Privacy Policy

Last Updated: April 9, 2026

Our Commitment to Privacy

At Foundry Solutions Group, we take your privacy seriously. This policy explains how we collect, use, and protect your personal information across all of our services, including our main website at foundrysolutionsgroup.com and our BrandEngine platform at beta.foundrysolutionsgroup.com. We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the EU Artificial Intelligence Act, and other applicable data protection laws.

1. Information We Collect

1.1 Information You Provide

When you interact with our websites or services, you may provide us with personal information including:

  • Account Information: Name, email address, password, profile photo, company name, and job title when you create an account on BrandEngine or our admin portal
  • Contact Information: Name, email address, phone number, company name submitted through contact forms, Launch Partnership requests, or direct communication
  • Business Information: Industry, service interests, business size, location
  • Communication Content: Messages sent through contact forms, support requests, or email
  • Newsletter Data: Email address and name for newsletter subscriptions
  • Brand & Content Data: Brand questionnaires, voice samples, content drafts, writing style preferences, and other creative inputs you provide through BrandEngine
  • LinkedIn Profile Data: When you connect your LinkedIn account to BrandEngine, we receive your LinkedIn profile information (name, profile ID, headline) and post analytics data as authorized by you through LinkedIn's OAuth consent flow
  • Uploaded Media: Images, documents, and other files you upload to BrandEngine for use in content creation or brand training
  • Recruitment Data: Resumes, application materials, phone numbers, and professional information submitted through our recruitment services

1.2 Information Collected Automatically

When you visit our websites, we automatically collect certain information:

  • Usage Data: Pages visited, features used, time spent, navigation patterns, and interactions within the application
  • Device Information: Browser type, operating system, device type, screen resolution
  • Log Data: IP address, access times, referring URLs, error logs
  • Session Recordings: Anonymized session replays and heatmaps via Microsoft Clarity to understand how users interact with our website (see Section 9 for details)
  • Cookies: See our Cookie Policy and Section 9 below for details

1.3 Information from Third Parties

We may receive information about you from third-party sources:

  • LinkedIn API: Profile information, post engagement metrics, and analytics data when you authorize your LinkedIn account (see Section 4)
  • Data Enrichment Services: Publicly available professional information (name, headline, company, location) from LinkedIn profile enrichment services to improve our contact and business intelligence capabilities
  • Scheduling Platforms: Name, email address, and booking details when you schedule meetings through Calendly widgets embedded on our site

2. How We Use Your Information

We use your personal information for the following purposes:

2.1 Service Delivery

  • Respond to your inquiries and contact form submissions
  • Process Launch Partnership requests and schedule discovery calls
  • Provide customer support and answer questions
  • Send service-related communications

2.2 BrandEngine Platform

  • Generate, refine, and manage social media content using AI on your behalf
  • Analyze and develop your brand voice profile from questionnaire responses and content samples
  • Publish content to your connected LinkedIn account at your direction
  • Retrieve and display post performance analytics from LinkedIn
  • Generate custom images for your content using AI image generation services
  • Provide content intelligence by aggregating industry news, trends, and relevant topics from public sources
  • Train personalized image style models using images you upload (processed by third-party AI services)

2.3 Marketing & Communication

  • Send newsletters and updates (with your consent)
  • Provide information about our services
  • Send relevant content and resources
  • You can unsubscribe anytime from marketing emails

2.4 Recruitment Services

  • Process job applications and match candidates to positions
  • Communicate with candidates via email and WhatsApp (with consent)
  • Store and organize resumes and application materials
  • Use AI-powered semantic matching to identify relevant candidate-job fits

2.5 Analytics & Improvement

  • Understand how visitors use our websites and platform features
  • Improve our services, user experience, and AI-generated output quality
  • Analyze trends and measure campaign effectiveness
  • Detect and prevent fraud or security issues

3. BrandEngine Platform Services

BrandEngine is a content creation and management platform operated by Foundry Solutions Group, accessible at beta.foundrysolutionsgroup.com. This section describes the specific data processing activities unique to BrandEngine.

3.1 What BrandEngine Does

BrandEngine helps you create, manage, and publish professional content on LinkedIn. The platform uses artificial intelligence to generate content drafts, analyze your brand voice, create custom images, and provide content performance analytics. To deliver these services, BrandEngine processes your data through several third-party AI and API services as described in Sections 4, 5, and 6 of this policy.

3.2 Data You Provide to BrandEngine

  • Brand Questionnaire: Responses about your professional background, expertise, target audience, content preferences, and brand positioning
  • Voice & Style Samples: Example posts and writing samples used to train your personalized brand voice profile
  • Content Drafts: Posts you create, edit, or generate through the platform
  • Images: Photos and graphics you upload for content use or AI style model training
  • LinkedIn Connection: OAuth tokens and permissions that enable BrandEngine to interact with LinkedIn on your behalf

3.3 Multi-Tenancy & Data Isolation

BrandEngine operates as a multi-tenant application. Your data is logically separated from other users' data at the database level through organization-scoped access controls. Each organization's content, brand profiles, images, and LinkedIn connections are isolated and accessible only to authorized members of that organization.

4. LinkedIn Integration & Data

Important: LinkedIn Data Handling

BrandEngine integrates with LinkedIn via the official LinkedIn API. This section specifically addresses how we handle data received from or sent to LinkedIn, in compliance with the LinkedIn API Terms of Use and the LinkedIn Data Processing Agreement.

4.1 LinkedIn OAuth & Permissions

When you connect your LinkedIn account to BrandEngine, you are redirected to LinkedIn's authorization page where you explicitly grant the following permissions:

  • Profile Access (r_liteprofile): Read your basic profile information including your name, LinkedIn member ID, and profile picture
  • Post Publishing (w_member_social): Publish posts and content to LinkedIn on your behalf
  • Post Analytics (r_member_postAnalytics): Retrieve performance metrics for your posts, including impressions, reactions, comments, shares, and clicks

We request only the minimum permissions necessary to provide BrandEngine's core features. You must affirmatively consent to each scope through LinkedIn's OAuth flow before we access any data.

4.2 What LinkedIn Data We Access

  • Profile Data: Your LinkedIn member ID, first name, last name, and profile picture URL. This is accessed once during authorization and refreshed only when you actively use BrandEngine.
  • Post Analytics: Engagement metrics (impressions, reactions, comments, shares, clicks) for posts published through BrandEngine. This data is retrieved to display performance dashboards within the platform.
  • Publishing: When you approve a post for publishing, BrandEngine submits the content to LinkedIn's API on your behalf. We do not publish content without your explicit action.

4.3 How We Use LinkedIn Data

LinkedIn data is used solely to provide BrandEngine's features:

  • Display your profile identity within BrandEngine so you can manage your connected account
  • Publish content to LinkedIn at your direction
  • Retrieve and display post performance analytics within BrandEngine dashboards
  • Improve content recommendations based on your post performance (analytics are not shared with other users)

We do not sell, rent, lease, or share your LinkedIn data with any third party. We do not use LinkedIn data for advertising, lead generation, or any purpose outside of the BrandEngine service. We do not combine LinkedIn Content with data from non-LinkedIn sources in ways that would prevent attribution to LinkedIn.

4.4 LinkedIn Data Storage & Retention

  • OAuth Tokens: Your LinkedIn access token and refresh token are stored in our encrypted database for the duration of your account. Tokens are deleted immediately when you disconnect your LinkedIn account or close your BrandEngine account.
  • Profile Data: Stored for the duration of your active account. Profile data is refreshed only when you are actively using BrandEngine, not on an automated schedule.
  • Post Analytics: Stored for the duration of your active account to enable historical performance tracking. Deleted upon account closure or disconnection.
  • Published Content: Records of posts published through BrandEngine are retained for your reference. The content itself lives on LinkedIn and is governed by LinkedIn's policies.

4.5 Revoking LinkedIn Access

You may disconnect your LinkedIn account from BrandEngine at any time through your account settings. Upon disconnection, we will immediately delete your LinkedIn OAuth tokens and cease all API access to your LinkedIn account. You may also revoke BrandEngine's access directly from your LinkedIn account settings.

4.6 LinkedIn Data Deletion

You may request deletion of all LinkedIn-sourced data at any time by contacting us at hello@foundrysolutionsgroup.com or through your BrandEngine account settings. Upon receiving a valid deletion request, we will delete all LinkedIn Content (profile data, analytics, tokens) within 30 days, except where retention is required by law. When you close your BrandEngine account, all LinkedIn data is automatically deleted.

4.7 Compliance

Our use of LinkedIn data complies with the LinkedIn API Terms of Use, the LinkedIn Data Processing Agreement for Business Development Agreements (BD DPA), and all applicable LinkedIn developer documentation. Our privacy practices regarding LinkedIn data are at least as stringent as LinkedIn's own Privacy Policy.

5. Artificial Intelligence & Automated Processing

AI Transparency Notice

BrandEngine uses artificial intelligence to generate content, images, and analytics. This section explains which AI providers we use, what data is processed, and your rights regarding AI-processed data. Content generated by BrandEngine's AI features is AI-generated content.

5.1 AI Providers & Data Processing

BrandEngine sends data to the following AI service providers to deliver its features. Each provider operates as a sub-processor under our Data Processing Agreements:

  • Anthropic (Claude): Our primary AI provider for content generation, brand voice analysis, content refinement, and classification. When you use these features, your prompts, brand questionnaire data, voice samples, and content drafts are sent to Anthropic for processing. Anthropic does not use API data for model training. Data location: United States (EU-US Data Privacy Framework certified).
  • OpenAI: Used for text embeddings (semantic search and content matching) and AI image generation. When you generate images, your prompts and visual context are sent to OpenAI. When content is indexed for search, text excerpts are sent for embedding. OpenAI does not use API data for model training by default. Data location: United States (EU-US Data Privacy Framework certified).
  • Google (Gemini): Used as a fallback AI provider for content generation when needed. Data handling follows Google Cloud AI terms. Google does not use paid API data for model training. Data location: United States.
  • Replicate: Used for specialized image generation (Flux models) and custom image style model training. When you train a custom style model, the images you upload are sent to Replicate for processing. Data location: United States.

5.2 What Data Is Sent to AI Providers

  • Text content: prompts, brand questionnaire responses, content drafts, voice samples, and refinement instructions
  • Image data: uploaded images for vision analysis or style model training, image generation prompts
  • Contextual data: industry context, content intelligence summaries, and performance signals used to improve content quality

We do not send your name, email, password, LinkedIn OAuth tokens, or financial information to AI providers. We minimize the personal data included in AI processing requests.

5.3 AI Data Retention by Providers

AI providers may temporarily retain API request data for abuse detection and service monitoring:

  • Anthropic: Retains API inputs/outputs for up to 30 days, then deletes
  • OpenAI: Retains API inputs/outputs for up to 30 days, then deletes (zero-retention options available)
  • Google Gemini: Retention per Google Cloud terms of service
  • Replicate: Training data and model weights retained until you request deletion or model expiry

None of these providers use your data sent through our API to train their general-purpose models.

5.4 AI-Generated Content

Content and images produced by BrandEngine's AI features are AI-generated. While we strive for accuracy and quality, AI-generated outputs may contain errors and should be reviewed before publishing. You retain full editorial control over all content before it is published to LinkedIn or any other platform.

5.5 Automated Decision-Making

BrandEngine uses AI to assist with content classification, performance scoring, and content recommendations. These are assistive features designed to help you make better content decisions. No fully automated decisions with significant legal or similarly significant effects are made about you. You always have the final decision on content creation and publishing. Under GDPR Article 22, you have the right to request human review of any AI-assisted recommendation or classification.

5.6 Your Rights Regarding AI Processing

  • You may request information about how AI processes your specific data
  • You may request human review of AI-generated classifications or recommendations
  • You may request deletion of AI-generated content and associated processing data
  • You may object to specific AI processing activities under GDPR Article 21

6. Data Sharing & Third-Party Services

We do not sell your personal information. We share data with third parties only as necessary to provide our services, comply with law, or protect our rights. Each third-party provider operates under a Data Processing Agreement or equivalent contractual obligation.

6.1 AI & Machine Learning Providers

  • Anthropic: Content generation and analysis (see Section 5)
  • OpenAI: Embeddings, image generation, and semantic matching (see Section 5)
  • Google (Gemini): Fallback content generation (see Section 5)
  • Replicate: Image generation and custom model training (see Section 5)

6.2 Social Media & APIs

  • LinkedIn API: Profile access, content publishing, and analytics (see Section 4)
  • EnrichLayer: Professional profile enrichment using publicly available LinkedIn data (names, headlines, company information)

6.3 Analytics & User Experience

  • Google Analytics 4: Website usage analysis, conversion tracking, and audience insights. Data includes page views, session data, and anonymized IP addresses. We also use server-side Measurement Protocol for privacy-sensitive event tracking.
  • Microsoft Clarity: Session recording, heatmaps, and user behavior analysis to improve website usability. Clarity captures anonymized interaction data (clicks, scrolls, navigation) but does not capture keystrokes in password fields or sensitive form inputs.

6.4 Communication Services

  • Resend: Transactional and marketing email delivery. Receives recipient email addresses, names, and email content.
  • Meta WhatsApp Business API: Used in recruitment services to communicate with candidates who have opted in. Receives candidate phone numbers and message content.
  • Calendly: Embedded scheduling widget for booking discovery calls and meetings. Receives your name, email, and booking preferences when you schedule a meeting.

6.5 Cloud Infrastructure & Storage

  • Railway: Application hosting and managed PostgreSQL database. All application data is stored in Railway-hosted databases. Data location: United States.
  • Vercel: Website hosting, serverless functions, and file storage (Vercel Blob). Data location: United States with global CDN edge nodes.
  • Cloudflare R2: Object storage for BrandEngine-generated images and media files. Data location: globally distributed.
  • Redis (hosted): In-memory data store used for background job processing queues. Transient processing data only; no long-term personal data storage.

6.6 Enterprise & Document Management

  • Microsoft Azure AD & SharePoint: Used in recruitment services for secure resume storage and document management. Receives resume files, candidate names, and job titles.

6.7 Content Intelligence Sources

BrandEngine aggregates public information from external sources to provide content intelligence and trend analysis. These sources include:

  • NewsCatcher API: Industry news and article search
  • X (Twitter) API: Public trending topics and industry discussions
  • GDELT Project: Global news and event data
  • Reddit (public API): Community discussions and trending topics
  • Hacker News: Technology and startup news
  • Google Trends: Search trend data
  • RSS Feeds: Industry publication updates

No personal user data is sent to these content intelligence sources. We query them for publicly available content based on industry topics relevant to your brand profile.

6.8 Other Services

  • IndexNow: Notifies search engines (Bing, Yandex) of updated pages on our website. Sends only page URLs, no personal data.

6.9 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.

6.10 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change and ensure the receiving party honors this privacy policy or provides equivalent protections.

7. Data Security

We implement industry-standard security measures to protect your personal information:

  • Encryption in Transit: All data transmitted via HTTPS/TLS 1.2+ encryption
  • Encryption at Rest: Database contents and stored files encrypted at rest
  • Access Controls: Limited access to personal data on a need-to-know basis with role-based permissions
  • Secure Credential Storage: Passwords hashed with bcrypt; OAuth tokens and API keys encrypted in the database
  • Regular Audits: Ongoing security assessments and dependency vulnerability monitoring
  • Employee Training: Team trained on data protection best practices
  • Incident Response: Documented process for identifying, containing, and notifying affected parties of security incidents within 72 hours as required by GDPR

While we take reasonable precautions, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to protecting your data.

8. Your Rights & Choices

You have the following rights regarding your personal information:

8.1 Access & Correction

  • Request a copy of the personal data we hold about you
  • Update or correct inaccurate information
  • Request deletion of your personal data
  • Export your BrandEngine data in a structured, machine-readable format (data portability)

8.2 Marketing Preferences

  • Unsubscribe from marketing emails anytime (link in every email)
  • Opt out of certain data collection (cookies via browser settings)
  • Request to stop processing your data for marketing purposes

8.3 LinkedIn Data Rights

  • Disconnect your LinkedIn account from BrandEngine at any time via account settings
  • Revoke BrandEngine's access directly from your LinkedIn account privacy settings
  • Request deletion of all LinkedIn-sourced data stored in BrandEngine
  • Upon disconnection or deletion request, all LinkedIn tokens, profile data, and analytics are removed

8.4 AI Processing Rights

  • Request information about how AI processes your specific data
  • Request human review of any AI-assisted decision or classification
  • Object to specific AI processing activities
  • Request deletion of custom AI models trained on your data

8.5 GDPR Rights (EU/EEA Residents)

If you are in the European Union or European Economic Area, you have additional rights:

  • Right to data portability (receive your data in a structured format)
  • Right to restrict processing
  • Right to object to processing based on legitimate interests
  • Right not to be subject to solely automated decision-making (GDPR Article 22)
  • Right to lodge a complaint with a supervisory authority
  • Right to withdraw consent at any time without affecting the lawfulness of prior processing

8.6 CCPA Rights (California Residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how we use it
  • Request deletion of your personal information
  • Opt-out of the sale of personal information (we do not sell your data)
  • Non-discrimination for exercising your privacy rights
  • Correct inaccurate personal information
  • Limit the use of sensitive personal information

To exercise any of these rights, contact us at hello@foundrysolutionsgroup.com. We will respond to verified requests within 30 days as required by law.

9. Cookies & Tracking

We use cookies and similar tracking technologies to improve your experience and analyze website usage:

  • Essential Cookies: Required for website functionality, authentication sessions (NextAuth), and security
  • Analytics Cookies: Google Analytics 4 cookies (_ga, _gid) help us understand how visitors use our site. We use IP anonymization.
  • Session Recording: Microsoft Clarity uses cookies and scripts to record anonymized user sessions (clicks, scrolls, page navigation) for UX improvement. Clarity does not capture sensitive form data. You can opt out at Microsoft's privacy dashboard.
  • Scheduling Widgets: Calendly embeds may set third-party cookies when you interact with the booking widget on our site
  • Marketing Cookies: Track campaign effectiveness and conversions
  • Local Storage: Cookie consent preferences are stored in your browser's local storage

You can control cookie preferences through your browser settings or our cookie consent banner. Note that disabling cookies may affect website functionality. See our Cookie Policy for details.

10. Data Retention

We retain your personal information only as long as necessary for the purposes outlined in this policy:

10.1 Website Data

  • Contact Form Submissions: 2 years or until you request deletion
  • Newsletter Subscribers: Until you unsubscribe
  • Analytics Data: 26 months (Google Analytics default); Microsoft Clarity per Microsoft retention policies
  • Scheduling Data: Meeting bookings retained per Calendly's data retention policies

10.2 BrandEngine Data

  • Account Data: Retained for the duration of your active account. Deleted within 30 days of account closure, with backups purged within 90 days.
  • Content & Brand Profiles: Retained for the duration of your active account
  • Generated Images: Stored in Cloudflare R2 for the duration of your account
  • Custom AI Models: Training data and model weights on Replicate retained until you request deletion or model expiry

10.3 LinkedIn Data

  • OAuth Tokens: Retained until you disconnect your LinkedIn account, tokens expire, or you close your BrandEngine account
  • Profile Data: Retained for the duration of your active connection; refreshed only when you are actively using the application
  • Post Analytics: Retained for the duration of your active account for historical performance tracking
  • All LinkedIn data is deleted promptly upon disconnection, account closure, or valid deletion request

10.4 AI Processing Data

  • Anthropic/OpenAI: API request logs retained by providers for up to 30 days, then deleted
  • Google Gemini: Per Google Cloud terms of service
  • Replicate: Model training data retained until deletion request or expiry
  • Our Systems: AI-generated outputs stored for the duration of your account

10.5 Recruitment Data

  • Applications & Resumes: Retained for the duration of the recruitment engagement plus 1 year, unless a longer period is required by law or you request earlier deletion
  • WhatsApp Communications: Message records retained per the recruitment engagement period

10.6 Client Data

  • Client Service Data: Duration of service agreement plus 7 years (tax/legal requirements)

11. International Data Transfers

Our operations are based in the United States and Europe (Kosovo). Your data may be transferred to and processed in the following locations depending on which services you use:

  • United States: Primary application hosting (Railway), AI providers (Anthropic, OpenAI, Google, Replicate), email delivery (Resend), website hosting (Vercel)
  • Europe (Kosovo): Foundry Solutions Group operational team
  • Global CDN: Cloudflare R2 and Vercel edge nodes distribute static assets globally for performance

For transfers from the EU/EEA to the United States, we rely on the EU-US Data Privacy Framework (where our sub-processors are certified, including Anthropic, OpenAI, Google, and Microsoft) and Standard Contractual Clauses (SCCs) where applicable. We ensure appropriate safeguards are in place for all international transfers in compliance with GDPR and other applicable data protection laws.

12. Sub-Processors

The following is a summary of our sub-processors — third-party services that process personal data on our behalf. We maintain Data Processing Agreements or equivalent contractual protections with each provider. We will update this list when sub-processors change and notify affected users where required by applicable law.

AI & Machine Learning

  • Anthropic — Content generation, classification (US, DPF certified)
  • OpenAI — Embeddings, image generation, semantic matching (US, DPF certified)
  • Google (Gemini) — Fallback content generation (US, DPF certified)
  • Replicate — Image generation, model training (US)

Infrastructure & Hosting

  • Railway — Application hosting, PostgreSQL database (US)
  • Vercel — Website hosting, serverless functions, file storage (US, global CDN)
  • Cloudflare — R2 object storage for generated images (global)

Communication

  • Resend — Email delivery (US)
  • Meta (WhatsApp Business) — Candidate messaging for recruitment (US/EU)
  • Calendly — Meeting scheduling (US)

Analytics

  • Google (Analytics 4) — Website usage analytics (US, DPF certified)
  • Microsoft (Clarity) — Session recording, heatmaps (US/EU, DPF certified)

Social Media & Data

  • LinkedIn (Microsoft) — Profile data, publishing, analytics API (US/EU, DPF certified)
  • EnrichLayer — Professional profile enrichment (EU)

Enterprise

  • Microsoft (Azure AD, SharePoint) — Identity, document storage for recruitment (US/EU, DPF certified)

13. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us, and we will delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or sub-processors. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. For BrandEngine users, material changes will also be communicated via email or in-app notification. Continued use of our services after changes constitutes acceptance of the updated policy.

15. Contact Us

Questions about this Privacy Policy or our data practices?

Privacy & Data Requests:

hello@foundrysolutionsgroup.com

We will respond to privacy requests within 30 days as required by law. For LinkedIn data deletion requests, we will process your request and confirm deletion within 30 days.

16. Additional Information for Client Services

If you become a client and we provide customer operations services on your behalf:

  • We act as a data processor for your customer data
  • You (the client) remain the data controller
  • We process data only according to your instructions
  • We sign Data Processing Agreements (DPAs) with all clients
  • We maintain SOC 2 Type II equivalent security standards
  • Client data is segregated and encrypted
  • We sign BAAs for HIPAA-covered entities
  • We maintain an up-to-date list of sub-processors (see Section 12) and notify clients before adding new ones

Note: This Privacy Policy covers our website (foundrysolutionsgroup.com), BrandEngine platform (beta.foundrysolutionsgroup.com), and related services. Client service agreements include additional data protection terms specific to your engagement. For BrandEngine-specific terms, please also refer to the BrandEngine Terms of Service.