Privacy Policy

Last Updated: May 15th, 2026

1. Introduction

   
   

This is the privacy policy for Found&, a place to save the things that inspire you. This policy explains what we collect, why, and what your rights are.

For privacy inquiries, contact us at help@foundand.app

2.  What we collect 

Account Information

Your email address and a username when you sign up. If you use Google or Apple Sign-In, we receive your name and email from them.

Authentication

We use Firebase Authentication (operated by Google) to manage sign-in. This means Google's authentication infrastructure issues and validates the tokens that keep you signed in. The active token itself is stored locally on your device, not in our application database. We don't store passwords; password handling is done by Firebase Auth or your chosen identity provider.

What You Save

When you save something to Found&, we keep a record of:

• The link to the original source

• The title of the page

• Your personal note or intention (if you add one)

• The thumbnail

• Public details from the source like the author, caption, or post date

Nothing gets saved unless you save it. 

Your Folders & Social Activity

• Folders you create and what's in them

• Collaborators you've invited and who's joined

• Accounts you follow

• Items you post to your feed

• Comments and reactions on shared content

Analytics

We use Firebase Analytics (Google) for aggregate product analytics — which features are used, which screens are popular, where people get stuck. This data is tied to a randomly generated installation ID, not your account. We don't use third-party advertising pixels or trackers.

Browser Extension

The extension keeps a few things on your device to make it work smoothly — your sign-in info, your last used collection, and your sharing preferences.

The extension only does something when you click to save — it's not watching you browse. We don't read tabs you aren't actively saving from.

3. What We Don't Collect

   
   

❌ Browsing history beyond the moment you click Save 

❌ Sensitive personal information including, but not limited to age, gender, racial or ethnic origin, health data, or biometric data

❌ Data to be sold or train AI

4. How We Use What We Collect 

   
   

We use your information to:

• Run Found& and keep your account working

• Save and display your content the way you organized it

• Power social features like shared collections, follows, and your public feed

• Send you important updates about your account or the Service

• Keep things secure and prevent abuse

That's it. We don't use your data for advertising, profiling, or training AI models.

5. How We Share Your Information

   
   

We don't sell your data and we don't share it for advertising. Here's where your data does go: 

The Tools That Power Found&

We use Firebase (by Google) for hosting, authentication, database, file storage, analytics. Bound by Google Cloud's data processing terms; certified under the EU-U.S. Data Privacy Framework. We use Google and Apple for sign-in if you choose those options.

Other Users (Only when you choose)

When you make a collection public, share one with collaborators, or post to your feed — that content becomes visible based on the settings you picked. You're always in control of what's public and what's private.

Two things to know:

• If you change visibility from public to private, content is hidden from public view immediately. But we can't undo any saves or screenshots others made while it was public.

• If you remove a collaborator from a collection, they lose access immediately. But anything they previously saved to their own collections remains in their account.

Public APIs (No personal data sent)

When you save something from YouTube, TikTok, Spotify, Twitter, or Instagram, we ask their public APIs for basic info about that link. The only data sent is the URL — nothing about you, your account, or your activity. Whatever cookies or tracking those platforms run on their own sites is between you and them. Please check the specific platform’s privacy policy. 

When the Law Requires It

We may share data when required by valid legal process. Our practices:

• We require proper legal process (warrant, subpoena, court order) — we don't volunteer data.

• We push back on requests that look overly broad or fishing.

• We notify you when we receive a request for your data, unless legally prohibited.

6. International Data Transfers

   
   

Found& is operated from Canada. Data is stored in Google Cloud data centers, primarily in the United States. When your data crosses borders, we rely on: 

• EU-U.S. Data Privacy Framework for EU/EEA to U.S. transfers (Google is DPF-certified) 

• UK International Data Transfer Addendum for UK transfers 

• Swiss-U.S. Data Privacy Framework for Swiss transfers

• Standard Contractual Clauses as a backup where the above doesn't apply 

7. How Long We Keep Your Data 

   
   

When you delete something, it is immediately removed from view. It is completely purged from our active servers and backups within 30 days. When you delete your account, we work to remove everything within 30 days.

You also have the right to request deletion at any time, and we will honor that request.

8. About the Browser Extension 

   
   

Our browser extension is designed with privacy as a priority.

What it does:

• Wakes up only when you click to save something

• Grabs the link, title, and image at that moment

• Keeps your sign-in info on your device so you stay logged in

What it doesn't do:

• Watch your browsing history

• Send your history anywhere

• Run in the background tracking you

• Show ads or modify pages

When you uninstall the extension, everything stored on your device is cleared. Anything you previously saved stays in your account until you delete it.

9. Your Rights

   
   

We follow some of the strictest privacy standards in the world — including the EU's General Data Protection Regulation (GDPR), California's Consumer Privacy Act (CCPA/CPRA), and Canada's PIPEDA — and we apply those same protections to every Found& user, no matter where you live.

This means you have the right to:

• Access what we have on you

• Correct anything that's wrong

• Delete your data

• Take it with you if you want to leave

• Tell us to stop processing your data

• Object to any processing you don't agree with

• Withdraw consent at any time

• Opt out of any data sharing or sale (we don't sell or share for advertising, but you can confirm this in writing ) 

• Not be subject to automated decisions that significantly affect you (we don't do this anyway) 

• Not be discriminated against for exercising any of these rights

To exercise any of these rights, email help@foundand.app

10. Children’s Privacy

    
    

Found& isn't built for children. You need to be at least 16 years old to use Found&.

We don't knowingly collect data from anyone under 16 years old. If you believe a child has signed up, email help@foundand.app and we'll delete the account. 

11. AI and Your Content

    
    

We do not use your saved content, notes, collections, or any of your data to train AI or machine learning models — ours or anyone else's. We do not pass your content to third-party AI services.

If we ever build features that involve AI processing of your content (for example, smarter search or auto-tagging), we will:

• Update this policy before launch

• Clearly explain what's processed, by whom, and where 

• Ensure no data is used for model training 

12. Where Your Data Lives

Found& runs on Firebase, which means your data may be stored on servers in the United States or other countries. We use industry-standard protections for these international transfers:

• Standard Contractual Clauses approved by EU regulators

• UK International Data Transfer Agreements where applicable

• Canada's adequacy status under EU privacy law

• Firebase's compliance with global privacy frameworks including the EU-U.S. Data Privacy Framework

If you ever want details about these safeguards, ask us at help@foundand.app

13. How We Keep Your Data Safe 

We protect your data with:

• Encryption: all stored data is encrypted using Google Cloud's default encryption 

• Authentication: managed by Firebase Auth and your identity provider — we never see your password 

• Access controls: only employees who need access have it, and access is logged 

• Local tokens: your active sign-in token stays on your device 

No system is fully secure. If a breach affects your data, we'll notify you and the relevant authorities without undue delay, and in any case within 72 hours of becoming aware, as required by GDPR and similar laws. 

14. Marketing Communications

We send a few kinds of email:

• Transactional: emails like verification, sign-in alerts from other devices, important policy updates, etc. You can't opt out of these while you have an account.

• Product updates: occasional notes about new features. Unsubscribe link in every one.

• Marketing: only if you opt in.

We don't share or sell your email address, ever.

15. Changes

    
    

If we update this policy, we'll let you know by updating the date at the top, posting a notice in the app, and/or emailing you for major changes. Minor changes (typo fixes, formatting) may be made without notice.

16. Contact

    
    

Email us at help@foundand.app for any questions, comments or inquiries about the privacy policy and your data. You can also contact us at [address]. We’re happy to answer! 

If we don't resolve a complaint to your satisfaction, you can contact your local data protection authority:

• EU/EEA: find yours at edpb.europa.eu/about-edpb/board/members_en

• UK: Information Commissioner's Office at ico.org.uk

• California: Attorney General at oag.ca.gov/privacy

• Canada: Office of the Privacy Commissioner at priv.gc.ca

That's it. We tried to make this honest and readable. If anything's unclear or we've missed something, tell us — we'll fix it.