What we collect and why.

Last updated: 3 June 2026.

Who we are

Foundation Machines is a UK-based sole trader operated by Lewis Wigmore. We act as the data controller for personal data processed through foundationmachines.ai and our related products. We will update this section if our legal form changes.

What we collect

• ·Account information: email address and, if you sign in with GitHub SSO, your GitHub username and numeric GitHub account id (the latter persists for rate-limit accounting so reconnecting the service does not reset your monthly counter). If you connect GitLab, we also process your GitLab group and project identifiers required for tenant linking.
• ·API request metadata: timestamp, model identifier, token counts and source IP address.
• ·Billing information: handled by Stripe. We receive the last four digits of your card and the billing country only.
• ·Basic product analytics where you have opted in.

Source-host integration data

When you connect Sebastion to a source host (GitHub and GitLab SaaS), we process pull and merge request diffs in memory only and do not write source code to persistent storage. We retain source-host connection identifiers (for example GitHub installation IDs or GitLab group linkage metadata), repository/project access metadata, and per-month audit counters for billing and abuse protection. Findings posted back as inline review comments remain in your source host and are owned by you.

What we do not collect

We do not store API request bodies or response bodies. Source code passed to the audit endpoint is processed inside ephemeral sandboxes and discarded once the audit run completes. We do not train models on your data.

Why we collect it

• ·To operate the service and authenticate requests.
• ·To bill correctly for usage above plan.
• ·To prevent abuse and investigate security incidents.

Sub-processors

• ·GitHub and GitLab: source-host integrations, repository/project metadata and OAuth flows where applicable.
• ·Cloudflare: CDN, Workers and R2 object storage.
• ·Vercel: hosting for the marketing site and dashboard.
• ·Stripe: payment processing and billing.
• ·PostHog: product analytics, hosted on EU infrastructure.
• ·OpenRouter: LLM gateway. All audit and chat completions are routed through OpenRouter to upstream model providers (Anthropic, OpenAI, Google and others). Both the OpenRouter relay and the upstream provider handle the request payload during inference; no-train flags are set on every request that supports them.

Data retention

Request metadata is retained for 90 days for billing reconciliation and abuse investigation. Account data is deleted 30 days after closure unless we are required to retain it for legal or tax purposes.

Your rights

Under UK GDPR you have the right to access, correct, delete or export your personal data and to object to certain kinds of processing. Submit a request via /contact and we will respond within one calendar month.

International transfers

Some of our sub-processors are located in the United States. Where personal data is transferred outside the UK or EEA we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses.

Cookies

We use a minimal set of cookies. A session cookie is set if you are signed in. Analytics cookies are set only if you opt in. We do not use third-party advertising cookies.

Changes

If we make material changes to this policy we will email account holders before the changes take effect. Minor edits will be reflected by updating the date at the top of this page.