Fowndr

Draft — not legal advice

Privacy Policy

See also our Terms of Service.

1. Who we are

This Policy describes how Fowndr ("we," "us") handles personal information when you use our website and related services. The legal entity responsible for an engagement may be identified on your Statement of Work, invoice, or receipt - counsel should align this paragraph with your formation docs (docs/legal-entity-jurisdiction.md).

2. Scope — who this applies to

This Policy applies to:

  • visitors browsing our marketing site;
  • people who submit lead, contact, or inquiry forms;
  • users who create an account or sign in (email, magic link, or social login); and
  • individuals who use payment links we provide (processed by our payment provider).

If you are an end user of a product we built for a client, that client's privacy notice may apply to their app - contact them first for requests about their service.

3. Information we collect

Depending on how you interact with us, we may collect:

  • Lead and contact forms: name, email, company (if provided), message, and optional technical content such as feature lists or image snapshots you attach.
  • Accounts: name, email, password hash (if you use email/password), profile image (if provided), role, optional MFA data, email verification status, and a stable account identifier.
  • OAuth sign-in: identifiers and profile details your provider shares with us when you choose Google or Microsoft login; authentication tokens may be stored to keep your account linked.
  • Payments: billing-related data processed by Stripe (e.g. email pre-filled at checkout). We do not store full card numbers - Stripe handles card data under its terms.
  • Technical and security data: IP address and request metadata used for rate limiting and abuse prevention when our configuration uses shared infrastructure; server logs as operated by our host.
  • Client hub / project data: if you use a signed-in portal, we may store project-style information you or we add (milestones, links, tasks) keyed to your account - as described in your SOW.

4. How we use information

We use personal information to:

  • respond to inquiries and operate sales conversations;
  • provide and secure accounts, authentication, and the client hub;
  • send transactional messages (e.g. verification, sign-in links) when you request them;
  • process payments you authorize;
  • deliver contracted build services and communicate about engagements;
  • send optional marketing or newsletter-style email only if you opt in on the contact form - replying to your inquiry is handled as a separate, service-related use and does not depend on that opt-in;
  • protect the Site, enforce our Terms, and comply with law.

We do not sell your personal information. Counsel should add lawful basis language (e.g. contract, legitimate interests, consent) for GDPR/UK visitors if applicable.

5. Subprocessors and sharing

We use service providers to run the Site and our business. They process data on our behalf and are contractually or legally required to protect it - counsel to confirm DPA/SCC wording for your regions. We only use the providers that are actually configured for your production environment; trim this list to match reality before going live.

Provider | Role | Privacy
Vercel | Website hosting and application delivery | Policy
Neon | Database for accounts and authentication data | Policy
Stripe | Payments and checkout | Policy
Resend | Transactional email (e.g. sign-in and verification messages) | Policy
Google | Optional sign-in with Google (OAuth) | Policy
Microsoft | Optional sign-in with Microsoft (Entra ID) | Policy
Upstash | Optional infrastructure (rate limiting, technical operations) | Policy

Additional recipients (if you enable them): a lead webhook (e.g. automation tools such as Zapier or Make) may receive the same fields you submitted in a lead form; an embedded calendar widget loads a third party in your browser - list the exact provider and link their policy when you turn those on. Internal register: docs/legal-subprocessors.md.

We may disclose information if required by law, court order, or to protect rights, safety, and integrity of the Site and users - counsel to refine.

6. International transfers

Our subprocessors may process data in the United States and other countries. If you serve EEA, UK, or Swiss users, counsel should add Standard Contractual Clauses, UK Addendum, or other transfer mechanisms as required, and describe them here.

7. Cookies and similar technologies

We use cookies and similar technologies that are necessary to operate sign-in and security. We do not ship first-party advertising or marketing analytics pixels in the Site codebase today. If you add non-essential analytics or ad pixels, get counsel guidance on consent and update this section. Operators maintain an in-repo record at docs/legal-cookies-analytics.md.

  • Session / auth cookies (e.g. names starting with authjs.) - set when you sign in at /login or complete related flows. HttpOnly where applicable. Purpose: maintain your session and protect account security.
  • CSRF / callback cookies may be set briefly during OAuth or sign-in redirects.
  • Theme preference - light/dark mode may be stored in localStorage (via next-themes) so your choice persists; not used for advertising.

8. Retention

We keep information as long as needed for the purposes above, including to meet legal, accounting, or reporting obligations. Examples (non-exhaustive - counsel to validate):

  • Account and engagement records: for the life of the relationship and a reasonable period after.
  • Email verification tokens: short-lived (e.g. on the order of 24 hours).
  • Technical identifiers used for idempotency (e.g. payment webhook processing): bounded retention where we use shared caches.

9. Security

We use administrative, technical, and organizational measures appropriate to the nature of the data and our stack (e.g. encrypted transport, access controls, reputable hosting). No method of transmission or storage is 100% secure.

10. Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, or export personal information, or to object to or restrict certain processing. You may also have the right to lodge a complaint with a data protection authority.

To exercise rights, contact us using the options on the Site. We may need to verify your request. Counsel should add jurisdiction-specific sections (e.g. California CPRA, Colorado, EU/UK GDPR, Virginia) where you have users.

11. Children

The Site is not directed to children. We do not knowingly collect personal information from children under the age counsel specifies (often 13 or 16 depending on region). Counsel to set age and process.

12. Changes to this Policy

We may update this Policy from time to time. We will post the new version on the Site and revise the "Last updated" date. Material changes may require additional notice - counsel to confirm.

13. Contact

For privacy questions or requests, use the contact options on our marketing site. For Terms, see the Terms of Service.
