Privacy Policy

Last updated: February 22, 2026

1. Data Controller

Foldase Inc. ("we", "us") is the data controller for personal data processed through our Service. For data protection inquiries, contact our Data Protection Officer at privacy@foldase.com.

2. Data We Collect

  • Account data — name, email, profile image (managed by Clerk)
  • Workspace data — organization name, team members, roles
  • Usage data — page views, feature usage, search queries (PostHog, with consent)
  • Uploaded documents — SEC filings, press releases you upload (stored encrypted in Cloudflare R2)
  • User feedback — claim flags, preferences, watchlists
  • Payment data — processed by Stripe; we do not store credit card numbers
  • Technical data — IP address, browser type, device info (for security and debugging)

3. How We Use Your Data

  • Providing and improving the Service (document extraction, brief generation)
  • Quality improvement using aggregated, anonymized metrics
  • Analytics to understand feature usage (only with your consent)
  • Email communications (welcome, brief notifications, weekly digests)
  • Billing and subscription management

4. Legal Basis (GDPR Art. 6)

  • Contract — processing necessary to deliver the Service you signed up for
  • Legitimate interest — security, fraud prevention, service improvement
  • Consent — analytics cookies (PostHog), marketing emails

5. Data Sharing

We share data with the following processors, all under data processing agreements:

  • Clerk — authentication and user management
  • Stripe — payment processing
  • Mailgun — transactional email delivery
  • PostHog — product analytics (only with consent)
  • Sentry — error tracking and monitoring
  • Cloudflare (R2) — document storage (encrypted at rest)
  • OpenAI / Anthropic — document processing via enterprise API (data is NOT used for model training per enterprise terms)

We do not sell your personal data to third parties.

6. LLM Data Processing

Documents you upload are sent to OpenAI and/or Anthropic APIs for extraction. We use enterprise API tiers where provider terms explicitly state that input data is not used for model training. Document content is not stored by these providers beyond the API request lifecycle.

7. Data Retention

  • Account data — retained until account deletion + 30-day grace period
  • Uploaded documents — retained until you delete them
  • Analytics data — 12 months
  • Application logs — 90 days
  • Read notifications — 30 days

8. Your Rights (GDPR)

Under GDPR, you have the right to:

  • Access — export your data as a ZIP file (Settings → Account)
  • Rectification — update your profile information
  • Erasure — request account deletion with 30-day cooling period (Settings → Account)
  • Portability — download your data in JSON/CSV format
  • Objection — opt out of analytics via cookie preferences

9. CCPA (California Residents)

California residents have the right to know what personal information we collect, request deletion, and opt out of data sales. We do not sell personal data. To exercise your rights, contact privacy@foldase.com.

10. Cookies

We use necessary cookies for authentication (Clerk) and optional analytics cookies (PostHog). See our Cookie Policy for details.

11. International Transfers

Data is stored in the United States (Cloudflare R2, Render Oregon). For EU users, transfers are protected by Standard Contractual Clauses (SCCs). Enterprise customers may request EU data residency (Frankfurt region).

12. Children

The Service is not intended for users under 18 years of age. We do not knowingly collect data from minors.

13. Changes

We may update this policy with 30 days' email notice to registered users.

14. Contact

privacy@foldase.com