Privacy Policy

Last updated: May 2026

This Privacy Policy explains how Foundster Corporate Services FZCO ("Foundster", "we", "us") collects, uses, discloses and safeguards personal data when you visit foundster.com, app.foundster.com or partner.foundster.com (the "Services").

We process personal data in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and, where applicable to visitors located in the European Economic Area or the United Kingdom, the EU/UK General Data Protection Regulation (GDPR).

1. Data controller

The controller responsible for processing your personal data is Foundster Corporate Services FZCO, IFZA Business Park – DDP, Building A1, Dubai Silicon Oasis, United Arab Emirates. Foundster holds License No. 41494, issued by the Dubai Integrated Economic Zones Authority (DIEZ). You can reach us at support@foundster.com.

2. Categories of personal data we process

  • Identification & contact data: name, email, phone, nationality, country of residence — provided when you register, contact us or place an order.
  • Onboarding & KYC data: passport scan, Emirates ID (where applicable), proof of address, signature samples, beneficial-ownership information — required for company formation under UAE AML/KYC rules.
  • Account & usage data: login credentials (hashed), device and browser metadata, IP address, pages visited, actions taken in the CompanyCockpit platform.
  • Payment data: processed by Stripe Payments Europe Ltd. (and/or Stripe, Inc.). Foundster never stores full card numbers.
  • Affiliate / referral data: click IDs, attribution cookies, conversion events — used by our partner programme (partner.foundster.com).
  • Voluntary content: information you provide in chats with Foundster AI, support emails or contact forms.

3. Purposes and legal bases

  • To provide and operate the Services — performance of a contract (GDPR Art. 6(1)(b); PDPL Art. 5(2)).
  • To comply with statutory obligations (UAE AML/CFT, tax, corporate registry filings) — legal obligation (GDPR Art. 6(1)(c); PDPL Art. 5(4)).
  • To improve the platform, prevent fraud and maintain security — legitimate interest (GDPR Art. 6(1)(f); PDPL Art. 5(7)).
  • To send transactional and, where you consented, marketing communications — consent (GDPR Art. 6(1)(a); PDPL Art. 4(1)).
  • To run the affiliate programme — performance of contract with affiliates and legitimate interest in fair attribution.

3a. Tax Check tool (foundster.com/tax-check)

The Tax Check is a free, anonymous self-serve tool that produces a personalised UAE tax-relocation analysis. The data flow differs from the rest of our Services and we want to be specific:

  • Form answers (tax residence, employment, shareholdings, premises, management location, business model): processed in-memory to run the rules engine and the AI narrator. Not persisted to our database. Legal basis: GDPR Art. 6(1)(b) / PDPL Art. 5(2) — performance of the service you requested.
  • Free-text "context notes" you optionally provide: sanitised against prompt-injection, sent to Google's Gemini AI (in Belgium / the EU) for the duration of the report generation, then discarded with the rest of the form data.
  • The generated report: stored under a server-minted, HMAC-signed token for up to 30 minutes so you can unlock it with your email after seeing the teaser. After unlock or expiry, the report is deleted from our pending-store within 60 minutes.
  • Email + name (only after explicit Lead-Form submission): stored to deliver the report by email and — if you ticked the optional marketing checkbox — for occasional Foundster updates. Legal basis: consent (GDPR Art. 6(1)(a) / PDPL Art. 4(1)).
  • Anonymous IP-hash: a SHA-256 hash of your IP address is held in memory for 24 hours to enforce the per-day rate limit (max 3 Tax Checks per IP). The raw IP address is never stored. Legal basis: legitimate interest in service availability (GDPR Art. 6(1)(f) / PDPL Art. 5(7)).
  • Marketing follow-up: only if you opt in. Maximum three follow-up emails (report-feedback at day +2, specialist-call invite at day +14). One-click unsubscribe in every mail.
  • Right to deletion: write to support@foundster.com — we delete your Tax Check Lead within 30 days, faster on request.

4. Cookies, local storage and tracking

We use strictly-necessary cookies for authentication, language preference, partner attribution and the order-wizard session. These are exempt from consent requirements (GDPR Recital 30 / ePrivacy Directive Art. 5(3) second sentence) because the site cannot function without them.

With your explicit consent we additionally load Google Analytics 4 (operated by Google Ireland Ltd. as joint controller / Google LLC) to understand aggregate usage of foundster.com. We run Analytics in Google Consent Mode v2 with the default state set to `denied` — no Analytics request leaves your browser until you click "Accept" on the cookie banner. We enable IP anonymization (`anonymize_ip`) and disable Google signals and ad personalization. Legal basis: your consent (GDPR Art. 6(1)(a) / PDPL Art. 4(1)). You can withdraw your consent at any time via Cookie Settings in the footer or by clearing cookies in your browser.

  • `foundster_consent_v2` (essential, set by us) — remembers your cookie choice (`granted` / `denied`); 12 months.
  • `_ga` (analytics, only after consent) — distinguishes users for Google Analytics; 24 months.
  • `_ga_<container-id>` (analytics, only after consent) — session state for Google Analytics; 24 months.
  • Local storage — language preference, partner-attribution cookie (365 days), order-wizard draft state. No third party reads this storage.

5. Recipients and processors

  • Stripe — payment processing (Ireland / United States).
  • Google Cloud / Google AI (Gemini API) — AI assistant, Tax Check narrator, and infrastructure (Belgium / United States).
  • Google Ireland Ltd. / Google LLC — Google Analytics 4 (Ireland / United States), only after you accept the analytics consent.
  • Mailgun (Sinch) — transactional email delivery (Ireland / United States) for Tax Check reports, order confirmations and admin notifications.
  • Replit, Inc. — hosting and deployment (United States).
  • Customer-support tools under data-processing agreements.
  • We do not sell your personal data.

6. International data transfers

Personal data may be processed outside the UAE (notably in the EU/EEA and the United States). Where we transfer data internationally, we rely on Standard Contractual Clauses, adequacy decisions or — under PDPL Art. 22 — equivalent safeguards. A copy of the safeguards in place is available on request.

7. Retention

We retain personal data only as long as necessary for the purposes set out above and to comply with UAE corporate, AML and tax retention rules (typically up to 5 years after the end of the business relationship, or longer if required by law).

8. Your rights

Subject to UAE PDPL and (where applicable) GDPR, you have the right to access your data, request correction or erasure, restrict or object to processing, withdraw consent and request portability. You may also lodge a complaint with the UAE Data Office or your local supervisory authority. To exercise any right, write to support@foundster.com.

9. Security

We apply technical and organisational measures appropriate to the risk: TLS 1.3 in transit, AES-256 at rest, role-based access, audit logging and least-privilege principles.

10. Changes to this policy

We update this policy when our processing practices change. The current version is dated above. Material changes will be communicated via email or in-app notice.

Questions or requests regarding personal data: support@foundster.com. We respond within 30 days as required by PDPL and GDPR.