Privacy Policy | Founder Athlete

Privacy Policy

Founder Athlete Inc. (the "Company", "we", "us", "our")

Last Updated: June 24, 2026

Statement from the Company: We are committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you visit our websites, use our products and services, or otherwise interact with us.

Who we are and the scope of this policy

Controller Identity

Legal EntityFounder Athlete Inc.
Registered Address2482 Yonge Street #1302 Toronto, ON M4P 2H5 Canada
Emailsupport@founderathlete.co
Phone+1 647-254-0828
Data Protection OfficerMrinal Asthana, Chief Technology Officer, mrinal@founderathlete.co
EU Representative (Art. 27)Not applicable - we do not offer services in the EU/EEA
UK RepresentativeNot applicable - we do not offer services in the UK

Scope

This Privacy Policy applies to personal information we collect when you:

  • Visit our websites, including founderathlete.co and any subdomains that link to this Policy;
  • Use our cloud-based software products, APIs, and related services;
  • Attend our events, webinars, or respond to our marketing communications;
  • Communicate with us via email, chat, phone, or social media; or
  • Apply for employment (subject to our separate Candidate Privacy Notice)

(collectively, the "Services").

This Policy does not apply to personal information we process on behalf of our customers as a data processor or service provider. When we process data on behalf of our customers, the customer's privacy policy governs, and our obligations are set forth in our Data Processing Agreement.

Processor/service provider role: When you interact with our Services through your employer or another organization, that organization is the controller (or "business" under the CCPA). We process personal data on their behalf pursuant to written agreements. Please refer to that organization's privacy policy for details on how your data is handled.

Health information and Canadian health-privacy law: Because we provide health- and performance-coaching services, this Policy also covers how we handle health-related information. Most of it is "Wellness Data" that we collect in our own right and that is governed by Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) (and, in some provinces, a substantially similar private-sector law). Separately, where a regulated health custodian or trustee (a clinic or practitioner) uses our Services to provide care to you, we act as that provider's agent or information manager under the applicable provincial health-privacy law, such as Ontario's PHIPA, for the personal health information involved. For details, see the "Your privacy rights in Canada (PIPEDA)" and "Our role under Canadian health-privacy laws" sections below.

Information we collect

Information you provide directly

You may provide us with the following information directly through your interactions with our Services:

  • Account registration data: name, email address, password, job title, company name;
  • Payment and billing information: credit card details (processed by our PCI-compliant payment processor), billing address, tax ID;
  • Communications: content of emails, support tickets, chat messages, and feedback forms;
  • Survey and research responses: when you voluntarily participate in surveys, beta programs, or user research;
  • Event registration: name, email, dietary requirements, and accessibility needs when you register for events; or
  • Any other information that you voluntarily provide us, including but not limited to: health, wellness and lifestyle information you choose to share (for example sleep, nutrition, energy patterns, stress response, focus, exercise, and neurodiversity), coaching intake responses, connected wearable data, and the content of your coaching sessions.

Information collected automatically

We may collect certain information automatically, including through the use of cookies or similar technology, through your interactions with our Services, including:

  • Device and browser information: IP address, browser type and version, operating system, device identifiers, screen resolution, and preferred language;
  • Usage data: pages visited, features used, clickstream data, session duration, referring URL, and search queries within the Services;
  • Log data: server logs, error reports, API call metadata, and timestamps;
  • Location data: approximate geographic location derived from IP address. We do not collect precise geolocation unless you separately consent.

Information from third parties

We may collect certain information that is shared to us from third parties, including:

  • Single sign-on providers: if you authenticate via Google, Microsoft, or another SSO provider, we receive your name, email, and profile information as authorized by you;
  • Public sources and data enrichment: business contact information from publicly available sources (e.g., LinkedIn, company websites) and third-party data providers, used for B2B marketing in accordance with applicable law;
  • Connected devices and integrations: if you connect a wearable device or other service to your account (for example Oura, WHOOP, Fitbit, or Google Calendar), we receive the health, activity, and calendar data you authorize that service to share.

Sensitive personal information

Because we provide health- and performance-coaching services, we collect information about your health and wellbeing, and we handle it in two distinct ways. Most of it - for example sleep, nutrition, energy patterns, focus, stress response, exercise, neurodiversity, physiological and wearable-device data (such as from Oura, WHOOP, or Fitbit), and the content of coaching sessions - is "Wellness Data" that you submit to us outside any clinical context. We collect Wellness Data in our own right (not as anyone's agent); it is governed by this Policy under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, for any individuals to whom it applies, may also be "special category data" under Article 9 of the GDPR. Separately, where a regulated health-care provider (a "health information custodian") uses our Services to provide care to you, information collected in that clinical context is "personal health information" (PHI) under Ontario's Personal Health Information Protection Act, 2004 (PHIPA), which we handle only as the custodian's agent (see the PHIPA section below). If you choose to share Wellness Data with a custodian in connection with your care, that copy of the data is treated as PHI from the point of sharing forward. We obtain your express, opt-in consent before collecting health-related information; we use it only to provide the Services you have requested; we use it to improve our Services only in de-identified or aggregated form; we apply heightened safeguards including access controls, encryption in transit and at rest, and limited internal access; and we do not use it for advertising and do not sell it.

Under the California Privacy Rights Act (CPRA), several categories of information we collect are classified as "sensitive personal information," including account log-in credentials (i.e., your email address in combination with a password) and health information. We use sensitive personal information only as necessary to provide the coaching services you have requested, to authenticate and secure your account, and for other purposes authorized by CPRA Section 1798.121. We do not use or disclose sensitive personal information to infer characteristics about you or for advertising. You have the right to limit the use of your sensitive personal information to those authorized purposes. To exercise this right, please see Section 8.2 below.

How we use your information and our legal basis

We process your personal information only for the purposes described below. For individuals in the European Economic Area (EEA), United Kingdom (UK), and Switzerland, we identify the legal basis for each purpose under the GDPR.

Purpose Description Legal Basis (GDPR)
Provide the ServicesCreate and manage your account, process transactions, deliver features, provide customer support, and maintain system performance.Performance of contract (Art. 6(1)(b))
Communicate with youSend transactional messages (e.g., confirmations, invoices, security alerts, service updates) and respond to your inquiries.Performance of contract (Art. 6(1)(b))
Improve and develop productsAnalyze usage patterns, conduct A/B testing, develop new features, fix bugs, and optimize performance.Legitimate interest (Art. 6(1)(f)): improving products for users
Marketing and promotionsSend newsletters, product announcements, event invitations, and promotional content. Display targeted advertisements.Consent (Art. 6(1)(a)) where required; otherwise Legitimate interest (Art. 6(1)(f)): promoting our services to existing and prospective customers
Analytics and personalizationUnderstand how users interact with the Services, generate aggregated insights, and personalize user experience.Legitimate interest (Art. 6(1)(f)): understanding and optimizing the user experience
Security and fraud preventionDetect, investigate, and prevent fraudulent transactions, unauthorized access, abuse of the Services, and other illegal activities.Legitimate interest (Art. 6(1)(f)): protecting the security of our systems and users; Legal obligation (Art. 6(1)(c)) where required
Legal complianceComply with legal obligations, respond to lawful requests from public authorities, enforce our terms, and establish, exercise, or defend legal claims.Legal obligation (Art. 6(1)(c)); Legitimate interest (Art. 6(1)(f)): establishing, exercising, or defending legal claims
RecruitmentEvaluate job applications, conduct interviews, and manage the hiring process (subject to our separate Candidate Privacy Notice).Pre-contractual steps at your request (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)): evaluating candidates

Legitimate Interest Assessments: Where we rely on legitimate interest as a legal basis for processing (as indicated in the table above), we have conducted a balancing test weighing our interests against your rights and freedoms as a data subject. We have determined that our interests do not override your rights in each case.

Automated processing and artificial intelligence

We use artificial-intelligence tools provided by third parties (currently Anthropic's Claude and Google's Gemini) to generate your performance profile, summarize coaching calls, and produce tailored coaching recommendations from your intake responses, session transcripts, and Wellness Data. These tools support our human coaches; we do not use them to make decisions that produce legal or similarly significant effects about you without human involvement. We use Wellness Data and other personal information to train, validate, or improve our own models only in pseudonymized or de-identified form, and we do not permit our third-party AI providers to use your information to train their general-purpose models except as necessary to provide the service to us. We do not use PHI to train or develop any general-purpose AI or machine-learning model unless it has first been irreversibly de-identified using methods consistent with recognized standards (such as the Information and Privacy Commissioner of Ontario's de-identification guidelines) or you have given express opt-in consent. You may ask us about the logic involved or object to this processing using the contact details below. If you withdraw consent to this processing, we will stop using your identifiable information for training on a going-forward basis and exclude it from future training; however, data that has already been irreversibly de-identified or aggregated, and any models already trained, are no longer personal information and are not affected by withdrawal (where information we used remained identifiable, such as pseudonymized data, we will remove it from active training datasets on request). The aggregated and de-identified datasets we create, and the models and other materials we derive from them, are owned by Founder Athlete as described in our Terms of Service; this does not apply to personal health information we handle as a custodian's agent.

Whether providing your data is required

In most cases, providing your personal information is voluntary. However, some information is necessary to enter into or perform a contract with us (for example, your name and email to create an account, or billing information to process a payment). If you do not provide such information, we may be unable to provide the relevant Services to you. Where we are required by law to collect certain information (for example, tax identification for invoicing), we will inform you at the point of collection.

Data minimization

We adhere to the principle of data minimization. We collect and process only the personal information that is adequate, relevant, and limited to what is necessary for the purposes stated in this Policy. We regularly review the data we hold to ensure it remains necessary for the stated purposes.

How we share your information

We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We do not use advertising pixels or trackers. We share personal information only with the service providers and in the limited circumstances described below:

Service providers

We engage third-party companies and individuals to perform services on our behalf (e.g., hosting, payment processing, analytics, email delivery, customer support).

Below is a current list of our sub-processors:

Subprocessor Service provided Corporate HQ Data that may be processed
Amazon Web Services, Inc. (RDS Postgres, S3, Cognito, App Runner, Amplify)Database, file storage, authentication, and application hostingUSAEffectively all personal data, including identifiers, login credentials, transcripts, health/fitness data, professional information, and inferences
Anthropic, PBC (Claude API)AI reasoning for user-profile generation, refinement, and qualitative outputsUSAContent sent in prompts: transcript text, intake data, coach observations, health data, professional information, and derived inferences
Fireflies.aiCoaching-call recordings and transcriptsUSAFull audio and transcripts of coaching sessions, including sensory data and everything disclosed verbally (health, personal, professional)
Google LLC (Gemini)Coaching-call transcription (alternative to Fireflies)USAAudio and transcript content of coaching sessions
PromptLayerPrompt-template management and loggingUSALogs of prompts and responses where transcript content and user data are passed into prompts
WHOOP, Inc.Wearable integrationUSAPhysiological/health metrics (e.g., strain, HRV, sleep, activity)
Google (Fitbit)Wearable integrationUSAPhysiological/health metrics (e.g., strain, HRV, sleep, activity)
Ōura Health Oy (Oura)Wearable integrationFinlandPhysiological/health metrics (e.g., strain, HRV, sleep, activity)
Google CalendarCalendar integrationUSACalendar information, working blocks, and availability

Business transfers

In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, personal information may be transferred to the acquiring entity. When necessary, we will notify you via email and/or prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.

Legal requirements and protection of rights

We may disclose personal information if required to do so by law or if we believe in good faith that such action is necessary to: (a) comply with a legal obligation, subpoena, court order, or governmental request; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Services; (d) protect the personal safety of users or the public; or (e) protect against legal liability.

With your consent

We may share personal information for other purposes with your express consent.

International data transfers

Founder Athlete Inc. is based in Ontario, Canada. We use service providers located in other countries - including the United States (for example our cloud hosting, AI, and transcription providers) - to operate the Services. Personal information other than PHI, including Wellness Data, may be processed in those countries; PIPEDA permits these transfers provided we use contractual and technical safeguards to ensure a comparable level of protection. Personal health information (PHI) that we handle as a custodian's agent is stored and processed in Canada by default and is not transferred outside Canada unless the relevant custodian authorizes it in writing (see the PHIPA section below). We require each provider to protect your information under written agreements, and we identify these providers in the sub-processors table above so you can make an informed choice. Laws in the countries where non-PHI is processed may differ from those in your jurisdiction and may, in some circumstances, permit access by courts or government authorities.

Data retention

We retain personal information for as long as reasonably necessary to fulfill the purposes for which it was collected. We retain Wellness Data while your account is active and for a reasonable period afterward for backup, dispute-resolution, and analytics purposes; you may delete it through your account settings or by contacting us, and aggregated or de-identified information derived from Wellness Data may be retained indefinitely. Personal health information we handle as a custodian's agent is retained only as long as needed to support the custodian's care and in accordance with the custodian's instructions and applicable record-keeping rules (including the Medicine Act, 1991 and College of Physicians and Surgeons of Ontario requirements); retention of clinical records is ultimately the custodian's responsibility. Other retention periods are determined based on the following criteria:

  • the duration of our contractual relationship with you;
  • applicable legal and regulatory retention obligations (including tax, financial reporting, and employment record-keeping requirements);
  • applicable statutes of limitation for potential legal claims;
  • the operational necessity of the data for security, fraud prevention, and service continuity; and
  • whether the purpose for which the data was collected has been fulfilled or the data subject has requested deletion.

When personal information is no longer required under any applicable criterion, we will securely delete or irreversibly anonymize it. Anonymized data may be retained indefinitely for analytics purposes.

Your privacy rights

Rights under the GDPR (EEA, UK, and Switzerland)

These rights apply only to the extent the GDPR applies to our processing; we do not currently offer our Services in the EEA, UK, or Switzerland. If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR with respect to your personal data:

  • Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about the processing.
  • Right to rectification (Art. 16): You have the right to correct inaccurate personal data and to have incomplete data completed.
  • Right to erasure (Art. 17): You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
  • Right to restriction of processing (Art. 18): You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Right to object (Art. 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right not to be subject to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for a contract, authorized by law, or based on your explicit consent.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. For EU/EEA residents, our lead supervisory authority is your local data protection authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. For UK residents, complaints may be directed to the UK Information Commissioner's Office (ico.org.uk). For California residents, complaints regarding our privacy practices may be directed to the California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General. For Canadian residents, complaints may be directed to the Office of the Privacy Commissioner of Canada (priv.gc.ca).

How to exercise your rights

To exercise any of the rights described in this Section 7, please submit a request to:

Email: privacy@founderathlete.co

We will respond to your request within ninety (90) days (or one (1) month under the GDPR). If we need to extend this period, we will notify you of the extension and the reasons for the delay. We will verify your identity before processing your request. Requests are free of charge unless manifestly unfounded or excessive.

Additional information for California residents

This section provides additional disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), for residents of California. This section should be read in conjunction with our California Notice at Collection, available as a schedule attached to this Policy, which is incorporated into this Policy by reference.

Your CCPA rights

As a California resident, you have the following rights:

  • Right to know and access (§ 1798.100, 1798.110): You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of collection, the business or commercial purposes, and the categories of third parties with whom we share it.
  • Right to delete (§ 1798.105): You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
  • Right to correct (§ 1798.106): You have the right to request that we correct inaccurate personal information we maintain about you.
  • Right to opt-out of sale or sharing (§ 1798.120): You have the right to direct us not to sell or share (as those terms are defined under the CCPA) your personal information. We do not sell personal information. We do not engage in cross-context behavioral advertising.
  • Right to limit use of sensitive personal information (§ 1798.121): If we collect sensitive personal information for purposes beyond those authorized by the CCPA, you have the right to limit such use. We collect and use sensitive personal information (including health information) only to provide the coaching services you have requested and to secure your account, which are purposes authorized by the CCPA. We do not use it for purposes that would trigger the right to limit, but you may still contact us to discuss how your sensitive personal information is used.
  • Right to data portability (§ 1798.100(d)): You have the right to request that we transmit your personal information to another business in a structured, commonly used, machine-readable format, to the extent technically feasible. This right applies to personal information you provided to us and that we maintain in a digital format.
  • Right to non-discrimination (§ 1798.125): We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge you different prices, or provide a different level or quality of service because you exercised a privacy right.

How to exercise your rights

To exercise any of the rights described in this Section 8, please submit a request to:

Email: privacy@founderathlete.co

We will verify your identity by matching information you provide with information we have on file. You may designate an authorized agent to make a request on your behalf by providing written authorization or a power of attorney. We may require verification of both the agent's authority and your identity.

Global Privacy Control

We honor Global Privacy Control ("GPC") signals. If your browser or device transmits a GPC signal, we will treat it as a valid request to opt out of the sale or sharing of personal information for that browser or device, as required by § 1798.135(b)(1). GPC signals apply to the specific browser and device from which they are sent. For more information about GPC, visit https://globalprivacycontrol.org.

We do not respond to Do Not Track ("DNT") browser signals, as there is no industry-standard technology for recognizing or honoring DNT signals at this time.

Financial incentive programs

We do not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.

CCPA metrics

In accordance with CCPA regulations, we will publish annual metrics on the number of requests to know, delete, correct, and opt-out received, complied with (in whole or in part), and denied, along with median response times. These metrics are available in a schedule attached hereto.

Cookies and tracking technologies

We may use cookies, pixels, local storage, and similar technologies to operate and personalize the Services, analyze usage, and deliver targeted advertising. In jurisdictions requiring prior consent for non-essential cookies (e.g., the EEA under the ePrivacy Directive), we will obtain your consent before placing such cookies.

Security

We implement appropriate technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. If you would like to learn more, please contact us at Email: privacy@founderathlete.co.

No method of transmission over the Internet or method of electronic storage is completely secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security.

Data breach notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay, as required by GDPR Article 34, unless one of the exceptions in Article 34(3) applies.

For California residents, we will notify you of a breach of security involving your personal information as required by California Civil Code § 1798.29 and § 1798.82.

Children's privacy

The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16 without verification of parental consent, we will take steps to delete that information promptly.

In compliance with the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. §§ 6501-6506, and 16 C.F.R. Part 312, we do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us at privacy@founderathlete.co so we can promptly delete it.

We do not knowingly sell or share (as those terms are defined under the CCPA) the personal information of consumers under the age of 16. If we become aware that a user is under 16, we will not sell or share their personal information unless we have received affirmative authorization from the consumer (if aged 13–15) or verifiable parental consent (if under 13), as required by CCPA Section 1798.120(c).

Additional U.S. state privacy rights

To exercise your rights under any applicable state privacy law, please use the contact methods described in this Policy. If we deny your request, you may appeal our decision by contacting us at privacy@founderathlete.co with the subject line "Privacy Rights Appeal."

Appeal Rights: If we deny your privacy rights request, you have the right to appeal our decision. To appeal, contact us at privacy@founderathlete.co with the subject line "Privacy Rights Appeal." We will respond to your appeal within the timeframe required by applicable law (typically 60 to 90 days). If your appeal is denied, you may contact your state's attorney general to submit a complaint. Contact information for state attorneys general is available at https://www.naag.org/find-my-ag/.

Universal Opt-Out Mechanisms: We honor Global Privacy Control (GPC) signals as valid opt-out requests under all applicable state privacy laws that recognize universal opt-out mechanisms, including Colorado, Connecticut, Montana, Delaware, Oregon, New Hampshire, New Jersey, and Texas. If your browser or device transmits a GPC signal, we will treat it as a request to opt out of the sale, sharing, or targeted advertising uses of your personal data for that browser or device.

Profiling and Automated Decision-Making: Under applicable state laws (including Virginia, Colorado, Connecticut, and others), you may have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. To exercise this right, please use the contact methods described herein or enable a GPC signal on your browser.

Your privacy rights in Canada (PIPEDA)

Founder Athlete Inc. is based in Ontario, Canada and operates across Canada. We are not a health information custodian or trustee under any provincial health-privacy law. For the personal information and Wellness Data we collect in our own right, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) is our baseline framework; if you are in a province with its own substantially similar private-sector privacy law (for example Alberta's or British Columbia's Personal Information Protection Act), that law may apply to information we handle within that province and gives you comparable rights. Separately, where a regulated health custodian or trustee uses our Services to provide care to you, we act as that custodian's agent or information manager under the applicable provincial health-privacy law - see the section below for how we handle personal health information in that role.

Consent

We collect, use, and disclose the personal information and Wellness Data that we hold in our own right with your knowledgeable consent; because health-related information is sensitive, we obtain your express, opt-in consent before collecting it and explain why we need it. Consent for personal health information that a custodian collects through the Services in a clinical context is obtained and managed by the custodian, not by Founder Athlete. Where we send you marketing or promotional electronic messages, we do so in accordance with Canada's Anti-Spam Legislation (CASL), and you can unsubscribe or withdraw that consent at any time. You may also withdraw your consent to other processing at any time, subject to legal and contractual limits, by contacting us; withdrawing consent may mean we can no longer provide some or all of the Services.

Access and correction

You have the right to ask what personal information we hold about you, to receive a copy of it, and to request a correction if it is inaccurate or incomplete, as provided under PIPEDA. We will respond within the timelines required by law (generally within 30 days) and will tell you if we need an extension. If we cannot correct your information, we will record your disagreement in our files.

Openness and accountability

We follow the fair information principles in PIPEDA, including accountability, identifying purposes, limiting collection, use, disclosure, and retention, accuracy, safeguards, openness, and individual access. Our Privacy Officer is accountable for our compliance and for personal information in our custody, including information transferred to our service providers.

Breach of security safeguards

If your personal information is involved in a breach of our security safeguards that creates a real risk of significant harm to you, we will notify you and report to the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible, and we keep records of breaches as required by PIPEDA.

How to reach us or complain

You can contact our Privacy Officer, Mrinal Asthana (Chief Technology Officer), at privacy@founderathlete.co with any question, request, or complaint about your personal information. If you are not satisfied with our response, you have the right to complain to the Office of the Privacy Commissioner of Canada at 1-800-282-1376 or www.priv.gc.ca.

Our role under Canadian health-privacy laws (agent or information manager to health custodians)

Where a regulated health-care provider that is a custodian or trustee under a Canadian provincial health-privacy law - for example Ontario's Personal Health Information Protection Act, 2004 (PHIPA), New Brunswick's PHIPAA, Nova Scotia's or Newfoundland and Labrador's PHIA, Alberta's Health Information Act, Saskatchewan's HIPA, Manitoba's PHIA, or Prince Edward Island's Health Information Act - uses our Services to provide care to you, we act as that provider's agent, electronic service provider, or information manager, as those concepts are defined in the applicable statute (for example, under PHIPA sections 10(4) and 17 in Ontario). In that role we handle personal health information (PHI) - that is, information collected in a clinical context - only on the provider's behalf and on its instructions, and we keep it segregated from the Wellness Data and other personal information we collect in our own right. The provider, not Founder Athlete, remains the party responsible under the applicable health-privacy law for your PHI, including obtaining and managing your consent, responding to your access and correction requests, providing breach notification to you, and maintaining its own information practices and audit logs. Where care is provided to a minor or to a person who is incapable of consenting, consent may be given by a substitute decision-maker in accordance with the applicable health-privacy and health-care-consent laws.

Your rights under provincial health-privacy law

Under the applicable provincial health-privacy law, the rights below apply to your PHI held by the provider (your clinic or practitioner). Because we act only as the provider's agent or information manager, please direct these requests to the provider, and we will support the provider in responding: (a) Access - you may obtain a copy of your PHI (for example, PHIPA s. 52 in Ontario, with equivalent rights in other provinces); (b) Correction - you may request correction of inaccurate or incomplete PHI (for example, PHIPA s. 55 in Ontario, with equivalent rights elsewhere); (c) Consent - you may give, withhold, or withdraw consent to the collection, use, or disclosure of your PHI, subject to legal and contractual limits and to the consequences of withdrawal; (d) Complaint - you may complain to the provider, to our Privacy Officer, or directly to the privacy regulator for your province (for example, the Information and Privacy Commissioner of Ontario at www.ipc.on.ca); and (e) Limits - certain rights may be limited where the applicable law permits or requires (for example, where access could create a risk of serious harm). For Wellness Data and other personal information we collect in our own right - for example account, billing, coaching, and wearable data you use outside a clinical context - PIPEDA (and, in some provinces, a substantially similar private-sector law) applies and you can exercise your rights with us directly as described in the section above.

What we use PHI for

When we handle PHI as a custodian's agent, we use and disclose it only for the following limited purposes, on the custodian's behalf and on its instructions: (a) Service delivery - to operate the platform's features so the custodian can provide care to you, and so you and any care team you authorize can access your information; (b) De-identified analytics - to measure performance and improve the Services, but only after the PHI has been irreversibly de-identified; (c) Legal and compliance - to meet legal obligations, respond to lawful requests from regulators or courts, and detect or prevent fraud or security threats; and (d) On instruction - any other use that you or the custodian expressly direct. We do not sell PHI; we do not use PHI for marketing, fundraising, or advertising without your separate, express opt-in consent; and we do not use PHI to train general-purpose AI or machine-learning models except as described in the artificial-intelligence section above.

How we handle PHI as an agent

When acting as an agent or electronic service provider, we: (a) use and disclose PHI only as necessary to provide the Services to the custodian and as permitted by our written agreement and PHIPA; (b) do not use PHI for our own purposes, including advertising, marketing, or training general-purpose AI models; (c) apply safeguards including access controls, encryption in transit and at rest, and audit logging; and (d) keep, and make available to the custodian, electronic records of accesses to and transfers of PHI as required.

Breach notification

If PHI we handle for a custodian is lost or stolen, or is accessed, used, or disclosed without authority, we will notify the custodian at the first reasonable opportunity so that the custodian can meet its PHIPA notification duties to you and to the Information and Privacy Commissioner of Ontario (IPC).

Where PHI is processed

We store and process PHI in Canada by default. We do not transfer, disclose, or back up PHI outside Canada unless the relevant custodian authorizes it in writing, in which case any transfer occurs only under an agreement that limits the recipient to the authorized purpose and requires PHIPA-comparable safeguards, including encryption in transit and at rest, access controls, breach-notification duties, and audit rights. Wellness Data and other non-PHI may be processed outside Canada as described in the International data transfers section above.

Our safeguards and assessments as an electronic service provider

As an electronic service provider (and, where applicable, a health information network provider) under PHIPA and O. Reg. 329/04, we: (a) make available to custodians, and on request in plain language, a description of the Services we provide and the administrative, technical, and physical safeguards we use to protect PHI; (b) conduct privacy impact assessments and threat, vulnerability, and risk assessments of the Services and provide the results to custodians on request; (c) keep electronic records of accesses to and transfers of PHI and make them available to the relevant custodian to the extent reasonably practicable; (d) notify the custodian of any unauthorized access to, use, or disclosure of PHI at the first reasonable opportunity; and (e) comply with the directives and restrictions a custodian places on the handling of PHI. We do not use or disclose PHI except as necessary to provide the Services and as permitted by PHIPA and our agreement with the custodian.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Policy;
  • Provide notice via email to account holders and/or a prominent notice on our website at least 30 days before the changes take effect;
  • Where required by applicable law, obtain your consent before applying material changes to previously collected data.

We encourage you to review this Privacy Policy periodically.

Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Legal EntityFounder Athlete Inc.
Registered Address2482 Yonge Street #1302 Toronto, ON M4P 2H5 Canada
General Emailsupport@founderathlete.co
Privacy Emailprivacy@founderathlete.co
Phone+1 647-254-0828
Data Protection OfficerMrinal Asthana, Chief Technology Officer, mrinal@founderathlete.co
EU Representative (Art. 27)Not applicable - we do not offer services in the EU/EEA
UK RepresentativeNot applicable - we do not offer services in the UK

Schedule A

California Notice at Collection

Founder Athlete Inc. (the "Company", "we", "us", "our")

Last Updated: June 24, 2026

This Notice at Collection is provided to California residents pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), Cal. Civ. Code §§ 1798.100 et seq. This Notice supplements our Privacy Policy. Capitalized terms not defined herein have the meanings set forth in the Privacy Policy.

Categories of Personal Information collected

The following table describes the categories of personal information we collect, the purposes for which each category is used, whether it is sold or shared, and the applicable retention period. These categories correspond to the categories set forth in CCPA § 1798.140(v).

Category (CCPA) Commercial Purpose Sold or Shared? Retention Period Categories of Third Parties
A. Identifiers (Name, email, phone, IP address, etc.)Provide coaching service; create, manage, and authenticate user accountsNot sold or sharedDuration of your account, then deleted within 1 year*Cloud hosting & infrastructure providers; authentication providers
B. Personal information (Name, address, phone, financial info)Name, address, phone, and financial/billing information for product and coaching purchasesNot sold or shared7 years (to meet tax and financial record-keeping obligations)*Cloud hosting & infrastructure providers; payment processors / fintechs
C. Protected classifications (Age, gender)Age and gender collected at health intake as part of coaching assessmentNot sold or sharedDuration of engagement + 10 years*Cloud hosting; AI/ML service providers
D. Commercial information (Transaction history, subscription)Track enrollment, program status, and product historyNot sold or shared7 years*Cloud hosting & infrastructure providers
E. Biometric informationPersonal health history, physiological data, and wearable data (e.g., Oura/WHOOP/Fitbit)Not sold or sharedDuration of engagement + 10 years*Wearable integration providers
F. Internet or network activity (Browsing history, interaction with Services)Monitor platform engagement; server logs; securityNot sold or shared12 months*Cloud hosting & infrastructure providers
G. Geolocation dataCoarse/IP-derived only via hosting logs; no precise location trackingNot sold or sharedTied to server logs (12 months)*Cloud hosting & infrastructure providers
H. Sensory data (Audio recordings)Coaching-call recordings/transcripts used to generate user profiles and coaching outputs; calls are recorded and transcribed by a third-party toolNot sold or sharedTranscripts: duration of engagement + 10 years; raw audio deleted after transcription*Transcription / meeting-capture providers; AI/ML service providers
I. Professional or employment info (Job title, company name)User role, company name, and relevant company context collected at intakeNot sold or sharedDuration of engagement + 10 yearsCloud hosting; AI/ML service providers
J. Education informationN/AN/AN/AN/A
K. Inferences (User preferences, product interests)Gauge product interest and deliver tailored coaching recommendations from data you provideNot sold or sharedDuration of engagement + 10 years*AI/ML service providers; cloud hosting
L. Sensitive personal information (log-in credentials, email)Credentials for platform access, coaching-program engagement, and securityNot sold or sharedDuration of your account, then deleted within 1 year*Authentication providers; cloud hosting
M. Personal health informationPersonal health information shared by clinicians, wearable health data, and physical and mental health data (e.g., sleep, nutrition, neurodiversity, energy, focus, stress, exercise) used to deliver coaching servicesNot sold or sharedDuration of engagement + 10 years*AI/ML service providers; cloud hosting

Retention Criteria: The retention periods specified in the table above are determined based on the following criteria: (a) the duration of our contractual relationship with you; (b) legal and regulatory retention requirements (e.g., tax and financial reporting obligations, statute of limitations for legal claims); (c) the operational necessity of the data for the purposes for which it was collected; and (d) our legitimate business interests, including product improvement and security. When personal information is no longer required under any applicable criterion, it is securely deleted or irreversibly anonymized.

Sources of Personal Information

We collect personal information from the following categories of sources:

  • Directly from you: when you create an account, make a purchase, contact support, or otherwise provide information to us;
  • Automatically: through cookies, pixels, server logs, and similar technologies when you interact with our websites and Services;
  • From third parties: single sign-on providers, data enrichment providers, and publicly available sources;
  • From your employer or organization: when they set up an account on your behalf.

Your California privacy rights

You have the right to:

  • Know what personal information we collect, use, disclose, sell, and share about you;
  • Delete personal information we have collected from you;
  • Correct inaccurate personal information;
  • Opt out of the sale or sharing of your personal information;
  • Limit our use of sensitive personal information to purposes authorized by the CCPA;
  • Not be discriminated against for exercising your rights.

How to exercise your rights

To submit a verifiable consumer request: Email: privacy@founderathlete.co

Opt-out of sale or sharing

To opt out of sharing any of your personal information for cross-context behavioral advertising, contact us at privacy@founderathlete.co.

Authorized Agent

You may designate an authorized agent to submit a request on your behalf by providing the agent with written permission signed by you. We may require verification of both the agent's authority and your identity before processing the request.

Automated Decision-Making Technology (ADMT): We use automated decision-making technology as described in our Privacy Policy. To the extent our use of ADMT is subject to the CPPA's regulations on automated decision-making technology, you have the right to receive a pre-use notice, to access information about the logic involved in such decisions, and to opt out of ADMT-based decisions that produce legal or similarly significant effects. For details and to exercise your ADMT rights, see our Privacy Policy, or contact us using the methods listed above.