Privacy Policy

1. Data controller

The controller responsible for processing your personal data is Foundster Corporate Services FZCO, IFZA Business Park – DDP, Building A1, Dubai Silicon Oasis, United Arab Emirates. License No. 41494 issued by the Dubai Integrated Economic Zones Authority (DIEZ). You can reach us at support@foundster.com.

2. Categories of personal data we process

• Identification & contact data: name, email, phone, nationality, country of residence — provided when you register, contact us or place an order.
• Onboarding & KYC data: passport scan, Emirates ID (where applicable), proof of address, signature samples, beneficial-ownership information — required for company formation under UAE AML/KYC rules.
• Account & usage data: login credentials (hashed), device and browser metadata, IP address, pages visited, actions taken in the CompanyCockpit platform.
• Payment data: processed by Stripe Payments Europe Ltd. (and/or Stripe, Inc.). Foundster never stores full card numbers.
• Affiliate / referral data: click IDs, attribution cookies, conversion events — used by our partner programme (partner.foundster.com).
• Voluntary content: information you provide in chats with Foundster AI, support emails or contact forms.

3. Purposes and legal bases

• To provide and operate the Services — performance of a contract (GDPR Art. 6(1)(b); PDPL Art. 5(2)).
• To comply with statutory obligations (UAE AML/CFT, tax, corporate registry filings) — legal obligation (GDPR Art. 6(1)(c); PDPL Art. 5(4)).
• To improve the platform, prevent fraud and maintain security — legitimate interest (GDPR Art. 6(1)(f); PDPL Art. 5(7)).
• To send transactional and, where you consented, marketing communications — consent (GDPR Art. 6(1)(a); PDPL Art. 4(1)).
• To run the affiliate programme — performance of contract with affiliates and legitimate interest in fair attribution.

4. Cookies, local storage and tracking

We use strictly-necessary cookies for authentication, language preference and partner attribution (365-day cookie). Where required by law we ask for your consent before setting non-essential analytics cookies. You can clear cookies and local storage at any time in your browser settings.

5. Recipients and processors

• Stripe — payment processing (Ireland / United States).
• Google Cloud / Google AI (Gemini API) — AI assistant and infrastructure (Belgium / United States).
• Replit, Inc. — hosting and deployment (United States).
• Email-delivery and customer-support tools under data-processing agreements.
• We do not sell your personal data.

6. International data transfers

Personal data may be processed outside the UAE (notably in the EU/EEA and the United States). Where we transfer data internationally, we rely on Standard Contractual Clauses, adequacy decisions or — under PDPL Art. 22 — equivalent safeguards. A copy of the safeguards in place is available on request.

7. Retention

We retain personal data only as long as necessary for the purposes set out above and to comply with UAE corporate, AML and tax retention rules (typically up to 5 years after the end of the business relationship, or longer if required by law).

8. Your rights

Subject to UAE PDPL and (where applicable) GDPR, you have the right to access your data, request correction or erasure, restrict or object to processing, withdraw consent and request portability. You may also lodge a complaint with the UAE Data Office or your local supervisory authority. To exercise any right, write to support@foundster.com.

9. Security

We apply technical and organisational measures appropriate to the risk: TLS 1.3 in transit, AES-256 at rest, role-based access, audit logging and least-privilege principles.

10. Changes to this policy

We update this policy when our processing practices change. The current version is dated above. Material changes will be communicated via email or in-app notice.