Privacy.

FOUND3RY is a workspace operating system for multi-venture operators. To do its job it ingests data you authorize from tools you already use (GitHub today; Linear and Notion next). We store that data on infrastructure we control, encrypt access tokens at rest, and never sell or share it. You can disconnect a tool, export your data, or delete your account at any time.

• Account info — your email, display name, and a hashed password (bcrypt). We never store your password in plaintext.
• Workspace contents — projects, ideas, tasks, knowledge items, and any text you create inside FOUND3RY.
• Connector data — when you authorize a connector (GitHub, etc.), we ingest the entities you grant access to: repos, commits, pull requests, issues, comments. We do not write back to the connector unless you explicitly opt in.
• OAuth access tokens — encrypted at rest with a per-deployment symmetric key (Fernet, AES-128-CBC + HMAC). Revoking a connection deletes the token.
• Operational logs — request paths, HTTP status, IP address, and duration for debugging and abuse prevention. We do not log secrets, tokens, or passwords.
• Embeddings — short text excerpts from your docs are sent to Voyage AI to produce vector embeddings. Voyage is contractually prohibited from using your content to train their models.
• Agent queries — when you ask COFOUND3R a question, the question plus the retrieval context is sent to Anthropic (Claude) to produce the answer. Anthropic does not train on API-tier inputs by default.

• Banking, credit-card, or government-ID numbers (Stripe handles payments).
• Browsing history outside the FOUND3RY app.
• Facial images, biometric data, or location.
• Third-party cookies or cross-site tracking pixels.

Production data sits in a Postgres database operated on Railway (US region) with daily encrypted backups. Embeddings are stored in the same database (pgvector). OAuth tokens are encrypted with a Fernet key held only in our Railway environment. WebSocket and HTTP traffic is TLS-only via a Let's Encrypt certificate on api.found3ry.com.

We share data only with subprocessors strictly necessary to run the service:

• Railway — application hosting and Postgres.
• Vercel — frontend hosting.
• Anthropic — LLM responses for COFOUND3R.
• Voyage AI — text embeddings.
• Stripe — payment processing (when you subscribe).
• Sentry — error monitoring (we scrub tokens before sending).
• GitHub / Linear / Notion — only when you authorize a connector.

We do not sell data. We do not run ad networks.

If you're in the EU, UK, or California you have specific data rights (access, rectification, erasure, portability, objection). Regardless of jurisdiction, FOUND3RY gives every user the same controls:

• Export — request a copy of your workspace data by emailing privacy@found3ry.com.
• Delete — from Settings, the "Delete account" action permanently wipes your workspace, disconnects all OAuth connections, and purges your data within 30 days.
• Disconnect a connector — from Connections, click Disconnect. The access token is revoked and removed from our database.

FOUND3RY is not directed at anyone under 13 and we do not knowingly collect data from children. If you believe a child has registered an account, email privacy@found3ry.com and we will delete it.

If we detect a breach affecting your data we will notify the affected accounts within 72 hours of confirmation and disclose the scope, what we know, and what we're doing about it.

When we change this policy we'll update the "Last updated" date at the top and, for any material change, email all account holders before the change takes effect.

Privacy questions, data requests, or anything that smells wrong: privacy@found3ry.com.