1. Introduction
The Founders' Exit Limited ("we", "us", "our") is committed to protecting the privacy of everyone who interacts with our website (thefoundersexit.com), our platform (app.thefoundersexit.com), and our related services. This Privacy Policy explains how we collect, use, store, share, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The Founders' Exit Limited is a company registered in England and Wales (company number 16941575), with its registered office at Chargrove House, Shurdington Road, Cheltenham, Gloucestershire, England, GL51 4GA. We are the Data Controller for the personal data described in this policy.
2. What data we collect
2.1 Data you provide directly
- Account registration data: Name, email address, business name, job title, telephone number
- Business profile data: Company information including sector, revenue, EBITDA, employee count, ownership structure, and exit timeline
- Uploaded documents: Financial statements, contracts, organisational charts, and other business documents uploaded to the Exit Documents module
- Payment data: Billing address and payment card details (processed and stored by Stripe; we do not store full card numbers)
- Contact form submissions: Name and email address submitted via the website contact form
2.2 Data we collect automatically
- Usage data: Pages visited, features used, modules completed, session duration, and interaction patterns (collected via Google Analytics and Hotjar)
- Device and browser data: IP address, browser type, operating system, screen resolution, and device type
- Cookie data: As described in our Cookie Policy
- AI interaction data: Queries submitted to the Platform's AI systems and the responses generated, collected for quality monitoring and improvement via Langfuse
2.3 Data we receive from third parties
We may receive data from Stripe regarding payment status and billing events. We do not purchase data from data brokers or receive personal data from any other third-party source.
3. How we use your data
We process your personal data for the following purposes:
- Delivering the Platform: Creating and managing your account, processing your subscription, and providing access to all Platform features — lawful basis: contract
- AI-powered analysis: Analysing uploaded documents and generating exit readiness outputs, valuations, and advisory reports — lawful basis: contract
- Platform improvement: Understanding how the Platform is used in order to improve functionality and user experience — lawful basis: legitimate interests
- Communications: Responding to support queries, sending service updates, and (where you have opted in) sending marketing communications — lawful basis: contract / legitimate interests / consent
- Security and fraud prevention: Protecting the Platform and its users from unauthorised access, abuse, and fraud — lawful basis: legitimate interests / legal obligation
- Legal compliance: Meeting our obligations under applicable law, including HMRC record-keeping requirements — lawful basis: legal obligation
4. How we share your data
We do not sell your personal data to any third party. We share data only with the third-party Sub-Processors listed in Schedule 1 of our Platform Terms & Conditions, solely for the purpose of delivering the Platform services. All Sub-Processors are bound by data processing agreements that impose obligations consistent with UK GDPR.
We may also share personal data where required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of the Company, its users, or the public.
5. International data transfers
Some of our Sub-Processors process data outside the UK, including in the United States. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the ICO
- The recipient's participation in recognised data protection frameworks
- The Company's own assessment that the transfer provides an adequate level of protection
A full list of Sub-Processors and their data processing locations is maintained in Schedule 1 of the Platform Terms & Conditions and is available on request.
6. Data retention
We retain different categories of data for different periods, based on the nature of the data and our legal obligations:
- Account and platform data: Retained for the duration of your subscription and for 90 days following account closure, during which you may export your data
- Uploaded business documents: Retained for the duration of your subscription and deleted within 30 days of account closure, unless you request earlier deletion
- Financial and billing records: Retained for 6 years in accordance with HMRC requirements
- Communications and support records: Retained for 3 years following last contact
- Analytics data: Retained in accordance with the retention settings of each analytics provider (typically 14 months for GA4)
7. Your rights
Under UK GDPR, you have the following rights in respect of your personal data:
- Right of access: You can request a copy of the personal data we hold about you.
- Right to rectification: You can ask us to correct inaccurate or incomplete data.
- Right to erasure: You can ask us to delete your personal data, subject to our retention obligations.
- Right to restrict processing: You can ask us to restrict how we process your data in certain circumstances.
- Right to data portability: You can request your data in a structured, commonly used, machine-readable format.
- Right to object: You can object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent: Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us. We will respond within 30 days. If we need to verify your identity before processing a request, we will let you know.
If you are unsatisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
8. AI processing and third-party models
A core function of the Platform is to analyse business documents and data using artificial intelligence. This section explains how that processing works and which third-party AI providers are involved.
What data is processed by AI systems
When you upload documents to the Platform or submit queries to the Platform's AI advisory features, the contents of those documents and queries are transmitted to third-party AI model providers for processing. This may include business financial data, contractual information, organisational data, and other commercially sensitive information. We do not transmit personal data to AI providers unless it is contained within a document you have chosen to upload.
Third-party AI providers
We use third-party AI model providers. Each is subject to a data processing agreement and listed as a Sub-Processor in Schedule 1 of our Platform Terms & Conditions.
Our AI providers are contractually prohibited from using your data to train their models. Data transmitted for AI processing is used solely to generate the specific output requested and is not retained by the AI provider beyond the duration of the API call, subject to each provider's data handling terms.
Automated decision-making
All AI-generated outputs are advisory and indicative in nature. They do not constitute automated individual decision-making within the meaning of Article 22 UK GDPR, as no decision producing legal or similarly significant effects is made solely by automated means. You retain full control over how you use any outputs generated by the Platform.
9. Data security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These measures include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
- Role-based access controls with the principle of least privilege
- Regular security reviews of infrastructure and Sub-Processors
- Incident detection and response procedures
- Secure credential management and multi-factor authentication for administrative access
No system is entirely secure. While we take reasonable precautions, we cannot guarantee absolute security. If a data breach occurs that poses a risk to your rights, we will notify you and the ICO in accordance with our legal obligations.
10. Third-party links
The website and Platform may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to review their privacy policies before providing any personal data.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified via email or an in-platform notification at least 30 days before they take effect. The "Last updated" date at the top of the policy will be revised accordingly.
12. Contact
13. Glossary
- Contract: Processing is necessary to deliver the service you have signed up for, or to take steps at your request before entering into a contract.
- Legitimate interests: Processing is necessary for our genuine business purposes, and those purposes are not overridden by your rights and interests. We carry out a balancing assessment before relying on this basis.
- Legal obligation: Processing is required to comply with a law or regulation that applies to us, such as HMRC requirements or a court order.
- Consent: You have given us clear, specific, informed, and freely given agreement to the processing. You can withdraw consent at any time, though this will not affect processing already carried out.
- Data Controller: The organisation that determines why and how personal data is processed. The Founders Exit™ Limited is the Data Controller for all processing described in this policy.
- Data Processor: An organisation that processes personal data on our behalf and under our instruction. Our Sub-Processors (listed in Schedule 1 of the Platform Terms & Conditions) are Data Processors.
- Personal data: Any information that identifies or could identify a living individual, directly or indirectly. This includes names, email addresses, IP addresses, and similar identifiers.
- UK GDPR: The UK General Data Protection Regulation, as retained in UK law following the UK's departure from the European Union. Alongside the Data Protection Act 2018, this is the primary legislation governing how we handle personal data.