founder_mode

Privacy Policy

Last updated: 2 May 2026 · Effective: 29 April 2026

1. Who we are

Founder Mode Network ("Founder Mode", "we", "our", "us") is the controller for personal data described in this policy. Contact us at [email protected] for any privacy question or to exercise your rights.

This policy covers foundermode.network, the Founder Mode iOS and macOS apps, and the Founder Mode Discord community bot.

2. The short version

We collect what we need to run the Service: your account, the content you post, and operational data (truncated and hashed IP, basic usage events). We never sell your data, never run ad networks, never use tracking cookies, never request device sensors (camera, photos, microphone, location, contacts), and never use your content to train our own AI models. Our servers and primary storage are in Germany. You can delete your account from Settings → Account → Delete Account at any time.

3. What we collect

3.1 Account & identity

  • Email address and a password hash (when you sign up with email and password).
  • OAuth identifiers from the providers you choose (Discord, GitHub, Apple) — the account ID returned by the provider, your handle, name, and avatar URL. We do not retain provider access, refresh, or ID tokens at rest.
  • Passkey credential identifiers (when you set up a passkey).
  • Authorisations you have granted to MCP clients that connect to your account.

3.2 Profile and content you provide

  • Display name, handle, bio, social links, avatar, banner, location, timezone.
  • Ventures (ideas and projects), posts, direct messages, comments, ratings, bookmarks, follows.
  • Files (images and documents) you upload — stored in our object storage in Germany, with access controlled by short-lived signed URLs.

3.3 Activity and device data

  • Your IP address is retained only as a truncated hash (a /24 network prefix for IPv4, /48 for IPv6) for abuse prevention.
  • Browser and device user agent, session metadata, sign-in timestamps.
  • Actions you take in the Service, captured in our internal activity log.
  • Aggregated, cookieless page-view counters via Plausible Analytics.

3.4 AI usage data

Some AI features run when you trigger them (for example, generating an idea description or a project image). Other AI features run automatically when you post content. The current automatic features are: periodic summaries of active venture discussions when participation crosses an activity threshold, and a project legitimacy score that is computed when a project is created or its content changes.

Both kinds of feature send the relevant content from your account to third-party AI processing partners. Our current named partners are Google (Gemini, primary large-language-model and embeddings provider, United States), Zhipu AI / GLM (fallback large-language-model provider used when Gemini is unavailable, China), fal.ai (image generation, United States), and LangChain (LangSmith, observability and tracing of LLM calls, United States). The full, current list is published at /legal/subprocessors.

To enable semantic search and retrieval-augmented AI features, we generate vector embeddings of your text content (ideas, projects, posts, comments, documents, and Discord messages persisted from the Founder Mode server) using Google's embeddings API. The vectors and the chunked source text are stored on our servers in Germany (PostgreSQL with pgvector); their retention follows the source content — deleted when you delete the underlying content, and anonymised when the source content is anonymised under section 8.

We log usage metrics (provider, model, tokens) for billing and abuse-prevention purposes. We do not use your content to train our own AI models, and we do not pass your content to AI partners' training datasets.

3.5 Payment data

Subscriptions are handled by our payments processor. We receive a customer reference, plan, and subscription status. We never receive or store card numbers, CVCs, or full billing details.

3.6 Discord integration

When you sign in with Discord or join the Founder Mode Discord server, we collect your Discord user ID, username, avatar, and guild memberships. The bot also persists messages you post in the Founder Mode server, including edits and deletions, and stores attachments in our object storage.

Why: we maintain a bidirectional link between the Founder Mode Discord community and the website's discussion features, so a conversation in Discord and its counterpart on the website stay in sync. Bot mentions trigger AI processing as described in section 3.4.

For members of the Founder Mode Discord server only, we additionally record online and offline status transitions (online, idle, do-not-disturb, offline) so we can surface contributor activity signals on the website. We store one row per status transition with the old status, the new status, and a timestamp; we do not store rich-presence details (the application or game you are using). These rows are deleted when you delete your account.

We only persist messages, attachments, and presence transitions from the Founder Mode Discord server. Activity in other Discord servers is not stored, even if our bot is present in them.

If you do not want your Discord activity stored, you can leave the Founder Mode server.

3.7 Native apps

  • Authentication tokens are stored in the iOS or macOS Keychain on your device.
  • Cached images (venture logos, avatars) are stored in the OS-managed cache directory and are automatically purged by the OS.
  • UI preferences (recent searches, draft state, onboarding completion timestamp, "already-seen" coach marks) are stored locally in UserDefaults — on your device only.
  • The apps embed no third-party SDKs, no advertising or analytics frameworks, and no crash-reporting service. We do not use IDFA or App Tracking Transparency.

3.8 Push notifications

When you enable push notifications, your device's push token is sent to our backend and used solely to deliver notifications you have subscribed to (mentions, replies, project updates, etc.). Push tokens are never used for tracking, advertising, or analytics. You can revoke push permission at any time in your device settings.

4. How we use your data

  • Provide and operate the Service (run your account, host your content, deliver notifications).
  • Authenticate you and keep your sessions secure.
  • Communicate with you (transactional email such as verification and password reset, in-app notifications, push, and — only with your consent — product updates).
  • Bill you for paid plans, when applicable.
  • Detect, investigate, and prevent abuse, fraud, and security incidents.
  • Power AI features you trigger and AI features that summarise content for the Service (such as discussion summaries and project legitimacy scoring).
  • Comply with legal obligations.

5. Legal bases (GDPR & UK GDPR)

  • Performance of a contract — for processing necessary to provide the Service, including AI features (which are a core feature of the Service).
  • Legitimate interest — for security, abuse prevention, and basic product analytics.
  • Consent — where we explicitly ask for it (e.g. optional marketing emails). You may withdraw consent at any time.
  • Legal obligation — for tax, accounting, and fraud-prevention records.

6. Sharing & subprocessors

We use third-party processors to operate the Service. The current, named list is published at /legal/subprocessors and updated whenever it changes. Categories include:

  • Payments processor (subscription billing).
  • Transactional email provider.
  • Object storage and compute (in Germany).
  • AI processing partners (LLM and image-generation providers in the US, EU, and Asia).
  • Authentication identity providers you choose (Discord, GitHub, Apple).
  • The Discord platform itself (when you use our community).
  • Cookieless web analytics.

We do not sell your personal information.We do not share your personal information for cross-context behavioural advertising.We do not use your content to train our own AI models. AI processing partners receive your content via their standard APIs; their use of data is governed by their own privacy terms.

7. International transfers

Most of your data is stored in Germany. When personal data flows to a service outside the EU/EEA, we apply transport-layer encryption and pass only the minimum content the service needs to do its job. Each non-EU service operates under its own published privacy terms, linked from /legal/subprocessors.

If you have concerns about a specific subprocessor or transfer, email [email protected].

8. Retention

We keep account data for as long as your account exists. When you delete your account:

  • Sessions, OAuth links, passkeys, and MCP authorisations are revoked immediately.
  • Your profile fields (email, name, image, Discord avatar and name) and your handle are anonymised within seconds.
  • Authored content (ventures, posts, direct messages, comments) is anonymised to "[deleted]" in feeds and conversations.
  • Remaining data is fully erased asynchronously, typically within hours and at most within 30 days.

Server logs and IP hashes are retained for up to 30 days for abuse investigation. Legal, billing, and tax records are retained as required by applicable law.

9. Your rights

9.1 GDPR & UK GDPR

If you are in the EU, EEA, or UK, you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased — self-serve via Settings → Account → Delete Account (OTP-confirmed).
  • Restrict or object to processing.
  • Withdraw consent where processing is based on consent.
  • Receive your data in a portable format.
  • Lodge a complaint with your supervisory authority.

Rights other than self-serve deletion are fulfilled on request. Email [email protected] and we will respond within one month.

9.2 California (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we have collected about you.
  • Request that we delete it.
  • Correct inaccurate personal information.
  • Limit our use of sensitive personal information.
  • Not be discriminated against for exercising any of these rights.

We do not sell personal information and we do not share it for cross-context behavioural advertising. Requests can be sent to [email protected].

10. Children

The Service is not intended for users under the age of 16. We do not knowingly collect personal data from anyone under 16. If we learn we have, we will delete it. If you believe a child has provided us with personal data, contact [email protected].

11. Security

  • TLS in transit; HSTS and a strict Content Security Policy on the website.
  • Passwords stored using one-way hashing.
  • Authentication tokens stored in the iOS / macOS Keychain on native apps.
  • Provider OAuth tokens scrubbed at rest — we keep the account ID, not the access token.
  • Your IP address is truncated and hashed rather than retained raw.

No method of transmission over the internet or storage is 100% secure, and we cannot guarantee absolute security.

12. Cookies

We use only strictly-necessary cookies:

  • A Better Auth session cookie (Secure, HttpOnly, 30-day expiry) so you stay signed in.
  • A staging_access cookie on the staging environment only.

Plausible Analytics is cookieless. We set no advertising or cross-site tracking cookies. No consent banner is required because no consent-requiring cookies are set.

13. Native apps & the App Store

Our iOS and macOS apps:

  • Do not collect IDFA or use App Tracking Transparency.
  • Embed no third-party analytics, advertising, or crash-reporting SDKs.
  • Do not request access to your camera, photo library, microphone, location, contacts, Bluetooth, or local network.

Web subscriptions run through our payments processor. If we introduce in-app purchases on iOS, they will use Apple's StoreKit and will additionally be governed by Apple's Privacy Policy.

14. Changes to this policy

We may update this policy as the Service evolves. The "Last updated" and "Effective" dates at the top, and the changelog at the bottom, reflect every revision. Material changes will be announced in-product or by email.

15. Contact us

Privacy questions and rights requests: [email protected].

16. Changelog

  • 2 May 2026 — clarification revision. Named the AI processing partners individually (Google Gemini, Zhipu / GLM, fal.ai, LangSmith); disclosed that certain AI features (discussion summaries, legitimacy scoring) run automatically; disclosed vector embeddings of user content; clarified Discord persistence is scoped to the Founder Mode server only and added presence-transition disclosure. Simplified section 7 (international transfers) to plain language describing what we actually do, and split the subprocessors page into "Processors" and "Independent third parties" tables for clarity. No new categories of personal data are processed.
  • 29 April 2026 (Effective 29 April 2026) — full rewrite to reflect the current product (accounts, ventures, AI features, native apps, payments, subprocessors). Replaces the December 2024 marketing-site policy.
  • December 2024 (superseded) — original Discord-community privacy policy.