Privacy Policy

Last updated: 5 June 2026.

Placeholder. Replace this page's content with the finalised Privacy Policy reviewed against UK GDPR before launch. The signup flow links here and the checkbox refers to this document.

1. What we collect

When you sign up we collect your name, email address, and (during onboarding) the course you study/studied, graduation year, optional bio, LinkedIn/GitHub/portfolio links, and the sectors and skills you select. When you post a listing we store its content and metadata.

2. How we use it

To verify your eligibility (current student domain check, alumni admin review), to show your profile in the member directory you opted into, to send transactional emails (verification, decisions, account notices, contact replies), and to operate features like the newest-members banner and filtering.

3. Lawful basis (UK GDPR)

Consent. You opt in when you sign up. You can withdraw consent at any time by deleting your account, which removes all of your profile data, posted opportunities, events, and VC/grant submissions from our systems.

4. Where it's stored and who processes it

Your data is hosted in UK/EU regions and does not leave UK/EU jurisdictions during normal operation. We use the following sub-processors:

  • Supabase (EU, London) — database, authentication, and file storage. Holds your profile and the content you post.
  • Vercel (EU, Frankfurt) — application hosting and serving.
  • Resend (EU) — sending transactional email; processes recipient address and message content in transit.
  • Cloudflare (EU) — DNS, inbound contact-email routing, edge protection, and the Turnstile anti-spam challenge on our forms. Processes request metadata (e.g. IP address) to block abuse.
  • Upstash (EU) — rate limiting. Stores only short-lived request counters keyed to your user ID or IP; no profile data.
  • Sentry (EU) — error monitoring. May capture technical diagnostics (e.g. URL, browser, user ID) when an error occurs; we do not send form contents.
  • PostHog (EU) — privacy-friendly, cookieless product analytics (which pages and features are used).

5. Who can see it

Your profile (name, course, grad year, bio, working_on, sectors, skills, links) is visible to other approved Foundry members in the directory. Your email address is not displayed unless you explicitly tick the "visible" box on a listing's contact email. Admins can see all profile data including emails for operational and review purposes.

6. Email

We use your email only for transactional purposes (sign-in, decisions, account/content notices, contact replies). We do not send marketing emails or share your address with third parties.

7. Retention and deletion

We hold your data while your account is active. Deleting your account (via /settings) removes your profile and the content you posted. Admins also have a graduate-cleanup tool that removes student accounts whose graduation year has passed, with a congratulations notice giving you the option to reapply as an alum.

8. Your rights

Under UK GDPR you have the right to access, correct, export, or delete your personal data. Use the profile editor at /profile to amend your data, or the Delete Account flow at /settings to remove it. For other rights requests, contact the team via /settings → Contact the team.

9. Cookies

We use one essential cookie for your sign-in session (managed by Supabase). Cloudflare Turnstile may set a temporary token to confirm you are not a bot when you submit a form. Our product analytics (PostHog) runs cookieless. We do not use tracking or marketing cookies.

10. Contact

Data protection contact: via /settings → Contact the team in the app.