01Legal

Privacy policy for a high-trust grants network.

Fundroid exists to make capital flows more transparent, structured, and trustworthy. That only works if the information moving through the platform is handled with discipline across public discovery, private workspaces, proposal review, and grant execution.

Privacy policyTerms of service
Section 01

What this policy covers

Fundroid is the operating system for the global grants ecosystem: a marketplace and workflow product where donors, foundations, organisations, reviewers, and partners discover one another, collaborate on funding opportunities, and manage grants from origination through reporting and closure.

This policy explains how we handle information across public discovery surfaces, workspace-internal tools, cross-workspace grant collaboration, and trust-and-safety processes. It applies to visitors, account holders, workspace members, invited reviewers, and organisations represented on the platform.

Section 02

Information we collect

We collect information you provide directly, including account details, workspace and profile details, showcase content, proposals, reports, uploaded documents, and communications sent through Fundroid workflows.

We also collect operational data such as sign-in events, browser and device information, IP-based security signals, workspace actions, and usage logs needed to maintain performance, enforce permissions, and produce defensible audit trails in donor procurement contexts.

  • Account and identity data: name, email address, authentication method, workspace role, and invitation history.
  • Workspace and profile data: legal entity details, claimed domains, verification materials, team profiles, geography and theme tags, media, blogs, and downloadable artefacts.
  • Transactional data: RFPs, open proposals, submissions, reviews, grant workspaces, reports, indicators, deliverables, disbursement schedules, and attached evidence files.
  • Trust and compliance data: verification state, fraud reports, sanction-screening outcomes, audit entries, and security event logs.
Section 03

How we use information

We use information to operate the service you asked for: creating and securing accounts, displaying public profiles and RFPs, supporting search and matching, powering proposal and grant workflows, and maintaining billing, administration, and customer support.

We also use information to protect the integrity of the marketplace. That includes verification checks, abuse prevention, procurement audit trails, suspicious-activity detection, and security monitoring designed to keep high-trust funding workflows defensible and reliable.

  • To provide search, semantic matching, recommendations, and explainable ranking outputs.
  • To support collaboration across donors, organisations, reviewers, affiliate workspaces, and consortium partners.
  • To verify entities, evaluate fraud signals, and enforce seat limits, role permissions, and workspace access controls.
  • To send service communications such as sign-in links, deadline reminders, report notifications, and policy updates.
Section 04

Public, shared, and sensitive data categories

The PRD distinguishes among public, workspace-internal, cross-workspace shared, and sensitive information. That separation shapes how Fundroid stores, displays, and protects data throughout the platform.

Verified public profiles, published RFPs, and public showcase content may be visible on public discovery surfaces. Drafts, deliberation notes, and unverified profiles stay internal to the relevant workspace unless explicitly shared. Submitted proposals and grant workspaces may be shared with counterparties involved in the funding relationship.

  • Public: verified organisation and donor profiles, published RFPs, public showcase content, and public dissemination outputs.
  • Workspace-internal: drafts, internal comments, reviewer deliberations, billing information, and unverified workspace records.
  • Cross-workspace shared: submitted proposals, awarded grant workspaces, reports, and collaboration threads necessary to execute a grant.
  • Sensitive: KYC documents, financial statements, and identifiable beneficiary data. These are strictly access-controlled and are never exposed for model training.
Section 05

AI, search, and matching

Fundroid uses structured and semantic systems to improve discovery and matching between opportunities and implementers. Only information necessary to generate relevant results is indexed for those purposes. Sensitive files and high-risk documents are excluded from training and exposure pathways.

Matching outputs are designed to be explainable. Donors and organisations should understand why a match appears, which reduces opaque decision-making and supports procurement defensibility rather than replacing human judgment.

  • We minimise the personally identifiable information included in indexing pipelines.
  • Sensitive data is not used to train foundation models or shared with third-party model providers for generalized reuse.
  • Users remain responsible for reviewing AI-assisted drafts, summaries, and match explanations before acting on them.
Section 06

When we share information

We share information when that is necessary to provide the platform, carry out the workflow you initiated, comply with law, or protect the platform and its users. We do not sell personal information or operate pay-to-rank disclosure models that would undermine platform trust.

Where vendors or subprocessors help us host, secure, monitor, or deliver the service, they receive only the access required for those functions and are bound by confidentiality and security obligations.

  • With counterparties you choose to work with, such as donors reviewing a submission or grant partners collaborating inside a shared workspace.
  • With infrastructure, storage, analytics, authentication, and support providers acting on our instructions.
  • With regulators, courts, or enforcement bodies where disclosure is legally required or necessary to prevent fraud, abuse, or imminent harm.
Section 07

Retention, security, and your rights

Fundroid is designed to be GDPR-ready. We support access, correction, export, and deletion requests, subject to lawful retention obligations and the recordkeeping needs of active or recently closed grant workflows.

Security commitments in the PRD include TLS 1.3 in transit, encryption at rest, managed secret storage, annual penetration testing, and an incident response process with a 24-hour breach notification commitment. We retain information only as long as needed for product operations, contractual obligations, dispute resolution, and procurement auditability.

  • Individual users may request access, correction, deletion, or export of personal information associated with their account.
  • Organisation-level records may be retained longer where tied to active grants, procurement history, audit obligations, or anti-fraud reviews.
  • You may manage optional marketing communications separately from essential service notifications.