Privacy Policy

FounderSkies (“we”, “us”, “our”) is an AI-powered LinkedIn content and distribution platform for founders, operated by Alacrio Tech LLP. We are incorporated in India and act as the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Data Controller under the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA).

Contact: privacy@founderskies.com

Grievance Officer (DPDP): Ankush Chauhan, privacy@founderskies.com — Acknowledgement within 48 hours, resolution within 30 days.

• Account data: email address and encrypted password at signup.
• Profile data: display name, handle, one-liner bio, niche, mode (audience/pipeline), and profile CTA text/URL.
• Knowledge Base: your answers to 5 onboarding questions about your expertise, customers, and beliefs. This data directly trains your AI voice.
• LinkedIn data: OAuth access token, LinkedIn member ID, and profile picture URL when you connect LinkedIn. We never store your LinkedIn password.
• Content data: post drafts, ideas generated, and published posts.
• Usage data: count of AI generations per month to enforce plan limits.
• Technical data: IP address, browser type, and server access logs collected automatically. These are deleted within 30 days.

We do not collect sensitive personal data (health, biometric, financial, or special-category data under GDPR Art. 9).

For users in the EEA, we process personal data on the following legal bases:

• Contract (Art. 6(1)(b)): processing your account data, profile data, and content data is necessary to provide the FounderSkies service you signed up for.
• Consent (Art. 6(1)(a)): connecting LinkedIn, adding your Knowledge Base, and enabling the attribution footer. You may withdraw consent at any time via Settings or by emailing us.
• Legitimate interests (Art. 6(1)(f)): server logs and usage analytics to maintain security and improve the platform, where these interests are not overridden by your rights.
• Legal obligation (Art. 6(1)(c)): retaining certain records where required by applicable law.

We process your personal data only for the following specific, lawful purposes:

• Creating and managing your account.
• Generating AI content ideas and post drafts using your Knowledge Base.
• Publishing posts to LinkedIn on your behalf via the OAuth token you grant.
• Displaying your public profile page at founderskies.com/yourhandle.
• Enforcing usage limits for your subscription plan.
• Sending transactional emails (account confirmation, password reset). No marketing emails without explicit opt-in.
• Maintaining platform security, preventing fraud, and complying with legal obligations.

We will not use your data for any purpose beyond those listed above without obtaining fresh consent.

We share data with the following sub-processors to operate the service. Each is subject to a Data Processing Agreement:

We do not sell, rent, or trade your personal data to any third party.

Our sub-processors are based in the United States. When we transfer personal data from the EEA or India to the USA, we ensure adequate safeguards are in place:

• EEA transfers: we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) with each sub-processor. Copies are available on request.
• India transfers (DPDP Section 16): cross-border transfers are made to countries notified by the Central Government as permissible, or under contractual safeguards equivalent to those mandated by the DPDP Act. We will comply with any future Central Government restrictions on cross-border transfers.

• Account and profile data: retained for the duration of your account. Deleted within 30 days of account deletion.
• Knowledge Base: retained for the duration of your account. Deleted immediately upon account deletion.
• Posts: retained for the duration of your account. Deleted within 30 days of account deletion.
• LinkedIn tokens: deleted immediately when you disconnect LinkedIn or delete your account.
• Usage events: retained for 13 months (12-month rolling window for limit calculation, plus 1 month buffer). Deleted upon account deletion.
• Server logs: retained for 30 days, then automatically purged.
• Legal holds: where we are required by law to retain data beyond these periods, we will retain only the minimum necessary and isolate it from active processing.

You have the following rights under both GDPR and the DPDP Act. To exercise any of them, email privacy@founderskies.com. We will respond within 30 days (GDPR Art. 12) or as required by DPDP.

FounderSkies is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us at privacy@founderskies.com and we will delete it promptly.

Under the DPDP Act, we do not process personal data of children (under 18) and will implement age-verification mechanisms as required by the Central Government's rules.

We use only essential session cookies required for authentication (Supabase session management). These cookies are strictly necessary for the service to function and do not require consent under GDPR Recital 47 or ePrivacy Directive Article 5(3).

We do not use tracking cookies, advertising cookies, analytics cookies, or any third-party cookies. No cookie data is shared with advertisers or data brokers.

• All data is transmitted over HTTPS/TLS 1.2+.
• Passwords are hashed using bcrypt and never stored in plain text.
• LinkedIn tokens are stored encrypted at rest in Supabase with row-level security (RLS) ensuring users can only access their own data.
• Access to production systems is restricted to authorised personnel only, with MFA enforced.
• We perform regular dependency audits and security reviews.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

• GDPR (Art. 33/34): we will notify the relevant supervisory authority within 72 hours of becoming aware. We will notify affected individuals without undue delay if the breach is likely to result in a high risk.
• DPDP Act: we will notify the Data Protection Board of India and affected Data Principals in the manner and within the timeframe prescribed by the Central Government.

To report a suspected breach or security vulnerability, contact security@founderskies.com.

We do not make any automated decisions that produce legal or similarly significant effects about you (GDPR Art. 22). AI-generated content is a tool for your use — you review and approve every post before it is published.

We may update this policy as our service evolves or legal requirements change. For material changes, we will notify you by email or a prominent in-app notice at least 14 days before the change takes effect. The “Last updated” date at the top will always reflect the current version. Continued use of the service after the effective date constitutes acceptance.