Legal
Privacy Policy
Version 2.0 · Effective 1 June 2026
1. Who we are
Foundry Compliance ("we", "us", "our") is operated by Foundry Compliance Ltd, a company registered in England and Wales (company number 17192669).
Data protection contact: privacy@foundrycompliance.co.uk
2. Data we collect
2a. Website visitors
- Analytics data: We use privacy-respecting analytics (Plausible or Fathom) that collect no personal data and set no cookies. Data collected: page views, referrer source, country. No IP addresses are stored.
- No tracking cookies: The marketing website sets no cookies of any kind.
2b. Early access applicants
When you submit the early access form, we collect:
- Your name and email address (required)
- Practice name and size (optional)
- Standards relevant to your work (optional)
- How you heard about us (optional)
We use this data to assess your application and, if accepted, to set up your account. We do not share this data with third parties except as necessary to deliver email confirmations.
2c. Registered users (product accounts)
- Account credentials: email address and hashed password.
- Session identifier: a random UUID stored in a browser cookie to maintain your session.
- IP address: recorded at the time you accept these Terms, for contract-formation audit purposes.
- Uploaded document metadata: file size only; we do not store raw uploaded files.
- AI processing fields (ai_prompt and ai_raw_output): text snippets extracted from your uploaded specifications during compliance analysis. Retained for 30 days as an audit trail confirming which data was processed to generate your results.
- Assessment parameters and results: building parameters you submit and compliance results returned.
- Subscription data: billing information processed by Stripe. We do not store payment card data directly.
3. How we use your data
- To provide the compliance checking service.
- To assess early access applications and onboard accepted users.
- To record your acceptance of our Terms of Service (contract formation).
- To process subscription payments via Stripe.
- To send operational emails (password reset, account notifications). No marketing emails without consent.
Beta scope: During the early access phase, uploaded specifications and data derived from them are used exclusively to perform the compliance check you request. We do not use uploads for product improvement, model training, feature extraction, or any purpose beyond the specific check requested.
4. Third parties and sub-processors
| Sub-processor | Purpose | Data transferred |
|---|---|---|
| Render | Application hosting | All product data. DPA at render.com/dpa |
| Anthropic | AI compliance analysis | Extracted specification text only |
| Stripe | Payment processing | Billing and subscriber data |
| Plausible / Fathom | Analytics | Anonymised page visit data only, no personal data |
No personal data is shared with any other third party.
5. Data retention
- AI processing fields: deleted after 30 days.
- Assessment records and upload metadata: deleted after 30 days.
- Account data: retained while your account is active. Deleted 30 days after cancellation.
- ToS acceptance records: retained for the duration required to demonstrate legal contract formation.
- Early access application data: retained until you request deletion or 12 months after application, whichever comes first.
6. Cookies
Marketing website (foundrycompliance.co.uk): No cookies are set.
Product application (/app): A single session cookie (sid) which is strictly necessary for the operation of the Service. It is HTTP-only and expires after 365 days.
No advertising or tracking cookies are used.
7. Your rights
Under UK GDPR you have the right to access, rectify, or erase your personal data, and to object to or restrict processing. To exercise these rights, contact us at privacy@foundrycompliance.co.uk.
You can export your full check history at any time from the account settings page.
8. Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of discovery (UK GDPR Article 33). If the breach creates a high risk to you personally, we will also notify you directly.
9. Changes to this policy
We may update this Privacy Policy. The version date at the top indicates when it was last updated. Material changes will be notified via email to registered users at least 30 days in advance.
10. Contact
privacy@foundrycompliance.co.uk
Foundry Compliance Ltd · Company 17192669