GDPR & Data Usage
Last updated: 14.05.2026
1. Our commitment
FOUNDR complies with the EU General Data Protection Regulation (GDPR, EU 2016/679) and the Estonian Personal Data Protection Act. Your data belongs to you - our role is to safeguard it.
2. Lawful basis for processing
Our lawful bases include: performance of a contract (Art 6(1)(b)); compliance with legal obligations including KYC/AML (Art 6(1)(c)); legitimate interest (Art 6(1)(f)); and your consent (Art 6(1)(a)) for marketing and cookie preferences.
3. Data subject rights
You have the right to access, rectify, erase ("right to be forgotten"), restrict, object to, and port your data, as well as to withdraw consent at any time. We respond to legitimate requests within 30 days.
4. Retention periods
Accounting records: 7 years. AML records: 5 years after the client relationship ends. Marketing data: until consent is withdrawn. Website analytics: up to 14 months.
5. Sub-processors
We rely on trusted providers (cloud hosting, email, accounting, payment processing) bound by GDPR and Data Processing Agreements. The full list is available upon request at contact@foundr.ee.
6. Transfers outside the EU
Where data is transferred outside the European Economic Area, we apply the European Commission's Standard Contractual Clauses (SCCs) and supplementary safeguards.
7. Data breaches
We report data breaches that are likely to affect data subject rights to the Estonian Data Protection Inspectorate within 72 hours and notify affected individuals where required.
8. How we use data
We use data to deliver our services, prepare documents, communicate with you, comply with legal obligations, and improve our service. We never sell your data to third parties.
9. Contact
For data protection matters, contact us at contact@foundr.ee. Supervisory authority: Estonian Data Protection Inspectorate, www.aki.ee.