1. Who we are
Fundamento is operated by Fundamento, LLC (a Delaware limited liability company), together with its operating affiliate Inversiones Santa Lucía, S.A. (Costa Rica) (collectively, "we," "us"). This Privacy Policy explains what personal data we collect when you use www.getfundamento.com and the platform, how we use it, who we share it with, and your rights.
For users in the European Union and the United Kingdom, our designated Art. 27 GDPR representative is Prighter GmbH, Schönbrunner Straße 222-228/3/7.OG, 1120 Vienna, Austria. EU and UK residents may also raise data-protection requests with us directly at privacy@getfundamento.com. See §8 below for the full EU/UK section.
2. What we collect
- Account data: name, email, password hash, language preference, country code.
- Subscription data: tier, billing history (we do not store full card numbers — Stripe handles those).
- Usage data: pages viewed, calculator scenarios you save, library cards you read, alerts you configure.
- Accredited-investor verification data (Premier tier only): documents you upload to VerifyInvestor.com to substantiate accredited status. Documents are stored on VerifyInvestor's systems, not ours.
- Family Office engagement data: portfolio holdings, jurisdictional information, and decision questions you share for advisory purposes.
- Device data: IP address (truncated for analytics), browser type, OS, time zone.
3. How we use it
- To operate the service (auth, billing, scenario persistence, alerts).
- To improve the platform (anonymized usage analytics).
- To send transactional email (receipts, password resets, alert digests you opted into).
- To send service announcements (rare; you cannot opt out of these without canceling).
- To meet legal obligations (tax reporting, regulatory compliance for Premier tier).
4. Third-party processors
The following processors receive specific data to provide their portion of the service. Each is bound by a data-processing agreement.
- Supabase — primary database and authentication. Receives all account, subscription, scenario, and engagement data.
- Stripe — payment processing. Receives name, email, billing address, and card data (which never touches our servers).
- Resend — transactional email sending. Receives email address and message content for emails we send you.
- HubSpot — CRM for Family Office and Enterprise sales pipeline. Receives name, email, company, inquiry context for users who request an introductory call on those tiers.
- PostHog — product analytics. Receives anonymized usage events (page views, button clicks). No PII unless you explicitly identify yourself in a feature that opts in.
- Plausible — privacy-friendly web analytics. Receives aggregate pageview data, no cookies, no individual identification.
- Sentry — error tracking. Receives error stack traces and the URL where they occurred. Personal data is scrubbed before transmission.
- VerifyInvestor.com — accredited-investor verification (Premier tier only). Receives documents you upload to substantiate accredited status.
- Cloudflare — DNS, CDN, and DDoS protection. Sees request metadata for security purposes.
- Vercel — frontend hosting and deployment infrastructure. Serves the application to your browser.
- Google Workspace — email and calendar for the Fundamento team. Sees only inbound/outbound email you exchange with team addresses.
- DeepL Pro — translation API for the Spanish content pipeline. Does not see your personal data; only the source-language content we send for translation review.
5. Cookies and similar technologies
We use a minimal set: an authentication cookie to keep you logged in, a language-preference cookie, and analytics cookies that fire only after you accept consent via the cookie banner. We do not use third-party advertising cookies. See our Cookie Policy.
6. Cross-border data transfers
Some processors are in the United States; some may be in the European Union, the United Kingdom, or other jurisdictions. For transfers of personal data from the EEA, UK, or Switzerland to third countries that lack an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor), supplemented by transfer-impact assessments and technical/organizational measures (encryption in transit and at rest, principle-of-least-privilege access). See §8 (EU/UK) below.
7. Your rights — by jurisdiction
Depending on where you reside, you have rights to access, correct, delete, port, and object to processing of your personal data. Submit any data-rights request to privacy@getfundamento.com; we acknowledge receipt within 7 days and respond substantively within 30 days (or the maximum period allowed by your local law if shorter). The jurisdiction-specific sections that follow describe how those rights apply to you and what additional protections may exist under your local data-protection regime.
8. European Union / United Kingdom (GDPR / UK GDPR)
Legal bases (Art. 6 GDPR). We process your personal data on the following bases: (a) performance of a contract — to operate the Platform, deliver paid features, and bill for subscriptions; (b) legitimate interests — to improve the Platform, prevent fraud, and protect our network (we have balanced these interests against your rights); (c) consent — for non-essential cookies, marketing communications, and any future processing that requires it; (d) legal obligation — to comply with tax, accounting, anti-money-laundering, and Securities and Exchange Commission rules applicable to the Premier tier. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Your rights. Under the GDPR / UK GDPR you have the right to access (Art. 15), rectify (Art. 16), erase (Art. 17), restrict processing (Art. 18), data portability (Art. 20), object (Art. 21), and not be subject to solely automated decision-making with legal or similarly significant effects (Art. 22). The Platform does not use automated decision-making in that sense.
Cross-border transfers. Personal data is transferred from the EEA/UK to the United States and other countries to be processed by our hosting, analytics, and payment processors (see §4). We rely on the Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) for these transfers, together with supplementary safeguards. A copy of the SCCs in force is available on request to privacy@getfundamento.com.
Data Protection Impact Assessment. We have conducted a DPIA covering the accredited-investor verification flow and the Family Office engagement pipeline (the two highest-risk processing operations). A summary is available to supervisory authorities on request.
Representative in the Union (Art. 27 GDPR). Prighter GmbH acts as our designated Article 27 representative for users in the European Union. Contact: Schönbrunner Straße 222-228/3/7.OG, 1120 Vienna, Austria. EU users may direct queries either to us at privacy@getfundamento.com or to the representative.
Complaints. You have the right to lodge a complaint with your local supervisory authority. For the UK, that is the Information Commissioner's Office (ico.org.uk).
9. California (CCPA / CPRA)
This section supplements the rest of the Policy for California residents. It is provided pursuant to the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA").
Categories of personal information we collect, sources, business purposes, and recipients.
- Identifiers (name, email, account ID, IP address) — collected directly from you; used to operate the Platform; disclosed to Supabase, Stripe, Resend, HubSpot, Cloudflare, Vercel.
- Commercial information (subscription tier, billing history) — collected from you and Stripe; used for billing and revenue analytics; disclosed to Stripe, Supabase.
- Internet activity (page views, calculator interactions) — collected automatically; used for product analytics; disclosed to PostHog, Plausible.
- Geolocation (approximate) (country/region derived from IP) — collected automatically; used to comply with local law and currency display; disclosed to Cloudflare, PostHog.
- Professional / employment information — accredited-investor verification documents you choose to provide via VerifyInvestor.com (stored on VerifyInvestor's systems, not ours).
- Inferences (asset-class scoring inputs, tier-fit signals) — derived from your inputs; used for in-app recommendations only; not disclosed to third parties.
- Sensitive Personal Information ("SPI") — account credentials; financial-account information used for verification. We use SPI only for permissible purposes under CPRA § 7027(m) and do not use SPI to infer characteristics about you.
Sources. Directly from you; from VerifyInvestor (verification status); from analytics processors. Recipients. The processors enumerated in §4 above.
"Sale" and "sharing" of personal information. We do NOT sell or share your personal information as those terms are defined under CCPA/CPRA. We have not done so in the preceding 12 months. We have not knowingly sold or shared the personal information of any consumer under 16. A page reflecting this no-op posture is available at Do Not Sell or Share My Personal Information.
Financial incentive: none offered.
Your CCPA rights. You have the right: to know; to delete; to correct; to opt out of sale/share (none applicable); to limit use of SPI (we already limit); and to non-discrimination for exercising any of these rights.
How to submit a request. Email privacy@getfundamento.com with the subject line "CCPA Request" and tell us which right you wish to exercise.
Authorized agents. Accepted with written authorization signed by you and identity verification.
Retention. Account data for the life of the account plus 7 years for tax / securities recordkeeping; accredited-investor verification documents for 5 years per Rule 506(c) records best practice.
Right to appeal. If we deny a request, you may appeal by writing to privacy@getfundamento.com with the subject line "CCPA Appeal".
10. Brazil (LGPD)
This section supplements the rest of the Policy for data subjects in Brazil and is provided pursuant to Law No. 13,709/2018 ("Lei Geral de Proteção de Dados Pessoais" — LGPD).
Controller and Encarregado (DPO). The controller of your personal data is Fundamento, LLC; in Brazil, the operating affiliate is Inversiones Santa Lucía, S.A.. The designated encarregado pelo tratamento de dados pessoais (Data Protection Officer) is available at privacy@getfundamento.com (subject line: "LGPD — Encarregado"), unless the small-processor exemption under Resolution CD/ANPD No. 2/2022 applies. The DPO acts as the contact point for data subjects and the Autoridade Nacional de Proteção de Dados (ANPD).
Legal bases (Art. 7 LGPD). We process personal data on the bases of: (i) execution of a contract (Art. 7, V); (ii) compliance with a legal or regulatory obligation (Art. 7, II); (iii) legitimate interest of the controller (Art. 7, IX), balanced against your fundamental rights; and (iv) consent (Art. 7, I) for non-essential cookies and marketing communications, which you may withdraw at any time.
Your rights (Art. 18 LGPD). You have the right to: confirmation of processing; access; correction; anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully-processed data; data portability; deletion of data processed on the basis of consent; information about with whom your data is shared; information about the possibility of withholding consent; and revocation of consent. Submit requests to privacy@getfundamento.com.
International transfers (Art. 33 LGPD). Personal data is transferred to processors in the United States, the European Union, and other countries. We rely on specific contractual clauses (broadly aligned with the EU Standard Contractual Clauses) and on the necessity of the transfer for contract performance and our legitimate interests, as permitted under Art. 33.
Complaints. You have the right to lodge a complaint with the ANPD (gov.br/anpd).
11. Mexico (LFPDPPP / SABG) — Aviso de Privacidad integral
This section is provided pursuant to the Mexican Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares — LFPDPPP). Personal-data-protection functions were assumed by the Secretaría Anticorrupción y Buen Gobierno (SABG) in March 2025 following the legislative restructuring that dissolved INAI; references to "INAI" in older documents should be read as references to the SABG.
Identity and address of the responsible party. Fundamento, LLC, operating in Mexico through its affiliate Inversiones Santa Lucía, S.A. where applicable. Mailing address: Fundamento, LLC, c/o Corporation Service Company, 251 Little Falls Drive, Wilmington, DE 19808.
Personal data collected. As enumerated in §2 above (identification, contact, account, billing, usage, and — for Premier tier only — accredited-investor verification flag).
Primary purposes (essential). To operate the Platform, deliver paid features, bill for subscriptions, send transactional emails, comply with applicable law (including Mexican tax obligations where relevant), and conduct accredited-investor verification on the Premier tier.
Secondary purposes (non-essential). To send service announcements you may opt out of, to conduct anonymized product analytics, and to send marketing communications where you have consented. You may object to or limit the secondary purposes at any time by writing to privacy@getfundamento.com.
Transfers. We transfer personal data to processors (see §4) located in the United States, the European Union, and other countries, in each case bound by a data-processing agreement that includes equivalent protections. Transfers necessary to perform the contract and fulfill the responsible party's legal obligations do not require your separate consent under Art. 37 LFPDPPP; for any other transfer we will seek your express consent. Article 36 transfer clauses are incorporated by reference in our processor agreements.
ARCO rights. You have the right to Acceso, Rectificación, Cancelación, y Oposición (Access, Rectification, Cancellation, Objection) and to revoke consent for the processing of your personal data. Exercise these rights by emailing privacy@getfundamento.com with the subject line "Derechos ARCO" and including (a) your name and a contact channel; (b) documentation that proves your identity (or that of your representative); (c) a clear description of the personal data and the right you wish to exercise; and (d) any element that assists in locating the data. We respond within 20 business days and act within 15 business days of confirming a decision in your favor.
Personal data officer. The personal-data officer for Mexico is reachable at privacy@getfundamento.com.
SABG complaint pathway. Following the March 2025 dissolution of INAI, oversight responsibilities have been redistributed under the SABG framework. You may submit complaints through the federal channel designated by the SABG (currently administered by the Secretaría Anticorrupción y de Buen Gobierno); we will update this notice when a permanent successor agency is named.
Changes to this notice. See §17 below.
12. Costa Rica (Law 8968)
This section applies to data subjects in Costa Rica, including where our operating affiliate Inversiones Santa Lucía, S.A. acts as a controller or processor in connection with the Platform.
Database registration. Inversiones Santa Lucía, S.A. (the operating affiliate) does not currently maintain databases used for distribution, dissemination, or commercialization of personal data within the meaning of Law 8968 Article 21; if such use begins, the relevant databases will be registered with the Agencia de Protección de Datos de los Habitantes (PRODHAB).
ARCO+P rights. Access, Rectification, Cancellation, Objection, and Portability. Exercise them by writing to privacy@getfundamento.com.
Breach notification. Notifications to PRODHAB will be made within 5 business days of our awareness of a security incident materially affecting personal data of Costa Rican residents.
Cross-border transfers. Based on the data subject's express consent or other lawful basis under Law 8968 and its implementing regulations.
Complaints. You may submit complaints to PRODHAB (prodhab.go.cr).
13. International transfers (summary)
Where personal data crosses borders (e.g., from the EU/UK or Latin America to the United States), we rely on: (a) the European Commission's Standard Contractual Clauses, Module 2 (Controller-to-Processor), with supplementary transfer-impact assessments; (b) equivalent contractual safeguards under the LGPD, LFPDPPP, and Law 8968; and (c) technical and organizational measures including encryption in transit (TLS 1.2+), encryption at rest, and principle-of-least-privilege access controls.
14. Data retention
Account data is retained while your account is active. After cancellation, we retain billing records for 7 years (tax compliance), then delete. Scenario data is deleted 90 days after cancellation unless you request earlier deletion. Anonymized aggregate analytics may be retained indefinitely.
15. Security
We use industry-standard security: TLS in transit, encryption at rest, principle-of-least-privilege access, hardware-key-required admin login, regular dependency updates, and Sentry-monitored error tracking. No system is perfectly secure; we encourage you to use a unique strong password and enable two-factor authentication where available.
16. Children
Fundamento is not directed to children under 18. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us data, contact privacy@getfundamento.com for prompt deletion.
17. Changes
Material changes to this Policy will be notified by email or in-app banner at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent version.
18. Contact
Privacy questions, data-rights requests, or complaints: privacy@getfundamento.com. EU representative: Prighter GmbH, Schönbrunner Straße 222-228/3/7.OG, 1120 Vienna, Austria. LGPD Encarregado / Mexico personal-data officer / Costa Rica contact: same email, with the country named in the subject line.