures including:

  • Encryption in transit (TLS) and at rest
  • Bcrypt password hashing with application-level salting
  • Fernet encryption for stored API keys
  • Isolated sandbox environments for agent execution

5. Data Sharing (Sub-processors)

We do not sell your personal data. We process data through these third-party services, each contractually bound to protect it:

  • Microsoft Azure — hosting, Azure SQL database, Azure Blob storage (EU West region).
  • Azure AI / OpenAI — processes your instructions to drive the agent loops. Inputs and outputs transit Azure AI but are not used to train shared models.
  • Azure Communication Services Email — sends transactional email from us to you (welcome, digest, newsletter confirmations, broadcasts, budget warnings).
  • Microsoft Graph — only if you connect your Outlook account; lets your agents send mail through your own mailbox under your OAuth grant.
  • Sandbox providers — Sprites/Fly.io (default) or E2B for isolated agent execution.
  • Mollie — payment processing for paid tiers. Card data goes directly to Mollie; we only see customer/subscription/invoice identifiers.
  • Cloudflare — DNS + edge routing for our domain.

6. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Port your data to another service
  • Object to processing of your data
  • Withdraw consent at any time

To exercise any of these rights, email us at [email protected].

7. Data Retention

We retain your account data for as long as your account is active. Business + department data (instructions, agent outputs, memory files, event logs) lives for the lifetime of the business. When you delete a memory file, the row is soft-deleted with a 30-day grace window; after 30 days it is hard-purged from the database. Deleting a business hard-deletes its memberships, departments, tasks, events, approvals, and cost records. Newsletter subscribers can unsubscribe with one click via the link in every newsletter; we keep the row marked as unsubscribed (for audit) until you ask us to delete it. You may request full data deletion at any time.

8. Cookies and Tracking

We use a JWT token stored in localStorage for authentication — no third-party tracking cookies or analytics scripts. During the Outlook OAuth flow we briefly carry a signed CSRF token in the URL; it expires after 10 minutes.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of the Service after changes constitutes acceptance.

10. Contact

For privacy-related inquiries, contact us at [email protected].