Privacy Policy — Founder Kit

1. What we collect

We collect your name, email address, and password (hashed with PBKDF2 — never stored in plain text) when you create an account. When you use the Grant Automator, we store your organization profile fields (company name, focus area, geography, etc.) to score grants and generate pitches. We do not store payment card numbers — Stripe handles all payment processing.

2. How we use your data

To provide the services: grant matching, pitch generation, formation documents, and federal registration guidance.
To send transactional emails (welcome, password reset, pitch delivery) via Resend.
To track monthly usage (searches and pitch generations) and enforce plan limits.
To process payments and manage subscriptions via Stripe.

3. Third-party services

Stripe — payment processing. Subject to Stripe's privacy policy.
Resend — transactional email delivery.
Exa — live web search for grant discovery. Your organization profile is sent to Exa to perform searches.
OpenRouter / Google Gemini — AI grant scoring and pitch generation. Your profile is sent to these services.
Neon — hosted PostgreSQL database (AWS Frankfurt region).
Vercel — hosting and deployment.

4. Data retention

We retain your account data for as long as your account exists. You may request deletion by emailing hello@myfounderkit.com. Usage event records are retained for 13 months to enforce monthly limits. Password reset tokens expire after 1 hour and are deleted on use.

5. Cookies

We set a single httpOnly session cookie (app_session) after login. It expires when you log out. We do not use advertising or tracking cookies.

6. AI-generated content

Grant pitches, formation documents, and registration checklists are generated by AI and may contain errors. They are not legal advice. Always verify with a licensed attorney before filing or submitting to funders.

7. Contact

Questions or deletion requests: hello@myfounderkit.com