founder_mode

Privacy Policy

Last updated: 29 April 2026 · Effective: 29 April 2026

1. Who we are

Founder Mode Network ("Founder Mode", "we", "our", "us") is the controller for personal data described in this policy. Contact us at [email protected] for any privacy question or to exercise your rights.

This policy covers foundermode.network, the Founder Mode iOS and macOS apps, and the Founder Mode Discord community bot.

2. The short version

We collect what we need to run the Service: your account, the content you post, and operational data (truncated and hashed IP, basic usage events). We never sell your data, never run ad networks, never use tracking cookies, never request device sensors (camera, photos, microphone, location, contacts), and never use your content to train our own AI models. Our servers and primary storage are in Germany. You can delete your account from Settings → Account → Delete Account at any time.

3. What we collect

3.1 Account & identity

  • Email address and a password hash (when you sign up with email and password).
  • OAuth identifiers from the providers you choose (Discord, GitHub, Apple) — the account ID returned by the provider, your handle, name, and avatar URL. We do not retain provider access, refresh, or ID tokens at rest.
  • Passkey credential identifiers (when you set up a passkey).
  • Authorisations you have granted to MCP clients that connect to your account.

3.2 Profile and content you provide

  • Display name, handle, bio, social links, avatar, banner, location, timezone.
  • Ventures (ideas and projects), posts, direct messages, comments, ratings, bookmarks, follows.
  • Files (images and documents) you upload — stored in our object storage in Germany, with access controlled by short-lived signed URLs.

3.3 Activity and device data

  • Your IP address is retained only as a truncated hash (a /24 network prefix for IPv4, /48 for IPv6) for abuse prevention.
  • Browser and device user agent, session metadata, sign-in timestamps.
  • Actions you take in the Service, captured in our internal activity log.
  • Aggregated, cookieless page-view counters via Plausible Analytics.

3.4 AI usage data

When you use AI features, the prompts you submit and the relevant content from your account are sent to AI processing partners (LLM and image-generation providers in the US, EU, and Asia). We log usage metrics (provider, model, tokens) for billing and abuse-prevention purposes.

3.5 Payment data

Subscriptions are handled by our payments processor. We receive a customer reference, plan, and subscription status. We never receive or store card numbers, CVCs, or full billing details.

3.6 Discord integration

When you sign in with Discord or join the Founder Mode Discord server, we collect your Discord user ID, username, avatar, and guild memberships. The bot also persists messages you post in the Founder Mode server, including edits and deletions, and stores attachments in our object storage.

Why: we maintain a bidirectional link between the Founder Mode Discord community and the website's discussion features, so a conversation in Discord and its counterpart on the website stay in sync. Bot mentions trigger AI processing as described in section 3.4.

If you do not want your Discord activity stored, you can leave the Founder Mode server.

3.7 Native apps

  • Authentication tokens are stored in the iOS or macOS Keychain on your device.
  • Cached images (venture logos, avatars) are stored in the OS-managed cache directory and are automatically purged by the OS.
  • UI preferences (recent searches, draft state, onboarding completion timestamp, "already-seen" coach marks) are stored locally in UserDefaults — on your device only.
  • The apps embed no third-party SDKs, no advertising or analytics frameworks, and no crash-reporting service. We do not use IDFA or App Tracking Transparency.

3.8 Push notifications

When you enable push notifications, your device's push token is sent to our backend and used solely to deliver notifications you have subscribed to (mentions, replies, project updates, etc.). Push tokens are never used for tracking, advertising, or analytics. You can revoke push permission at any time in your device settings.

4. How we use your data

  • Provide and operate the Service (run your account, host your content, deliver notifications).
  • Authenticate you and keep your sessions secure.
  • Communicate with you (transactional email such as verification and password reset, in-app notifications, push, and — only with your consent — product updates).
  • Bill you for paid plans, when applicable.
  • Detect, investigate, and prevent abuse, fraud, and security incidents.
  • Power AI features you trigger and AI features that summarise content for the Service (such as discussion summaries and project legitimacy scoring).
  • Comply with legal obligations.

5. Legal bases (GDPR & UK GDPR)

  • Performance of a contract — for processing necessary to provide the Service, including AI features (which are a core feature of the Service).
  • Legitimate interest — for security, abuse prevention, and basic product analytics.
  • Consent — where we explicitly ask for it (e.g. optional marketing emails). You may withdraw consent at any time.
  • Legal obligation — for tax, accounting, and fraud-prevention records.

6. Sharing & subprocessors

We use third-party processors to operate the Service. The current, named list is published at /legal/subprocessors and updated whenever it changes. Categories include:

  • Payments processor (subscription billing).
  • Transactional email provider.
  • Object storage and compute (in Germany).
  • AI processing partners (LLM and image-generation providers in the US, EU, and Asia).
  • Authentication identity providers you choose (Discord, GitHub, Apple).
  • The Discord platform itself (when you use our community).
  • Cookieless web analytics.

We do not sell your personal information.We do not share your personal information for cross-context behavioural advertising.We do not use your content to train our own AI models. AI processing partners receive your content via their standard APIs; their use of data is governed by their own privacy terms.

7. International transfers

Most of your data is stored in Germany. For non-EU subprocessors we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures appropriate to the destination.

8. Retention

We keep account data for as long as your account exists. When you delete your account:

  • Sessions, OAuth links, passkeys, and MCP authorisations are revoked immediately.
  • Your profile fields (email, name, image, Discord avatar and name) and your handle are anonymised within seconds.
  • Authored content (ventures, posts, direct messages, comments) is anonymised to "[deleted]" in feeds and conversations.
  • Remaining data is fully erased asynchronously, typically within hours and at most within 30 days.

Server logs and IP hashes are retained for up to 30 days for abuse investigation. Legal, billing, and tax records are retained as required by applicable law.

9. Your rights

9.1 GDPR & UK GDPR

If you are in the EU, EEA, or UK, you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased — self-serve via Settings → Account → Delete Account (OTP-confirmed).
  • Restrict or object to processing.
  • Withdraw consent where processing is based on consent.
  • Receive your data in a portable format.
  • Lodge a complaint with your supervisory authority.

Rights other than self-serve deletion are fulfilled on request. Email [email protected] and we will respond within one month.

9.2 California (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we have collected about you.
  • Request that we delete it.
  • Correct inaccurate personal information.
  • Limit our use of sensitive personal information.
  • Not be discriminated against for exercising any of these rights.

We do not sell personal information and we do not share it for cross-context behavioural advertising. Requests can be sent to [email protected].

10. Children

The Service is not intended for users under the age of 16. We do not knowingly collect personal data from anyone under 16. If we learn we have, we will delete it. If you believe a child has provided us with personal data, contact [email protected].

11. Security

  • TLS in transit; HSTS and a strict Content Security Policy on the website.
  • Passwords stored using one-way hashing.
  • Authentication tokens stored in the iOS / macOS Keychain on native apps.
  • Provider OAuth tokens scrubbed at rest — we keep the account ID, not the access token.
  • Your IP address is truncated and hashed rather than retained raw.

No method of transmission over the internet or storage is 100% secure, and we cannot guarantee absolute security.

12. Cookies

We use only strictly-necessary cookies:

  • A Better Auth session cookie (Secure, HttpOnly, 30-day expiry) so you stay signed in.
  • A staging_access cookie on the staging environment only.

Plausible Analytics is cookieless. We set no advertising or cross-site tracking cookies. No consent banner is required because no consent-requiring cookies are set.

13. Native apps & the App Store

Our iOS and macOS apps:

  • Do not collect IDFA or use App Tracking Transparency.
  • Embed no third-party analytics, advertising, or crash-reporting SDKs.
  • Do not request access to your camera, photo library, microphone, location, contacts, Bluetooth, or local network.

Web subscriptions run through our payments processor. If we introduce in-app purchases on iOS, they will use Apple's StoreKit and will additionally be governed by Apple's Privacy Policy.

14. Changes to this policy

We may update this policy as the Service evolves. The "Last updated" and "Effective" dates at the top, and the changelog at the bottom, reflect every revision. Material changes will be announced in-product or by email.

15. Contact us

Privacy questions and rights requests: [email protected].

16. Changelog

  • 29 April 2026 (Effective 29 April 2026) — full rewrite to reflect the current product (accounts, ventures, AI features, native apps, payments, subprocessors). Replaces the December 2024 marketing-site policy.
  • December 2024 (superseded) — original Discord-community privacy policy.