Privacy Policy
Last updated May 1, 2026
1. Scope
This Privacy Policy explains how Foundry Planning, Inc. (“Foundry”) handles personal information collected from advisors and Firms that use our application. For personal information about a Firm’s clients that the Firm uploads to Foundry, the Firm is the controller and Foundry is the processor; the terms of our Data Processing Addendum govern that data.
2. Information we collect
From you, directly
- Account identity: name, email, Firm name, role within the Firm.
- Authentication factors: passwords (hashed by Clerk), MFA factors, passkeys.
- Billing identity: legal Firm name, billing email, payment method (handled directly by Stripe; we do not see card numbers).
- Application content you choose to upload: client financial data, scenarios, documents for AI document import.
- Support correspondence.
Automatically
- Application logs (request paths, error stack traces with PII redacted, performance metrics).
- Standard cookies for session management (set by Clerk) and CSRF protection.
- Limited device metadata (user-agent, approximate region from IP for fraud and rate-limit purposes).
3. How we use information
- To operate, maintain, and improve the Service.
- To authenticate users and enforce role-based access.
- To bill and collect fees.
- To detect, prevent, and respond to fraud, abuse, and security incidents.
- To communicate with you about your account, security, billing, and product updates.
- To comply with legal obligations.
We do not sell personal information. We do not use Firm or Firm client data to train AI models; AI document import uses Azure OpenAI under a no-training tenancy.
4. Legal bases (where applicable)
Where the GDPR or comparable laws apply, we process personal information under one of: (a) performance of contract, (b) legitimate interests in operating and securing the Service, (c) legal obligation, or (d) consent where specifically requested.
5. Sharing and subprocessors
We share information only with vendors processing on our behalf under written agreements that mirror our obligations. The current subprocessor list is at docs/vendors.md (also linked from our DPA). We may disclose information when required by law, to protect our rights or others’ safety, or in connection with a corporate transaction (with notice where permitted).
6. Retention
We retain Firm and client data for the life of the subscription. On cancellation, Firm data enters a 30-day read-only grace window for export. After 90 days post-cancellation, Firm data is purged from production stores; backups are rotated out within 35 days thereafter. Audit logs are retained for seven years for regulatory and SOC 2 purposes.
7. Security
Foundry encrypts data in transit with TLS and at rest via Neon’s managed Postgres. Access controls, audit logging, and incident response are described in our Data Processing Addendum.
8. Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or port the personal information we hold about you, and to object to or restrict certain processing. To exercise these rights, email support@foundryplanning.com. For requests about a Firm’s client data, contact the Firm directly; we will support the Firm’s response.
9. International transfers
Foundry stores application data in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. We rely on the Standard Contractual Clauses or equivalent mechanisms where required.
10. Children
The Service is intended for businesses; we do not knowingly collect personal information from children under 16. If you believe a child has provided information, email us and we will delete it.
11. Changes
We will post any updates here with a new effective date and, for material changes, notify the Firm owner of record at least 30 days in advance.
12. Contact
Foundry Planning, Inc. — questions about this policy: support@foundryplanning.com.