Privacy Policy

Effective Date: April 24, 2026

1. Introduction

PolicyFoundry.ai ("we," "us," or "our") respects your privacy and is committed to protecting the personal and business information you share with us. This Privacy Policy explains how we collect, use, share, and safeguard information when you visit our website, purchase our services, or interact with our products.

This Privacy Policy applies to all current and future PolicyFoundry products and services, including Guardian, Regulation Watch, and additional modules (Compass, Shield, Trust, Vault, SOC 2 Suite) as they are released.

2. Information We Collect

a. Information You Provide Directly

When you visit our Site, purchase services, or submit forms, we may collect:

  • Name

  • Email address

  • Company name and business address

  • Phone number (if provided)

  • Payment information (processed by Stripe; see Section 5)

  • Responses to our structured intake questionnaire

  • Communications with us (email, support requests, feedback)

b. Intake Questionnaire Data

As part of purchasing Guardian and certain future modules, you provide responses to a structured questionnaire that may include:

  • Descriptions of your organization's AI use cases and systems

  • Information about your regulatory exposure and compliance posture

  • Details about your internal governance, vendors, and data handling practices

  • Organizational structure and operating environment

This information is used solely to author your customized policy document and is treated as confidential business information.

c. Information Collected Automatically

When you use the Site, we may automatically collect:

  • Browser type and version

  • Device type and operating system

  • IP address (partial or generalized)

  • Pages visited and time spent on pages

  • Referring URLs

  • Date and time of visits

This information is collected through cookies and similar technologies. See our Cookie Policy for details.

3. How We Use Information

We use the information we collect to:

  • Provide, deliver, and improve our services and products

  • Draft, review, and deliver your purchased policy documents

  • Process payments and send transactional communications (order confirmations, delivery notifications, receipts)

  • Provide customer support and respond to inquiries

  • Send optional communications, including newsletters such as the AI Governance Digest, if you have opted in

  • Monitor and improve Site functionality, performance, and security

  • Comply with legal obligations and enforce our Terms of Service

  • Conduct quality assurance and improve our methodology (using anonymized or aggregated data where possible)

4. AI Processing Disclosure

To produce policy deliverables, PolicyFoundry uses artificial intelligence services, including Anthropic's Claude API, as part of our drafting workflow. Your intake responses may be transmitted to Anthropic for processing under Anthropic's commercial API terms, which prohibit use of API inputs for training Anthropic's models. All AI-drafted content is reviewed and revised by a credentialed human practitioner before delivery.

You may review Anthropic's data handling practices at https://www.anthropic.com/privacy and https://www.anthropic.com/legal/commercial-terms.

5. Third-Party Service Providers

We share information with trusted third-party service providers only to the extent necessary to operate our business:

  • Stripe — Payment processing

  • Anthropic — AI-assisted drafting (as described in Section 4)

  • Google (Google Forms, Google Workspace) — Intake questionnaire collection and email infrastructure

  • Zoho Mail — Transactional email delivery (hello@policyfoundry.ai)

  • Beehiiv — Newsletter delivery (AI Governance Digest)

  • Framer — Website hosting

  • Analytics providers we may engage for Site performance monitoring

Each of these providers is subject to their own privacy policies and data handling practices. We select providers whose practices we believe are consistent with protecting your information.

6. Data Sharing

We do not sell personal information. We share information only in the following circumstances:

  • With service providers as described in Section 5

  • When required by law, regulation, legal process, or governmental request

  • To protect our rights, property, or safety, or the rights, property, or safety of others

  • In connection with a merger, acquisition, or sale of assets (subject to confidentiality)

  • With your explicit consent

7. Data Retention

  • Intake questionnaire responses: Retained for ninety (90) days after policy delivery for quality assurance and customer support purposes, after which they are deleted from our systems.

  • Delivered policy documents: Retained by PolicyFoundry for three (3) years after delivery for audit trail, integrity verification, and legal compliance purposes. A redacted reference copy (with customer-identifying information removed) may be retained indefinitely for internal quality assurance.

  • Payment and transaction records: Retained for the period required by tax and accounting regulations, typically seven (7) years.

  • Communications: Retained for three (3) years from the date of the communication or as required for ongoing customer support.

  • Newsletter subscribers: Retained until you unsubscribe or request deletion.

  • Website analytics data: Retained for twenty-six (26) months in aggregated form.

You may request earlier deletion of your information, subject to legal, contractual, and operational retention requirements.

8. Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect your information, including encrypted transmission, secure storage, access controls, and vendor due diligence. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you

  • Correction: Request correction of inaccurate or incomplete information

  • Deletion: Request deletion of your personal information, subject to legal and contractual retention requirements

  • Restriction: Request that we limit how we use your information

  • Portability: Request a copy of your information in a structured, machine-readable format

  • Objection: Object to certain processing of your information

  • Withdraw Consent: Where we rely on your consent, you may withdraw it at any time

To exercise any of these rights, email hello@policyfoundry.ai. We will respond within thirty (30) days.

10. GDPR (European Union Data Subjects)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the processing of your personal information is subject to the General Data Protection Regulation (GDPR) and related laws. PolicyFoundry processes your information on the following legal bases: performance of a contract (to deliver purchased services), legitimate interests (to operate and improve our business), compliance with legal obligations, and consent (where applicable).

You have the right to lodge a complaint with a supervisory authority in your jurisdiction.

11. CCPA and US State Privacy Rights (California and Other US Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, the right to opt out of the sale of personal information (note: we do not sell personal information), and the right to non-discrimination for exercising these rights.

Similar rights may apply to residents of Colorado, Connecticut, Virginia, Utah, and other states with applicable privacy laws.

To exercise these rights, email hello@policyfoundry.ai.

12. International Data Transfers

PolicyFoundry is based in the United States. If you access our services from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction. By using our services, you consent to this transfer.

13. Third-Party Links

Our Site may contain links to third-party websites. We are not responsible for the privacy practices of third-party websites. We encourage you to review the privacy policies of any third-party sites you visit.

14. Children's Privacy

Our services are not directed to individuals under the age of eighteen (18), and we do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us at hello@policyfoundry.ai and we will delete it.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Site or by email to registered customers. The "Effective Date" at the top of this Privacy Policy indicates when it was last updated.

16. Contact

Questions, concerns, or requests regarding this Privacy Policy or your personal information should be directed to:

hello@policyfoundry.ai

PolicyFoundry · Charlotte, NC, USA