Privacy Policy
Last updated: 2026-05-28
We handle personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario law.
1. Introduction
This Privacy Policy explains how Foundero Inc. (“Foundero”, “we”, “us”) collects, uses, discloses, and protects your personal information when you use foundero.ai and our incorporation services (the “Service”).
Foundero helps you incorporate a business in Ontario. We are a document-preparation and filing-assistance service. We are not a law firm and do not provide legal advice.
By using the Service, you consent to the practices described here.
2. What personal information we collect
Account information: name, email address, password (hashed), and authentication identifiers.
Incorporation information (you provide this to generate and file your corporate documents):
- Director / officer / shareholder full legal names
- Residential or service addresses
- Date(s) where required by the filing
- Share ownership and corporate structure details
- [ pending — if collected: Social Insurance Number (SIN) — only if required for CRA/tax registration ]
Payment information: processed by Stripe. We do not store your full card number; we receive only a token and limited transaction metadata.
Government-issued identifiers received on your behalf: after incorporation, the Ontario Business Registry issues a Company Key (a confidential 9-digit credential granting authority over your corporation). We handle this with heightened safeguards (see §7).
Usage / technical data: IP address, device/browser type, and pages visited, for security and service operation.
3. Why we collect it (purposes)
We use your personal information to: (a) create and secure your account; (b) generate your corporate documents; (c) submit filings to the Ontario Business Registry on your behalf under your authorization; (d) process payment; (e) send transactional notices about your incorporation; (f) provide support; (g) meet legal/record-keeping obligations. We do not sell your personal information.
4. Consent
We collect, use, and disclose personal information with your consent, which you give by providing the information and using the Service for the purposes above. You may withdraw consent (see §8), subject to legal/contractual limits — note that withdrawing consent mid-incorporation may make us unable to complete your filing.
5. Service providers (processors) we share data with
We use the following third-party processors to operate the Service. Each receives only the data needed for its function.
| Processor | Function | Data shared | Region / cross-border |
|---|---|---|---|
| Supabase | Database + authentication | Account + incorporation data | [ pending — region — Adam to confirm ] |
| Stripe | Payment processing | Name, email, payment token | United States (cross-border) |
| Vercel | Application hosting | Technical/usage data in transit | United States (cross-border) |
| Google (Gmail / Workspace) | Transactional + support email | Name, email | United States (cross-border) |
| Anthropic (Claude) | Automated checks on document/name data | Limited incorporation field data | United States (cross-border) |
| Ontario Business Registry (Ministry of Public and Business Service Delivery) | Government filing of your incorporation | Your filing data + Company Key | Canada (government) |
| [ pending — if used: CGI / Nuans API ] | Name search / reservation | Proposed company name | Canada |
Note: ServiceOntario / OBR is a government registry we file with, not a commercial processor — but it is listed for transparency because your data is transmitted there.
6. Cross-border disclosure
Some processors above store or process data in the United States. PIPEDA permits this but requires we tell you: while data is in another country, it may be accessible to that country's courts/law enforcement under their laws. We use processors that contractually commit to protecting your data. [ pending — transfer-mechanism wording — counsel to confirm ]
7. How we protect your information
We use encryption in transit (TLS) and at rest, access controls, and least-privilege practices.
Company Key — heightened handling: your Company Key is encrypted at rest, never sent in plain text by email, access-logged on every read, and [ pending — UX safeguards (view-once / masked / 2FA) — product decision ]. This is a confidential credential; treat it like a password.
8. Your rights (PIPEDA)
You may: (a) access the personal information we hold about you; (b) request correction of inaccurate data; (c) withdraw consent (subject to §4 limits); (d) request deletion of your data, subject to legal record-keeping requirements (e.g., we may need to retain certain incorporation/financial records for [ pending — X years — counsel to confirm ]). To exercise these, contact our Privacy Officer (§11). We respond within 30 days as required by PIPEDA.
9. Retention
We keep personal information only as long as needed for the purposes above or as required by law. [ pending — statutory retention periods for incorporation / financial records — counsel to confirm ] After that, we securely delete or anonymize it.
10. Cookies / analytics
[ pending — analytics & cookies disclosure — confirm whether any analytics are in use ]
11. Contact / complaints
Privacy Officer: adam@foundero.ai
Mailing address: [ pending — registered address — Adam to confirm ]
If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
12. Changes
We may update this policy. Material changes will be notified by email or in-app. The “last updated” date reflects the current version.