Privacy, in plain English.

1. Who this applies to

"Foundation" is a one-person studio that builds custom internal apps. This policy covers everything on this marketing site and the audit questionnaire. If I've built you an app, that app has its own data handling, agreed in writing during the build, separate from this page.

2. What I collect

• The audit questionnaire. Your name, email, what you told me about your business, your stack, and your goals. Submitted by you, only when you fill out the contact form.
• Newsletter. Your email address, and the fact that you opened or clicked an email, if your client tells me about it.
• Server logs. Short-lived records of which pages were requested and from what general region, kept so I can spot abuse and broken pages. No personal profile is built from these.
• Optional consult booking. Only if you opt into the post-audit consult, a booking provider may process your name, email, timezone and chosen time under its own privacy policy. No booking is created during the audit itself.

I do not collect or store payment card details directly. Audit and build invoices are processed by Stripe, which handles payment data under its own terms.

3. Why I collect it

Three reasons, none of them marketing-tech reasons.

• To run the audit and the work you hired me for (the contract is the legal basis).
• To send you the occasional Notes email if you specifically asked for it (consent is the legal basis, and you can unsubscribe any time).
• To keep this site working and safe (legitimate interest).

4. Who it's shared with

A short list of subprocessors that make the studio run. Each handles a specific job and nothing more.

• Hosting. The marketing site and audit form are hosted by a reputable platform with industry-standard security.
• Email. Confirmation and newsletter delivery via a transactional email provider.
• Booking. A booking provider, used only if you opt into the optional post-audit consult.
• Payments. Stripe for the audit invoice and any build invoices.

I do not sell your data, rent it, trade it, or use it to train AI models. There is no advertising tracking on this site.

5. Cookies & analytics

This site uses one or two strictly necessary cookies, to remember your dark/light preference if you set one, and to keep the audit form working if you navigate away and come back. No third-party advertising or social-media cookies.

If analytics are added later, they will be privacy-respecting (no cross-site tracking, no fingerprinting, no IP-level identification). This page will be updated before any new tool is enabled.

6. How long it's kept

• Audit submissions. Kept for 12 months from your last contact, then deleted, unless you've become a client (in which case it becomes part of your engagement records, kept as long as legally required for accounting).
• Newsletter. Until you unsubscribe.
• Server logs. 30 days, rolling.

7. Your rights

You can ask, at any time, what I hold about you, ask for it to be corrected, or ask for it to be deleted. If you're in the EU/UK, you have the rights GDPR provides (access, rectification, erasure, restriction, portability, objection). Write to me at the email below and I'll respond within 30 days.

8. How to reach me

Email privacy@foundation.example. You'll get a reply from a real person. That's the only kind of person at Foundation.

---

This page is written by a non-lawyer, in plain English, on purpose. It's not a substitute for legal advice. If your work has specific regulatory needs (health, finance, children's data, etc.) we'll address those directly in the build contract.