
Privacy Policy

Last updated: May 2026

This Privacy Policy explains how Foundster Corporate Services FZCO ("Foundster") collects, uses, discloses and safeguards personal data when you visit foundster.com, app.foundster.com or partner.foundster.com (the "Services").

We process personal data in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and, for visitors located in the European Economic Area or the United Kingdom, the EU/UK GDPR. For visitors located in India, we also align with the principles of the Digital Personal Data Protection Act, 2023 (DPDPA).

1. Data controller

The controller is Foundster Corporate Services FZCO, IFZA Business Park – DDP, Building A1, Dubai Silicon Oasis, United Arab Emirates. License No. 41494 issued by DIEZ. Contact: support@foundster.com.

2. Categories of personal data we process

  • Identification & contact data: name, email, phone, nationality, country of residence.
  • Onboarding & KYC data: passport scan, Emirates ID (where applicable), proof of address, signature samples, beneficial-ownership data — required under UAE AML/KYC.
  • Account & usage data: hashed credentials, device metadata, IP, pages visited, actions in CompanyCockpit.
  • Payment data: handled by Stripe; Foundster never stores full card numbers.
  • Affiliate / referral data: click IDs, attribution cookies, conversion events.
  • Voluntary content: chats with Foundster AI, support emails, contact forms.

3. Purposes and legal bases

  • To provide the Services — performance of contract.
  • To comply with statutory obligations (UAE AML/CFT, tax, corporate filings) — legal obligation.
  • To improve the platform, prevent fraud and maintain security — legitimate interest.
  • Transactional and (with consent) marketing communications — consent.
  • Affiliate programme — performance of contract and legitimate interest.

3a. Tax Check tool (foundster.com/tax-check)

Tax Check is a free, anonymous self-serve tool that produces a personalised UAE tax-relocation analysis. The data flow differs from the rest of our Services:

  • Form answers: processed in-memory to run the rules engine and AI narrator. Not persisted. Legal basis: GDPR Art. 6(1)(b) / PDPL Art. 5(2) — service performance.
  • Optional context free-text: sanitised against prompt-injection, sent to Google Gemini AI (Belgium/EU) for the duration of report generation, then discarded.
  • Generated report: stored under an HMAC-signed token for max 30 minutes until you unlock it via email. Deleted within 60 minutes of unlock or expiry.
  • Email + name (only after explicit Lead-Form submission): stored to deliver the report and — if you ticked the optional marketing checkbox — for occasional Foundster updates. Legal basis: consent.
  • Anonymous IP-hash: SHA-256 hash held 24h in memory for rate limiting (max 3 checks per IP per day). Raw IP never stored.
  • Marketing follow-up: opt-in only. Maximum three follow-up emails. One-click unsubscribe.
  • Right to deletion: write to support@foundster.com — we delete your Tax Check Lead within 30 days.

4. Cookies, local storage and tracking

We use strictly-necessary cookies for authentication, language preference, partner attribution and the order-wizard session. These are exempt from consent requirements (GDPR Recital 30 / ePrivacy Directive Art. 5(3) second sentence) because the site cannot function without them.

With your explicit consent we additionally load Google Analytics 4 (operated by Google Ireland Ltd. as joint controller / Google LLC) to understand aggregate usage of foundster.com. We run Analytics in Google Consent Mode v2 with the default state set to `denied` — no Analytics request leaves your browser until you click "Accept" on the cookie banner. We enable IP anonymization (`anonymize_ip`) and disable Google signals and ad personalization. Legal basis: your consent (GDPR Art. 6(1)(a) / PDPL Art. 4(1)). You can withdraw your consent at any time via Cookie Settings in the footer or by clearing cookies in your browser.

  • `foundster_consent_v2` (essential, set by us) — remembers your cookie choice (`granted` / `denied`); 12 months.
  • `_ga` (analytics, only after consent) — distinguishes users for Google Analytics; 24 months.
  • `_ga_<container-id>` (analytics, only after consent) — session state for Google Analytics; 24 months.
  • Local storage — language preference, partner-attribution cookie (365 days), order-wizard draft state. No third party reads this storage.

5. Recipients and processors

  • Stripe — payment processing (Ireland / United States).
  • Google Cloud / Google AI (Gemini API) — AI assistant, Tax Check narrator and infrastructure (Belgium / United States).
  • Google Ireland Ltd. / Google LLC — Google Analytics 4 (Ireland / United States), only after you accept the analytics consent.
  • Mailgun (Sinch) — transactional email delivery (Ireland / United States) for Tax Check reports and order confirmations.
  • Replit, Inc. — hosting (United States).
  • Support tools under data-processing agreements.
  • We do not sell your personal data.

6. International data transfers

Personal data may be processed outside the UAE (notably EU/US). For transfers we rely on Standard Contractual Clauses, adequacy decisions or — under PDPL Art. 22 — equivalent safeguards. Copies of safeguards are available on request.

7. Retention

Personal data is retained only as long as necessary for the purposes above and for UAE statutory retention (typically up to 5 years after the end of the business relationship).

8. Your rights

Under PDPL, GDPR (where applicable) and DPDPA principles, you have the right to access, rectify, erase, restrict and object to processing, withdraw consent and request portability. You may complain to the UAE Data Office or your local supervisory authority. Write to support@foundster.com.

9. Security

We apply technical and organisational measures appropriate to the risk: TLS 1.3 in transit, AES-256 at rest, role-based access, audit logging.

10. Changes to this policy

We update this policy when our processing practices change. Material changes will be communicated via email or in-app notice.

Questions or requests regarding personal data: support@foundster.com. We respond within 30 days as required by PDPL and GDPR.