Privacy Policy

Last updated: 28 May 2026

1. Introduction

This Privacy Policy explains how Foundation collects, uses, stores, and protects personal information.

Foundation is operated by Programmatical Pty Ltd (ABN 66 686 965 604), trading as Foundation (“Foundation”, “we”, “us”, “our”). We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy applies to our website (https://usefoundation.com.au), our products and services, and any other interactions you have with Foundation.

If you are a Foundation client engaged under a Master Services Agreement, Statement of Work, or other signed agreement, additional or supplemental privacy terms may apply under that agreement. Where there is any inconsistency, the terms of your signed agreement prevail with respect to your engagement.

2. What We Collect

In the course of operating our business, we may collect the following categories of personal information:

  (a) Identity information: name, title, and other identifiers you provide;
  (b) Contact information: email address, phone number, postal address, and similar contact details;
  (c) Professional information: company, role, industry, business size, and other details about your professional context;
  (d) Communications: emails, messages, calls, meeting recordings, transcripts, and notes from interactions with Foundation;
  (e) Engagement data: responses to forms, surveys, or questionnaires; feedback; preferences; and similar information you provide;
  (f) Technical data: IP address, browser type, device information, operating system, time zone, referral source, pages visited, time spent on pages, and similar information automatically collected when you interact with our website;
  (g) Marketing data: subscription preferences and engagement with our marketing communications;
  (h) Financial information: limited to billing details required for paid engagements. Full payment processing is handled by third-party payment processors such as Stripe; Foundation does not store full credit card details; and
  (i) Sensitive information: collected only with your explicit consent, and only where necessary for a specific business purpose (for example, where a client shares business-sensitive information to enable us to provide services).

We may also collect personal information from third parties, including referral sources, service providers, publicly available sources, and your authorised representatives.

3. How We Collect Information

We collect personal information through a variety of means, including:

  (a) directly from you when you provide it via our website (forms, demo requests, newsletter signups), email, phone, video calls, in-person meetings, or other communications;
  (b) automatically when you interact with our website, including through cookies and similar technologies (see clause 8);
  (c) from third-party tools and platforms used in the course of providing our services (for example, calendar booking platforms, payment processors, electronic signature platforms);
  (d) from publicly available sources where relevant; and
  (e) from your authorised representatives, employer, or referral sources.

4. Why We Collect Information and How We Use It

We use personal information for the following purposes:

  (a) providing our products and services, including AI advisory, AI infrastructure builds, and related services;
  (b) communicating with you, including responding to enquiries, providing service updates, and conducting business correspondence;
  (c) marketing and sales, including newsletters, marketing communications, event invitations, and product updates (see clause 9);
  (d) operating and improving our business, including research, analytics, product development, quality assurance, and process improvement;
  (e) managing our relationships with clients, prospects, contractors, suppliers, and other parties;
  (f) complying with legal obligations, including tax, regulatory, and reporting requirements;
  (g) protecting our legal interests, including establishing, exercising, or defending legal claims; and
  (h) any other purpose for which you have provided your consent or which is otherwise permitted by law.

We may use anonymised and aggregated data (data that no longer identifies any individual) for any purpose, including research, analytics, and improvement of our products and services.

We do not sell, rent, or trade your personal information.

5. AI Systems and Client Data

A core part of our service is accessing client business systems — with your explicit permission — to build and configure AI infrastructure. This may involve processing business data including emails, documents, CRM records, and operational workflows. We treat this access with particular care:

  • We access only the systems and data you explicitly authorise.
  • Client business data is used to deliver your engagement, not for unrelated purposes.
  • Access credentials shared during delivery are used only for the agreed scope, and are returned or revoked at project completion.
  • All team members with client system access operate under confidentiality obligations.

Where we use third-party AI model providers to deliver services, we select providers and configurations that support these commitments.

6. Who We Share Information With

We may disclose personal information to:

  (a) our personnel, including employees, contractors, and subcontractors, on a need-to-know basis for the purpose of providing our services;
  (b) sub-processors and service providers that support our operations (see clause 7);
  (c) clients, where personal information is shared in connection with services we provide to them (for example, where we deliver work product that includes personal information);
  (d) professional advisers, such as lawyers, accountants, and auditors;
  (e) regulatory authorities, courts, or other bodies, where required by law or in connection with legal proceedings;
  (f) successors or assigns, in connection with a sale, merger, or transfer of our business or assets; and
  (g) any other party with your consent or as otherwise permitted by law.

7. Third-Party Tools and Sub-Processors

We use third-party tools and service providers to operate our business and deliver our services. The main categories, and the data they typically process, are:

| Service | Purpose | Data processed |
| --- | --- | --- |
| Stripe | Payment processing | Name, email, billing details |
| Cal.com | Booking and scheduling | Name, email, booking details |
| Google Workspace | Email and collaboration | Name, email, correspondence |
| Vercel | Website hosting | IP address, device and usage data |
| AI model providers (e.g. Anthropic) | AI service delivery and operations | Data you authorise us to process (see clause 5) |
| Attio | CRM and sales | Name, email, professional and engagement data |
| eSignature provider | Agreements and contracts | Name, email, signature |
| Meeting/transcription tool | Call notes and transcripts | Name, voice/recording, transcript |
| Analytics provider | Website analytics | Usage data (de-identified where possible) |

This list is not exhaustive and may change over time. Each provider operates under its own privacy policy. We take commercially reasonable steps to ensure third-party providers handle personal information in accordance with this Privacy Policy and applicable law, but we do not warrant the practices of any third-party provider. A current list of our significant sub-processors is available on request from .

8. Cookies and Similar Technologies

Our website uses cookies and similar technologies for the following purposes:

  (a) Essential cookies that are necessary for the website to function;
  (b) Functional cookies that remember your preferences and improve your experience;
  (c) Analytics cookies that help us understand how visitors use our website; and
  (d) Marketing cookies that may be used to measure engagement with our marketing or to deliver targeted advertising (where applicable).

You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete cookies, or be notified when cookies are set. Disabling cookies may affect the functionality of the website.

9. Email Marketing

We may send you marketing communications about our products, services, events, and content. By providing your email address to us (whether through our website, by email, in person, or otherwise), you consent to receiving these communications.

You can unsubscribe at any time by:

  (a) clicking the unsubscribe link in any marketing email;
  (b) replying to a marketing email and asking to be removed; or
  (c) emailing .

We may continue to send you transactional or service-related emails (for example, billing notifications, contract updates, or service announcements) even after you unsubscribe from marketing communications.

10. Storage and Security

We store personal information using commercially reasonable security measures, including encryption in transit and at rest where practicable, access controls, and segregation between client environments.

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. However, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.

In the event of a data breach affecting your personal information, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) where required under the Notifiable Data Breaches scheme in the Privacy Act 1988 (Cth).

If you become aware of a security issue, please contact us immediately at .

11. Retention

We retain personal information only for as long as is reasonably necessary for the purposes for which it was collected, or as required by law. As a guide:

  • Client engagement records: 7 years (tax and legal requirements)
  • Payment records: 7 years (ATO requirements)
  • Website analytics data: 26 months rolling
  • Marketing contact information: until you unsubscribe

For signed clients, retention is governed by the relevant signed agreement (typically during the engagement and for a further 7 years thereafter). After the relevant retention period, we will either de-identify or delete personal information.

12. Cross-Border Data Transfers

Our operations and the third-party tools we use may involve the storage and processing of personal information outside Australia (for example, in the United States, the European Union, or other jurisdictions where our service providers operate).

By providing personal information to us, you consent to the transfer of that information to such jurisdictions for the purposes described in this Privacy Policy.

We take commercially reasonable steps to ensure that any cross-border transfer complies with the Australian Privacy Principles, including by selecting service providers that maintain appropriate data protection practices.

13. Your Rights

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have certain rights with respect to your personal information, including:

  (a) Access: you may request access to the personal information we hold about you;
  (b) Correction: you may request that we correct any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading;
  (c) Deletion: you may request that we delete personal information held about you. We will action such requests within a reasonable time, subject to any legal or contractual retention obligations;
  (d) Withdrawal of consent: you may withdraw your consent for direct marketing or other consent-based processing at any time;
  (e) Anonymity or pseudonymity: you may interact with us anonymously or under a pseudonym in some circumstances, where it is lawful and practicable to do so.

To exercise any of these rights, email . We will respond within 30 days. We may need to verify your identity before actioning a request, and may charge a reasonable cost-recovery fee for access to large volumes of information.

14. Complaints

If you have a concern or complaint about how we have handled your personal information, please contact us first at . We take privacy concerns seriously, and will acknowledge your complaint promptly and respond within a reasonable time, generally within 30 days.

If you are not satisfied with how we have handled your complaint, you can also raise it with the Office of the Australian Information Commissioner (oaic.gov.au).

15. Children's Information

Our services are not directed to children under the age of 16, and we do not knowingly collect personal information from children under 16 without parental or guardian consent.

If you believe a child has provided personal information to us without consent, please contact us at and we will take reasonable steps to delete the information.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

Updates will be posted on our website with a revised ‘Last updated’ date at the top of the document. For material changes, we will provide additional notice (such as a prominent notice on the website or, where applicable, by email). Your continued use of our website or services after an update constitutes acceptance of the updated policy.

17. Contact

For any questions, concerns, or requests in connection with this Privacy Policy, please contact:

Foundation — Privacy

Programmatical Pty Ltd

ABN 66 686 965 604

Trading as Foundation

4 Indigo Close, Greensborough, Victoria 3088, Australia

Email:
Website: https://usefoundation.com.au