Privacy Policy

Last updated: [INSERT DATE]

This Privacy Policy explains how FoundryDoc (Kosma Lenar ADHOC) collects, uses, shares, and protects personal data, and describes your rights under GDPR/UK GDPR and other applicable laws.

[NOTE: THIS IS A TEMPLATE AND REQUIRES LOCAL LEGAL REVIEW IN POLAND / EU / UK / US.]

1. DATA CONTROLLER

1.1. The data controller is:

  • Kosma Lenar ADHOC
  • Address: ul. Modrzewiowa 11, 32-020 Wieliczka, Poland
  • Email: hello@foundrydoc.com

(“FoundryDoc”, “we”, “us”).

2. PERSONAL DATA WE COLLECT

2.1. Identification Data

  • Name (if provided)
  • Email address
  • Company or project name (optional, if provided in forms)

2.2. Billing & Transaction Data

Processed primarily by Stripe/Gumroad:

  • payment card details (handled exclusively by the payment processor, not stored by FoundryDoc);
  • billing address (if requested by the processor);
  • transaction details (amount, currency, time, product purchased).

FoundryDoc receives only high-level transaction information necessary for record-keeping (e.g., payment status, product, amount).

2.3. Analytics & Technical Data

Via privacy-focused analytics tools:

  • pages visited and general navigation;
  • clicks and events;
  • approximate location (city/country) inferred from anonymised or truncated IP;
  • device type (desktop, mobile, tablet), browser type and operating system;
  • referral source (e.g., search engine, social media link).

We do not use advertising trackers, cross-site behavioural profiling, or third-party marketing cookies.

2.4. Intake Form & User Input Data

For personalised or semi-customised products, we may collect:

  • your role (e.g., founder, marketer, consultant);
  • information about your niche, industry or product;
  • your goals and preferences relevant to the report.

We advise you not to include sensitive personal data in these fields.

2.5. Special Categories of Personal Data

We do not intentionally collect sensitive data, such as:

  • health data;
  • political opinions;
  • religious or philosophical beliefs;
  • genetic or biometric data;
  • sexual orientation;
  • government-issued ID numbers.

If such data is inadvertently provided, we will attempt to ignore or delete it where feasible.

3. PURPOSES AND LEGAL BASES

We process personal data only when we have a lawful basis under GDPR/UK GDPR.

3.1. To Provide Products and Services

  • Purpose: process orders, deliver digital products, handle customer relations.
  • Data: identification data, transaction data, intake form data.
  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

3.2. To Operate and Improve the Website

  • Purpose: understand how visitors use our website, improve content and usability.
  • Data: analytics and technical data.
  • Legal basis:
    • legitimate interests (Art. 6(1)(f) GDPR) in running and improving the website; and/or
    • consent (Art. 6(1)(a) GDPR) for non-essential cookies in EU/UK.

3.3. To Communicate with You

  • Purpose: respond to inquiries, send order confirmations, deliver products, send service notices.
  • Data: identification data, communication content.
  • Legal basis: performance of contract (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)).

3.4. To Comply with Legal Obligations

  • Purpose: accounting, tax, and legal compliance; responding to lawful requests.
  • Data: identification and transaction data, as required.
  • Legal basis: legal obligation (Art. 6(1)(c)).

3.5. To Improve Our Services (Aggregated / Anonymised Data)

  • Purpose: analyse aggregated trends, product performance, and demand patterns.
  • Data: largely aggregated or anonymised data derived from usage and orders.
  • Legal basis: legitimate interests (Art. 6(1)(f)).

We do not use personal data for targeted advertising or sell personal data to third parties.

4. DATA RETENTION

We retain personal data for no longer than necessary:

  • Order and billing records: generally 5–7 years, to meet tax and accounting obligations.
  • Customer communications: typically up to 3 years after the last interaction, or as required by law.
  • Analytics data: typically 12–24 months, depending on the analytics tool.
  • Intake forms and related context: generally up to 3 years after product delivery, unless deletion is requested earlier and legally permissible.

When data is no longer needed, it is deleted or anonymised.

5. DATA SHARING

We may share data with:

  • Payment processors (e.g., Stripe, Gumroad) – to process payments.
  • Hosting/Infrastructure providers (e.g., web hosting, cloud storage) – to operate the Service.
  • Email and communication providers – to send transactional emails and receive inquiries.
  • Analytics providers – to collect aggregated usage statistics.
  • AI model providers – where your text inputs are processed by AI models under contractual terms.
  • Professional advisers (e.g., accountants, lawyers) – where necessary.
  • Authorities – where required by law or to protect rights and safety.

We require processors to use personal data only as needed to provide their services and to protect it appropriately.

6. INTERNATIONAL TRANSFERS

6.1. Data may be processed in:

  • the EU,
  • the UK,
  • the US,
  • other countries with suitable cloud infrastructure.

6.2. Where data is transferred outside the EEA/UK to a country without an adequacy decision, we rely on appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs);
  • other lawful transfer mechanisms, as applicable.

7. YOUR RIGHTS (EU / UK)

Subject to conditions and exceptions, you may have the following rights:

  • Access: obtain confirmation and a copy of personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of data where it is no longer needed or processed unlawfully.
  • Restriction: request restriction of processing in certain circumstances.
  • Portability: receive data you provided in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Objection: object to processing based on legitimate interests, including profiling.
  • Withdrawal of consent: where processing is based on consent, you can withdraw it at any time.

To exercise your rights, contact us at hello@foundrydoc.com.

You also have the right to lodge a complaint with your local data protection authority. In Poland, this is UODO (Urząd Ochrony Danych Osobowych).

8. CALIFORNIA & OTHER US PRIVACY RIGHTS

8.1. If CCPA/CPRA or similar laws apply, California residents may have rights to:

  • know categories of personal information collected and purposes;
  • request deletion of certain personal information;
  • opt out of “sale” or “sharing” of personal information.

8.2. FoundryDoc does not sell personal information as defined under CCPA/CPRA.

9. COOKIES & TRACKING

Our use of cookies and tracking technologies is described in the Cookie & Tracking Policy. In summary:

  • essential cookies are required for site operation;
  • non-essential cookies (e.g., analytics) may require consent in EU/UK;
  • you can manage cookies via your browser and any consent tool we provide.

10. SECURITY

We implement reasonable technical and organisational measures, such as:

  • HTTPS encryption;
  • access controls;
  • secure configurations and updates;
  • data minimisation and limited retention.

However, no system is completely secure; we cannot guarantee absolute security.

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy periodically. Changes will be indicated by an updated “Last updated” date; material changes may be notified separately (e.g., on the website or by email, where appropriate).