Privacy Policy

Effective date: May 15, 2026

1. Who We Are

FounderSold(“we”, “us”, or “our”) operates foundersold.com, an open database of indie startup acquisitions. We are the data controller for the personal data collected through this Service.

If you have any questions about how we handle your data, contact us at foundersold@gmail.com.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account data

When you create an account, we collect your email address and optionally your name and profile picture (if you sign in with a social provider such as Google or GitHub via Supabase Auth).

2.2 Payment data

Pro plan payments are processed by Stripe. We store only your Stripe customer ID and subscription status — we never see or store your full card number. Stripe's privacy policy governs their handling of payment information.

2.3 Usage data

We collect standard server logs including IP addresses, browser user-agent strings, pages visited, and timestamps. This data is used to operate and secure the Service (rate limiting, abuse prevention) and is not sold or shared for advertising purposes.

2.4 Newsletter data

If you subscribe to our newsletter, we store your email address and optionally your name. You can unsubscribe at any time via the link in any newsletter email.

2.5 Submission data

If you submit an exit story through our submission tool, we collect the information you provide (company name, description, exit details, source URL). Approved submissions become part of the public database.

2.6 Cookies and local storage

We use session cookies set by Supabase for authentication and, only with your consent, Google Analytics cookies. We do not currently use advertising cookies. For the full list of cookies, their purpose and duration, and how to withdraw consent, see our Cookie Policy. You can also control cookies through your browser settings.

3. How We Use Your Data

Purpose	Data used	Legal basis
Provide and maintain the Service	Account data, session	Contract performance
Process payments	Stripe customer ID	Contract performance
Send transactional emails (auth, receipts)	Email address	Contract performance
Send newsletter (if subscribed)	Email, name	Consent
Prevent abuse and enforce rate limits	IP, user-agent	Legitimate interest
Security audit logging	IP, user-agent, action	Legitimate interest
Comply with legal obligations	As required	Legal obligation

4. Data Sharing and Third Parties

We do not sell your personal data. We share it only with the following sub-processors, strictly to operate the Service:

Supabase — authentication and database hosting (EU region, AWS eu-west-1).
Stripe— payment processing. Subject to Stripe's own privacy policy.
Vercel — application hosting and CDN (edge network globally, data processing in EU where possible).
Upstash — Redis-based rate limiting. Stores hashed IP addresses transiently with a 1-minute TTL.
Resend — transactional email delivery. Processes recipient email addresses.

We may also disclose your data if required to do so by law or in response to valid requests by public authorities (e.g., a court order).

5. Data Retention

Account data — retained as long as your account is active, and for up to 90 days after deletion to allow account recovery.
Payment records — retained for 7 years for tax and accounting compliance.
Server logs — retained for 30 days, then automatically deleted.
Audit logs — retained for 12 months for security purposes, then deleted.
Newsletter subscriptions — retained until you unsubscribe.

6. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate or incomplete data.
Erasure— request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
Restriction — request that we restrict processing of your data in certain circumstances.
Portability — receive your data in a structured, machine-readable format.
Objection — object to processing based on legitimate interests.
Withdraw consent — unsubscribe from the newsletter or revoke any previously given consent at any time.

To exercise any of these rights, email foundersold@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

7. International Data Transfers

Our primary infrastructure is hosted in the EU (AWS eu-west-1 via Supabase). Some sub-processors (Stripe, Vercel CDN) may process data outside the EEA. When this occurs, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure adequate data protection.

8. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

9. Security

We implement industry-standard security measures including HTTPS encryption, rate limiting, Content Security Policy headers, HTTP-only session cookies, and audit logging of sensitive admin actions. For details, see our Security Policy.

No method of transmission over the internet is 100% secure. If you discover a security vulnerability, please report it responsibly to foundersold@gmail.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email at least 14 days before the changes take effect and update the effective date at the top of this page.

Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions or to exercise your rights:

Email: foundersold@gmail.com
Website: foundersold.com