Privacy Policy

GetFoundi is a service operated by Lyne Systems & Consultancy (LSC) ("LSC", "we", "us", "our"), the same legal entity that operates the PureAgentive platform.

Legal entity: Lyne Systems & Consultancy (LSC)

Registration number: BCE/KBO BE1011.024.466

Registered address: Groeneweg 17, 9320 Aalst, Belgium

Service: GetFoundi (getfoundi.com)

Privacy contact: privacy@getfoundi.com

GetFoundi is an AI-discoverability platform that helps businesses and professionals publish structured, machine-readable listings so AI assistants can find and describe them accurately. We also auto-create listings from public government and commercial data sources, and send targeted outreach to listing owners who have not yet claimed their profile.

This policy is governed by EU Regulation 2016/679 (GDPR) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data. We do not currently have a designated Data Protection Officer (DPO). All data protection queries are handled by our privacy team at privacy@getfoundi.com.

This policy applies to personal data processed when you:

• Visit or use getfoundi.com and any GetFoundi sub-domains
• Create an account and manage a business or professional listing
• Upload documents to your Enhanced listing
• Contact us by email or through our support channels
• Appear in a listing auto-created from a public registry or commercial directory (even if you have not yet visited our site)
• Receive a claim email or reminder from GetFoundi (cold outreach)

It does not cover third-party websites linked from our pages, or the practices of AI assistants that read your public listing data.

3.1 Data you provide directly

• Account data: email address used to sign up; optional display name; sign-in timestamps.
• Business listing data: business name, category, description, location or service area, opening hours, services, contact details, website URL, pricing information, and languages.
• Professional listing data (if you create a professional profile): name, professional title, practice area, licensing body or professional registration, location, contact details, and any other information you provide.
• Uploaded documents: PDFs, Word files, or plain-text files you upload to your Enhanced listing. These may contain business information you choose to make public (e.g. menus, policies) or keep private (internal use only).
• Communication data: content of emails or messages you send us.
• Consent records: timestamps and version numbers when you accept our terms and privacy policy, and your cookie preferences.

3.2 Data generated through your use of the service

• Usage data: pages visited, features used, actions taken in the dashboard (collected only with your consent for analytics purposes).
• Query signals: anonymised or pseudonymised logs of questions AI systems ask about your listing, including confidence scores, used to power your Visibility Score and discovery feed.
• Billing data: subscription status, invoice history, and payment references managed by our payment processor Stripe. We do not store full card numbers, CVVs, or raw bank details.
• Technical data: IP address, browser type, device type, and session identifiers collected via server logs and, where consented, cookies.
• Ask GetFoundi chat: If you use our public chat at `/chat`, we store conversation messages for signed-in users in `gf_chat_sessions` / `gf_chat_messages`. Guest chats use a functional cookie (`gf_chat_guest`) and may be merged into your account when you sign up. Chat queries about listings are logged for attribution analytics (`beacon_query_log`); readable query text is replaced with an anonymised hash within 24 hours via an automated job. Rate limiting uses a one-way hash of your IP address — we do not store raw IP addresses in chat rate-limit tables. Product analytics events store event names and counts only when you have consented to analytics cookies — not the full text of your messages. AI responses are generated by Anthropic; a Data Processing Agreement with Anthropic covers EU processing for chat.

3.3 Data collected from public registries and directories (CRM Pipeline — Art. 14 notice)

If you are a business owner or director who has not signed up to GetFoundi but whose business appears in our directory, this section applies to you.

GetFoundi's autonomous import pipeline ("Beacon") collects business and professional listing data from publicly available government registries and commercial directories. This data is used to create draft listings that can be claimed by their owners. We do this because we believe every business and professional should be discoverable by AI assistants — and because these sources are publicly available for this purpose.

Data collected via this pipeline may include:

• Business name, registered address, company status, company type, and registration number
• Director names, registered agent details
• Contact email addresses (where publicly listed or discovered via email-discovery heuristics from public sources)
• Phone numbers and website URLs
• Business category and description (where available from source)
• Locale and country of registration

Sources we use:

We only ingest data that is publicly available. We do not purchase private databases, use data brokers, or scrape private areas of websites.

Legal basis: Art. 6(1)(f) — Legitimate interests. See Section 5 (LIA Summaries) for the full three-part test.

Art. 14 obligation: When we create a draft listing from third-party sources, we are obliged under Art. 14 GDPR to provide you with certain information within one month of first collecting your data. We fulfil this obligation by sending our claim email, which is our Art. 14 notice. That email contains: our identity as data controller, the purpose and lawful basis for processing, the categories of data we hold, the sources we obtained data from, your retention period, your data subject rights (including the right to erasure and to object), and contact details for the Belgian DPA.

3.4 Professional listing data (individuals)

If you are an individual professional whose details appear in the GetFoundi directory, this section applies to you.

In addition to business listings, GetFoundi lists individual professionals (freelancers, consultants, practitioners, and licensed professionals) where their professional details are publicly available from licensing bodies, professional registries, or other public sources.

You are a data subject under GDPR. This means all your rights in Section 10 apply to you in full, including the right to erasure of your professional listing. To exercise any right, contact privacy@getfoundi.com.

Data held about individual professionals may include:

• Full name and professional title
• Practice area and specialisation
• Licensing body and professional registration number (where publicly listed)
• Contact details (email, phone, website) where publicly available
• Location / service area
• Professional category

We are aware that certain categories of professional (health practitioners, legal professionals, social workers, etc.) may engage Art. 9 (special category data) concerns where processing professional registration details could reveal sensitive personal attributes. We conduct a case-by-case review of special-category risk by jurisdiction and category, and apply additional data minimisation in those cases (e.g. not storing registration numbers where that is sufficient to infer a sensitive attribute).

Legal basis: Art. 6(1)(f) — Legitimate interests. You may object at any time under Art. 21 GDPR — see Section 10.6.

3.5 Cold outreach and suppression records

If your business or professional listing was auto-created from a public source and you have not yet claimed it, we will send you a sequence of outreach emails (claim email, reminder, final notice) inviting you to claim, review, or remove your listing.

Data held for outreach purposes:

• Email address used to send outreach (sourced from the public data described in Section 3.3)
• Outreach status: dates of claim email, reminder, and final notice sent
• Suppression status: whether you have opted out and the date of opt-out

If you click the unsubscribe link in any email, your email address is added to our suppression list (`gf_email_suppression`) and you will never receive outreach from GetFoundi again. We retain your email address on the suppression list indefinitely — this is necessary to honour your opt-out and prevent accidental re-addition.

3.6 Data about third parties in uploaded documents

If your business listing includes information about individual staff members or other third parties (e.g. named practitioners, booking contacts), you are responsible for ensuring that sharing is lawful and that those individuals have been made aware of this policy.

The table below sets out each processing purpose, the personal data involved, and the legal basis under Article 6 of the GDPR.

4.1 Legitimate interests — general

Where we rely on legitimate interests (Art. 6(1)(f)), we have assessed that our interests do not override your fundamental rights and freedoms. You may object to any legitimate-interests processing at any time — see Section 10.6. For the new processing activities introduced in this version, see Section 5 (LIA Summaries).

4.2 Withdrawing consent

Where we rely on consent (Art. 6(1)(a)), you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. To withdraw analytics consent, visit your cookie settings. To withdraw marketing consent, use the unsubscribe link in any marketing email or contact privacy@getfoundi.com.

For the three new processing activities introduced by the features added since May 2026, we have conducted Legitimate Interests Assessments. A full LIA summary page is available at /legal/legitimate-interests.

5.1 Auto-created listings from public registries

Purpose test: Making businesses discoverable by AI assistants using publicly available registration data is a legitimate commercial purpose aligned with public interest in business transparency.

Necessity test: We cannot deliver the service without ingesting public registry data; there is no less intrusive way to build a comprehensive, accurate directory.

Balancing test: The data is already public and the purpose (discoverability) is consistent with the purpose for which registries publish it. Individuals and businesses retain control via the claim-or-remove mechanism. We apply data minimisation (only fields necessary for the listing), notify subjects within 1 month (Art. 14 via claim email), and honour erasure requests promptly.

Conclusion: Legitimate interests balance is satisfied.

5.2 Professional listings (individuals)

Purpose test: Professionals in public-facing roles have a reasonable expectation of discoverability. Our purpose — enabling AI assistants to find relevant professionals — is legitimate and proportionate.

Necessity test: The listing data we hold is limited to what is publicly available from professional registries and directories. We do not add private information.

Balancing test: We apply heightened data minimisation for regulated professions where registration numbers could reveal sensitive attributes (Art. 9 risk). Individuals can request erasure at any time, which removes their listing from the directory and all AI-readable endpoints within 24 hours.

Conclusion: Legitimate interests balance is satisfied, subject to ongoing Art. 9 risk monitoring by professional category.

5.3 Cold outreach to unclaimed listing owners

Purpose test: Contacting businesses and professionals to inform them that a listing has been created and give them the opportunity to claim, correct, or remove it is in their legitimate interest as well as ours.

Necessity test: Email is the only practical channel for reaching unclaimed listing owners without physical address or in-person contact. We send a maximum of three emails (claim, reminder, final notice) before marking the listing as lapsed.

Balancing test: The outreach is directly related to the subject's business or professional activity. The first email is our Art. 14 notification, which GDPR itself requires us to send. Every email contains a one-click unsubscribe link. Opt-out is honoured permanently. We do not send cold outreach to private individuals unconnected to a business or professional listing.

Conclusion: Legitimate interests balance is satisfied. This processing is also justified as necessary to fulfil our Art. 14 notification obligation.

This section explains how we fulfil our Art. 14 GDPR obligation — the obligation to inform data subjects when their personal data has been obtained from a third party rather than directly from them.

Who this applies to: Businesses and individuals whose data was sourced from the registries and directories listed in Section 3.3, and who have not yet created a GetFoundi account.

What we provide: Our claim email (the first email you receive from GetFoundi) serves as our Art. 14 notification. It contains:

• Our identity and contact details as data controller (Lyne Systems & Consultancy (LSC), privacy@getfoundi.com)
• The purpose and legal basis for processing (AI discoverability; legitimate interests Art. 6(1)(f))
• The categories of data we hold (see Section 3.3)
• The source we obtained data from (the relevant registry or directory)
• Your retention period (Section 9)
• Your full GDPR rights (Sections 10.1–10.9), including the right to erasure and to object
• The Belgian DPA contact (Section 15)
• A direct link to claim or remove your listing

When you receive it: Within one month of Beacon first collecting your data. In practice, claim emails are sent within 48–72 hours of the listing draft being created.

If we cannot reach you: Where we do not have a valid email address for the listing owner, we cannot send an Art. 14 notification by email. In those cases, the listing remains as a draft and is not published. If a listing owner makes contact (e.g. by using our chat), we provide Art. 14 information at that first point of contact.

Why you may receive an email from GetFoundi even if you did not sign up:

If your business or professional listing appears in a public registry or directory included in our sources (Section 3.3), Beacon may have created a draft listing for you. We send an email to let you know — not as a sales pitch, but as the Art. 14 notice we are legally required to provide, combined with a practical invitation to review what we have built.

Legal basis: Legitimate interests — Art. 6(1)(f). We have conducted a Legitimate Interests Assessment (Section 5.3).

How to opt out: Every email we send contains a one-click unsubscribe link at the bottom. Clicking it immediately adds your email address to our permanent suppression list. You will never receive another email from GetFoundi at that address.

What happens after opt-out:

• Your email address is added to `gf_email_suppression` and never re-added to outreach queues
• Your listing draft is marked with your opt-out preference
• You may still claim your listing later by visiting getfoundi.com — opting out of email does not delete your draft listing

You can also opt out by email: Send a request to privacy@getfoundi.com and we will suppress your address within 24 hours.

Belgian ePrivacy rules: Under the Belgian Act of 13 June 2005 implementing the ePrivacy Directive, B2B electronic marketing is permissible on a legitimate interests basis where the communication relates directly to the recipient's professional activity. Our outreach is addressed to business owners and professionals in connection with their business/professional listing — this meets the B2B exception. We do not send cold outreach to consumer email addresses.

This section applies specifically to Enhanced-tier listings and is important to read if you upload documents.

8.1 Public partition

Documents you mark as public are processed as follows: the text content is extracted, divided into segments, and indexed in our knowledge service so that AI assistants querying your listing can retrieve and quote relevant passages. This constitutes the core Enhanced service.

Legal basis: Contract — Art. 6(1)(b). You initiate and confirm each public upload via an explicit consent step in the dashboard.

8.2 Private partition

Documents you mark as private are stored in our object storage for your records only. They are never indexed, never quoted in AI answers, and never transmitted to external systems. Beacon does not read private files.

8.3 Your responsibility for third-party data in uploads

If a document you upload contains personal data about individuals (customer names, staff details, medical records, etc.) you are acting as a data controller for that data. You must have a lawful basis for including it and should not make such documents public unless those individuals have consented or you have another valid ground under GDPR.

8.4 Suggested answers (Beacon drafts)

When AI systems ask questions your listing cannot fully answer, Beacon may draft a suggested question-and-answer pair using only data you have already provided (structured fields and public documents). Drafts are never published without your explicit approval. Approved drafts are indexed in the same way as public documents.

GetFoundi operates Beacon, an autonomous AI agent that:

1. Imports and normalises listing data from public registries and directories (CRM pipeline — see Section 3.3)

2. Sends outreach emails to unclaimed listing owners via Amazon SES (claim pipeline — see Section 7)

3. Generates suggested Q&A drafts for claimed listings (drafts pending owner approval)

4. Computes Visibility Scores and discovery analytics

5. Anonymises chat query logs on a daily cron schedule

Does Beacon make decisions with legal or significant effects? No. Beacon does not make decisions that determine your access to credit, employment, services, or other significant outcomes. Visibility Scores and draft suggestions are operational tools for the service you signed up for (or are being invited to join). No listing is published without either the owner's explicit approval (claimed listings) or the expiry of the unclaim window (at which point the draft expires, not publishes).

Right to human review: If you believe any Beacon action has had an unjustified effect on you or your listing, you may request human review at privacy@getfoundi.com. We will review the action and respond within one calendar month.

We use cookies and similar technologies as described in our Cookie Policy. In summary:

• Essential cookies: required to operate the service (authentication, security). No consent required.
• Analytics cookies: optional cookies that help us understand how the platform is used. Only set with your consent.
• Marketing cookies: not currently used by GetFoundi directly.
• Email tracking pixels: not used. Our claim and transactional emails do not contain tracking pixels.

You can manage your cookie preferences at any time via the cookie settings link in the footer.

11.1 Your public listing data

Your public listing — structured fields, AI-readable summary, structured data, and public document knowledge — is accessible to any AI client or service connected to the GetFoundi registry. This is the primary purpose of the service. You control what is public at all times from your dashboard.

11.2 Subprocessors

We use the following subprocessors to operate GetFoundi. Each is subject to a data processing agreement and, where applicable, Standard Contractual Clauses under European Commission Decision 2021/914.

We do not sell your personal data to third parties. We do not share personal data with advertisers. You may request a copy of the applicable SCCs by contacting privacy@getfoundi.com.

11.3 The PureAgentive platform

GetFoundi is built on the PureAgentive platform, also operated by LSC. LSC processes data across both services under a unified data protection framework. No additional sharing of your GetFoundi personal data with third parties occurs through this relationship.

11.4 Legal disclosures

We may disclose personal data where required by Belgian or EU law, a valid court order, or to protect the rights, property, or safety of LSC, our users, or the public.

11.5 Business transfers

If LSC or GetFoundi is acquired, merged, or restructured, personal data may transfer as part of that transaction. We will provide notice and, where required, seek consent before any such transfer affects how your data is used.

LSC is based in Belgium and primarily operates within the European Economic Area (EEA). Certain subprocessors (listed in Section 11.2) are based in the United States. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914. Amazon SES may process outreach email metadata through US-based infrastructure; SCCs are in place.

You may request a copy of the applicable SCCs by contacting privacy@getfoundi.com.

When your account is deleted, we initiate deletion of all personal data subject to the exceptions above (e.g. billing records retained for tax law compliance). Deletion of public document corpus content also removes indexed knowledge from our services within 24 hours.

Under the GDPR and the Belgian Act of 30 July 2018 you have the following rights. We will respond within one calendar month. In complex cases we may extend by a further two months; we will inform you of any extension within the first month.

To exercise any right, email privacy@getfoundi.com. These rights apply whether or not you have a GetFoundi account — if your business or professional details appear in an auto-created listing you have never claimed, you still have all rights below.

14.1 Right of access (Art. 15)

You may request a copy of all personal data we hold about you. Account holders: use the "Export my data" option in Account → Data & privacy. Non-account holders (unclaimed listing owners): email privacy@getfoundi.com.

14.2 Right to rectification (Art. 16)

You may correct inaccurate personal data directly in your account settings at any time. For data in unclaimed listings, contact privacy@getfoundi.com and we will correct or remove the inaccurate data within 5 business days.

14.3 Right to erasure ("right to be forgotten") (Art. 17)

• Account holders: delete your account and listing at any time from Account settings.
• Unclaimed listing owners (businesses): email privacy@getfoundi.com or click "Remove my listing" in the claim email. Your listing draft will be deleted from the directory and all AI-readable endpoints within 24 hours.
• Individual professionals: email privacy@getfoundi.com. Your professional listing will be removed from the directory and all AI-readable endpoints within 24 hours.

Deletion is subject to legal retention obligations (e.g. billing records under Belgian accounting law). Your email address will be moved to the suppression list so we do not re-import or re-contact you.

14.4 Right to restriction of processing (Art. 18)

You may request that we restrict processing of your data (for example, while you contest accuracy or have objected to processing) by contacting privacy@getfoundi.com.

14.5 Right to data portability (Art. 20)

You may export your listing data and account information in machine-readable format from Account → Data & privacy. This applies to data you provided directly and which we process by automated means under contract or consent.

14.6 Right to object (Art. 21)

You may object at any time to processing based on legitimate interests. For direct marketing (cold outreach), you have an absolute right to object under Art. 21(2) — we will cease outreach immediately and permanently on receipt of your objection. For other legitimate-interests processing, we will cease unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

14.7 Rights related to automated decision-making (Art. 22)

We use automated systems (Beacon) to source, maintain, and enrich listing data and compute Visibility Scores. These do not produce legal or similarly significant effects on you — they are operational tools for the service. If you believe a Beacon action has unjustifiably affected you, you may request human review at privacy@getfoundi.com.

14.8 Right to withdraw consent

Where processing is based on consent, you may withdraw at any time (see Section 4.2). Withdrawal does not affect prior lawful processing.

14.9 Right to lodge a complaint

If you believe we have processed your personal data in violation of the GDPR, you have the right to lodge a complaint with the Belgian supervisory authority:

Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA)

Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels, Belgium

+32 2 274 48 00

www.autoriteprotectiondonnees.be

You may also lodge a complaint with the supervisory authority of your habitual residence or place of work within the EU. We nonetheless encourage you to contact us first at privacy@getfoundi.com so we can try to resolve any concern directly.

In the event of a personal data breach, we will:

• Notify the APD/GBA within 72 hours of becoming aware of the breach (Art. 33 GDPR)
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR)
• Maintain an internal record of all breaches (Art. 33(5) GDPR)

We apply appropriate technical and organisational measures to protect personal data against accidental loss, unauthorised access, alteration, or disclosure. These include:

• Encryption in transit (TLS) and at rest for stored data
• Partition-level access controls: private documents are isolated from all query and retrieval paths
• Role-based access controls limiting staff access to personal data
• Regular security review of our infrastructure and subprocessors
• Incident response procedures aligned with Art. 33–34 GDPR notification obligations
• Automated anonymisation cron jobs for time-limited data categories

No system is completely secure. If you believe a security incident has affected your data, please notify us immediately at privacy@getfoundi.com.

GetFoundi is not directed at children under the age of 16. We set this threshold above the Belgian statutory minimum of 13 (GDPR Art. 8) to ensure additional protection. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact privacy@getfoundi.com and we will delete it promptly.

We will post any material changes to this page and update the version date at the top. For material changes we will notify you by email and ask you to acknowledge the update at your next sign-in before continuing to use the service.

"Material" changes include: processing your data for a new purpose not described here; sharing data with a new category of third party; a change in the legal entity acting as data controller.

For any privacy-related query, request, or complaint:

Email: privacy@getfoundi.com

Response time: We aim to acknowledge requests within 2 business days and resolve within one calendar month.

Data controller (legal entity):

Lyne Systems & Consultancy (LSC)

Groeneweg 17, 9320 Aalst, Belgium

BCE/KBO: BE1011.024.466

For legal notices: legal@getfoundi.com

Supervisory authority:

Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA)

Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels, Belgium

www.autoriteprotectiondonnees.be