Skip to content
FoundationMachines
Sign in
Privacy

What we collect and why.

Plain English. Written to be skimmed by the person in your team who has to sign things off.

Last updated: 7 May 2026.

Who we are

Foundation Machines Ltd (placeholder company details. Registered in England and Wales.) is the data controller for personal data processed through foundationmachines.ai and our related products.

What we collect

  • Account information: email address and, if you sign in with GitHub SSO, your GitHub username.
  • API request metadata for the /v1/audit and /v1/chat/completions surfaces: timestamp, model identifier, token counts and source IP address.
  • Billing information: handled by Stripe. We receive the last four digits of your card and the billing country only.
  • Basic product analytics where you have opted in.

GitHub App data

When you install the Sebastion AI GitHub App we process the contents of pull request files in memory only, they are never written to persistent storage. We retain your installation ID, the repositories you have granted access to and a per-month audit count for billing purposes. Findings we open as GitHub issues remain in your repository and are owned by you.

What we do not collect

We do not store API request bodies or response bodies. Source code passed to the audit endpoint is processed inside ephemeral sandboxes and discarded once the audit run completes. We do not train models on your data.

Why we collect it

  • To operate the service and authenticate requests.
  • To bill correctly for usage above plan.
  • To prevent abuse and investigate security incidents.

Sub-processors

  • Cloudflare: CDN, Workers and R2 object storage.
  • Vercel: hosting for the marketing site and dashboard.
  • Stripe: payment processing and billing.
  • OpenRouter: LLM gateway. All audit and chat completions are routed through OpenRouter to upstream model providers (Anthropic, OpenAI, Google and others). Both the OpenRouter relay and the upstream provider handle the request payload during inference; no-train flags are set on every request that supports them.

Data retention

Request metadata is retained for 90 days for billing reconciliation and abuse investigation. Account data is deleted 30 days after closure unless we are required to retain it for legal or tax purposes.

Your rights

Under UK GDPR you have the right to access, correct, delete or export your personal data and to object to certain kinds of processing. Submit a request via /contact and we will respond within one calendar month.

International transfers

Some of our sub-processors are located in the United States. Where personal data is transferred outside the UK or EEA we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses.

Cookies

We use a minimal set of cookies. A session cookie is set if you are signed in. Analytics cookies are set only if you opt in. We do not use third-party advertising cookies.

Changes

If we make material changes to this policy we will email account holders before the changes take effect. Minor edits will be reflected by updating the date at the top of this page.