The short version
FounderOS is a private operating environment for founders running one or more ventures. The whole product is designed around the idea that your data is yours. We will not sell it, we will not rent it, and we will not train shared AI models on your private content.
The five things worth knowing before reading the rest:
- We collect what we need to run your workspace and nothing else: account info, the ventures you create, the integrations you connect, and the conversations you have with Donna, our AI Chief of Staff.
- We do not train shared models on your data. OpenAI, our model provider, also does not train on data sent via the Responses API we use. This is contractually enforced.
- Integrations (Gmail, Calendar, Slack, Linear, Jira, Notion, Airtable, Microsoft Graph) are read-scoped by default. Writes require your explicit approval per action.
- The Founders' Clubhouse uses a stricter privacy model. Nothing in your private workspace is ever visible to other members unless you explicitly post it.
- You can export everything and delete everything at any time, from inside the app, without writing to support.
The rest of this document is the long version, plain-language, with no legal trickery. If anything reads as ambiguous, write to us and we will fix it.
Who we are
FounderOS is a product of Clive AI, Inc. ("FounderOS," "we," "us," or "our"). When this policy refers to "the Service," we mean the FounderOS website at founderos.com, the FounderOS web application, the FounderOS mobile applications for iOS and Android, the FounderOS API, and any related features including the Situation Room, Venture Control, Donna, the Weekly Review, the Founders' Clubhouse, and Mastermind Circles.
For the purposes of the EU GDPR and the UK GDPR, Clive AI, Inc. is the data controller of personal data processed about you as an end user of FounderOS. When you use FounderOS to operate your own businesses, you are the controller of the personal data of your customers, employees, and contacts that you enter or import into FounderOS, and we are the processor on your behalf — governed by our Data Processing Addendum (DPA), available on request.
Scope of this policy
This policy covers personal data we process about you when you:
- visit any page on founderos.com;
- create or use a FounderOS workspace on web or mobile;
- connect a third-party integration to FounderOS;
- chat with Donna or use any AI feature in the product;
- participate in the Founders' Clubhouse, Rooms, Circles, Office Hours, co-working rooms, or Roundtables;
- email us, fill in a form, talk to support, or interact with us on social channels.
It does not cover the privacy practices of the third-party tools you choose to connect (Slack, Google, Linear, Atlassian, Notion, Airtable, Microsoft, etc.). Those services have their own policies.
Data we collect
We collect three categories of data, in roughly this order of sensitivity.
1. Account & identity data
- Name, email address, profile photo, time zone, and the password hash if you sign in with email; or the OAuth subject identifier if you sign in with Google or Apple.
- Workspace metadata: workspace name, your role (Owner / Executive / Operator / Engineer / Viewer / Service), and the team members you invite.
- Billing data: plan, subscription status, billing email, and the last four digits of the card. Full card numbers are handled by Stripe and Paystack, our PCI-compliant payment processors. We never see them.
2. Workspace content
Everything you put inside FounderOS to run your ventures. This is the most sensitive category and we treat it accordingly.
- Ventures you create, with stage, health, priority, owner, objective, blockers, milestones, last-reviewed timestamps, and workstreams (Product / Sales / Ops / Finance / Legal / Team).
- Initiatives, tasks, "waiting on" items, decisions, notes, voice memos, and files you upload.
- Briefings (daily Situation Room and Weekly Review), including the redactions and edits you make.
- Donna conversations: the messages you send to Donna and Donna's replies, plus the structured action requests Donna proposes (with rationale, risk level, and your approve/reject decision).
- Audit log entries we write for every state change: actor, source, before, after, timestamp, correlation ID, and approval ID.
3. Integration data
When you connect an integration via OAuth, we receive an access token and a refresh token from the provider, scoped to the permissions you grant on the consent screen. Refresh tokens are held in a dedicated secrets manager; access tokens are encrypted before they are written to our database. We use those tokens to read provider data and, where you authorize it, to write back.
The kinds of data each connector reads, by default:
- Google Calendar — events on the calendars you select, including title, attendees, location, time, and description, so meetings can auto-attach to ventures and Donna can draft pre-reads and post-meeting summaries.
- Gmail — message metadata and bodies for threads relevant to a venture (sender, recipients, subject, date, snippet, and full body when you open it). We never send mail without your explicit approval.
- Slack — channels and threads you choose to link to a venture. We can post weekly summaries into channels you select; we never DM your team without your action.
- Linear / Jira — issues, projects, statuses, and assignees so engineering work links to initiatives. Status changes flow back automatically once you authorize the scope.
- Notion / Airtable — databases and pages you select; indexed for retrieval, not bulk-copied into our systems.
- Microsoft Graph — Outlook calendar and mail for Microsoft-first founders, with the same defaults as the Google connectors.
Webhook payloads from these providers are normalized into internal events. We store the canonical state we need to recompute briefings and venture pages — not the raw provider payloads in perpetuity.
4. Device & usage data
- Browser type, operating system, device model (mobile), language, IP address, and approximate region (derived from IP).
- Page views, feature usage, performance metrics, and crash logs. We use first-party analytics where possible; we do not sell this data and we do not run third-party advertising pixels.
- For the mobile app, an Expo push token (only if you opt into notifications) so we can deliver venture-scoped pings and due-tomorrow digests.
5. Sensitive categories we deliberately do not collect
We do not ask for and do not knowingly collect government IDs, health data, biometric data, precise location, children's data, or financial account credentials. If a third-party integration you connect would include such data in its payload, we recommend turning that integration off.
How we use your data
We use your data only for the purposes listed here. Each purpose is paired with the legal basis we rely on under GDPR / UK GDPR.
To provide the Service (Contract)
- Create your workspace, render your Situation Room, run your Weekly Review, and keep your venture pages in sync with the integrations you connected.
- Operate Donna: read your portfolio context, propose actions, execute approved actions, and remember decisions across sessions.
- Send transactional emails and push notifications you have opted into (briefings, due reminders, Circle digests, billing receipts, security alerts).
- Process payments and manage your subscription.
To keep the Service safe (Legitimate interest)
- Detect abuse, fraud, and unauthorized access; rate-limit traffic; and enforce our Terms of Service.
- Maintain a tamper-evident audit log of state-changing actions so you can investigate anything that looks wrong.
To improve the Service (Legitimate interest)
- Aggregate, de-identified analytics on which features are used, where users get stuck, and how briefings perform. We never use your raw workspace content for product analytics.
- Internal model evaluation on synthetic and explicitly opted-in data only. Your private workspace content is never used to train shared models.
To communicate with you (Consent or Legitimate interest)
- Reply to support requests, schedule onboarding calls, and send product updates you've subscribed to. You can unsubscribe from non-transactional emails at any time.
To comply with the law (Legal obligation)
- Respond to lawful requests from authorities, retain records for tax and accounting, and meet our regulatory obligations.
Donna, AI features, and model providers
Donna is an AI operator with a strict job description. This section explains, with no hand-waving, exactly what happens when you use any AI feature in FounderOS.
What gets sent to model providers
When you talk to Donna or trigger a feature like "draft a follow-up," "summarize this thread," or "generate this week's briefing," we send a context window to our model provider containing:
- the message or instruction you wrote;
- the relevant subset of your workspace state Donna needs to answer it (e.g. the venture's current objective, blockers, recent notes, and linked integration items);
- a system prompt and a typed list of tools Donna is allowed to call (e.g. os.update_venture_status, comms.draft_email).
Who the providers are
- OpenAI — primary model provider, accessed via the OpenAI Responses API. Under our zero-retention agreement with OpenAI, your prompts and completions are not retained beyond the request and are not used to train OpenAI models.
- Specific narrow features may use other vendors (e.g. transcription for voice notes, search). These are listed in our subprocessor index, available on request.
What we do not do
- We do not train shared or third-party AI models on your private workspace content.
- We do not allow Donna to take consequential actions without your explicit approval. Every state-changing action is categorized as low-risk (auto-execute, logged) or requires-approval (proposed, awaits your tap).
- We do not give Donna a "do anything" superpower. Donna can only call functions that are pre-defined as typed contracts. Anything outside that list is not possible, by construction.
Memory
Donna's memory is your conversation history, your decisions, and the things you've explicitly told her to remember. It lives in your workspace database. You can review, redact, and erase any item from Donna's memory at any time from Settings → Donna → Memory.
Opt-outs
You can disable AI features per workspace in Settings → Donna → Mode. You can also restrict Donna to Advise mode (read-only) or Propose mode (drafts only, never executes), so no action is taken without your tap.
Founders' Clubhouse: a stricter privacy model
The Clubhouse is a private, vetted social layer next to your Situation Room. Because it sits beside your private operating data, we apply a stricter privacy model to it than we do to the rest of the product.
Hard separation
Your private FounderOS workspace is never visible to other members. Anything that leaves your workspace and enters the Clubhouse is either:
- explicitly written by you and posted by you, or
- drafted by Donna from your data and approved by you, with the redactions you choose, before it is posted.
There is no implicit data flow from the private OS to the social layer. Ever.
Membership and visibility
- Membership is by invitation or vouch. We verify identity at a level proportionate to the room. We may reject or remove members who violate the Code of Conduct.
- Posts are visible to the audience you choose (a Room, a Circle, the whole club, or specific members). We log every audience change.
- Mastermind Circles use end-to-end audience controls. The weekly Circle Briefing draws on each member's redacted-and-permissioned data only — never on raw private workspace content.
DMs and small groups
Direct messages and small private group threads are visible only to the participants. Donna can be opted into a thread to help draft, summarize, or remember — but only with the explicit consent of all participants, and never silently.
Live moments
Office Hours, co-working rooms, and Roundtables are governed by the same identity, Circles, and audience controls as the rest of the Clubhouse. Recording is off by default and requires consent from every participant.
International transfers
FounderOS operates from the United States with infrastructure in the US, the EU, and the UK. When data is transferred from the EEA, the UK, or Switzerland to a country that has not been deemed adequate by the European Commission, we rely on:
- the European Commission's Standard Contractual Clauses (Module 2 or 3, as appropriate), supplemented by transfer risk assessments where required;
- the UK International Data Transfer Addendum where the transfer is from the United Kingdom; and
- additional safeguards including encryption in transit (TLS 1.2+), encryption at rest, and least-privilege access controls.
You can request a copy of the relevant transfer mechanism by writing to hi@cliveai.com.
How long we keep your data
We keep personal data only as long as we need it for the purposes described in this policy.
| Data | Retention |
|---|---|
| Workspace content (ventures, notes, tasks, briefings) | While your workspace is active. Deleted within 30 days of workspace deletion. |
| Donna conversations and memory | While your workspace is active. Erased on workspace deletion or earlier on request. |
| Audit log | 13 months from the event, then archived in cold storage for up to 7 years for legal and security forensics. |
| Integration tokens | Until you disconnect the integration, then revoked at the provider and deleted from our vault. |
| Backups | Up to 35 days, encrypted at rest, automatically rotated. |
| Billing records | 7 years (tax and accounting requirements). |
| Marketing email lists | Until you unsubscribe; suppression list kept indefinitely. |
When you delete your workspace, we mark it as scheduled for deletion immediately and irrevocably wipe it within 30 days, including from primary storage and any active replicas. Encrypted backups age out within 35 days of the deletion.
Your rights and how to exercise them
Depending on where you live, you have some or all of the following rights over your personal data. We honor all of them for every user, regardless of jurisdiction.
- Access — get a copy of the personal data we hold about you.
- Portability — export your workspace content in a structured, machine-readable format. From the app: Settings → Data → Export workspace.
- Rectification — correct inaccurate data, either inline in the product or by writing to us.
- Erasure — delete your account and your workspace. Settings → Data → Delete workspace.
- Restriction — pause specific processing (for example, switching Donna to Advise-only or disabling AI features entirely).
- Objection — object to processing based on our legitimate interests; we will weigh and respond.
- Withdraw consent — for processing based on consent (e.g. marketing email), withdraw at any time without affecting prior lawful processing.
- Lodge a complaint — with your local supervisory authority. We'd appreciate the chance to fix it first by writing to hi@cliveai.com.
California residents have additional rights under the CCPA/CPRA, including the right to know what categories of personal information we collect, the right to opt out of "sharing" for cross-context behavioral advertising (we do not do this), and the right not to be discriminated against for exercising any of these rights.
How we protect your data
We treat security as a feature, not a checkbox. The full architecture lives at /security. Highlights:
- Encryption in transit via TLS 1.2+ on every endpoint, with HSTS pre-loaded.
- Encryption at rest via AES-256 on the database, on object storage, and on backups.
- Token vaulting — sensitive integration tokens are encrypted in the application before being written to MongoDB; refresh tokens live in a dedicated secrets manager.
- Least-privilege access — engineers can only access production with hardware-backed MFA, time-bound elevated roles, and a logged justification.
- Audit logging — every state change is written to a tamper-evident log with actor, source, before, after, timestamp, correlation ID, and approval ID.
- Continuous testing — automated dependency scanning, regular third-party penetration tests, and a responsible disclosure program.
If we ever discover a breach affecting your data, we will notify you without undue delay and, where required, within 72 hours.
Children
FounderOS is not directed at children and is not intended for users under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, write to hi@cliveai.com and we will delete it.
Changes to this policy
We will update this policy from time to time. When we make material changes, we will notify you in-product and by email to the address on file at least 30 days before the change takes effect. The "Last updated" date at the top of this page always reflects the current version. Older versions are archived and available on request.
Contacting us
For any privacy question, request, or complaint:
- Email: hi@cliveai.com
- Mail: Clive AI, Inc., Attn: Privacy, 2261 Market Street, Suite 5641, San Francisco, CA 94114, USA
For users in the UK and the EU, you may contact our representative under Article 27 GDPR by writing to the same address; we will route your request appropriately.
Questions
Anything in this document that isn't clear, or that you'd like more detail on, write to us at hi@cliveai.com. We answer every message from a real human.