Privacy Policy
This Privacy Policy describes how FOATT, Inc. (“FOATT,” “we,” “our,” or “us”) collects, uses, and shares information about you when you use FOATT Planning and the related websites and services (collectively, the “Services”).
This is a plain-language summary of what we do with your information. If anything is unclear, contact us at privacy@foatt.com.
1. Information we collect
1.1 Information you give us directly
- Account information. Your name, email address, and a password (which we store only as a one-way salted hash; we never store your plaintext password).
- Workspace data. Company names, organization structure, fiscal calendar, chart of accounts, dimensions, drivers, plans, formulas, comments, and any other content you create inside FOATT.
- Communications. Anything you send to us in support requests, surveys, or feedback.
1.2 Information we collect when you connect a third-party system
You may connect FOATT to third-party systems to import data. When you do, we receive only the data you authorize. The categories of data we receive include:
- Banking data — account names, balances, and transactions for accounts you explicitly connect, retrieved through our banking-integration sub-processor. Your bank credentials are handled by that sub-processor; we never see them.
- Accounting data — chart of accounts, general ledger transactions, classes/departments/locations/projects, and customer/vendor records, retrieved through OAuth or token-based authentication you authorize.
- Files you upload — whatever you choose to upload (typically GL exports, COA, or contact lists).
The specific providers we use to deliver each integration are listed on our Sub-processors page.
Customer and vendor records imported from your accounting system may include personal information about third parties (e.g., names, billing addresses, email addresses of your vendors and customers). You are the controller of that data; we process it on your behalf.
1.3 Information collected automatically
- Session and authentication cookies. Required for sign-in to work; not used for cross-site tracking.
- Server logs. Standard request metadata (IP address, user agent, requested URL, timestamp) retained for security, debugging, and abuse prevention.
- Internal usage events. When you take certain actions inside the app (e.g., editing a plan cell, syncing a connection), we record an event to power the in-app history and audit trail.
What we don't do. We do not run third-party analytics, ad-tech, or session-replay scripts. We do not sell your information to anyone. We do not use Customer Data to train our own AI models, and we contract with any AI providers we use so that they do not use Customer Data to train theirs.
AI-assisted features. Some features in the Services are AI-assisted. When you use one, the relevant inputs and the context needed to produce useful output are sent to an AI provider listed on our Sub-processors page, solely to generate the requested output, on the no-training basis described above. You can also choose to connect your own API key for a supported AI provider, in which case the relevant calls are made under your own contract with that provider.
1.4 Payment information
Subscription billing is processed by our payment sub-processor. Card numbers and bank account numbers are entered directly into the payment sub-processor and are not visible to or stored by FOATT. We retain only the sub-processor's identifiers (customer ID, subscription ID), the plan you're on, and billing-status events. See our Sub-processors page for the current payment provider.
2. How we use information
- To provide, secure, and improve the Services.
- To authenticate you and keep your account safe.
- To process subscription billing and prevent fraud.
- To respond to support requests.
- To send service-related email (account confirmations, password resets, billing notices, security alerts).
- To meet legal obligations (e.g., tax records, lawful requests from regulators).
3. How we share information
We share information only as needed to operate the Services:
- Sub-processors. We use a small number of trusted third-party providers to operate the Services, including (without limitation) cloud infrastructure, payment processing, transactional email, banking and accounting integrations, and AI providers used to power AI-assisted features. The current list of named sub-processors is maintained on our Sub-processors page. We provide reasonable advance notice before adding a new sub-processor that processes Customer Data; email privacy@foatt.com to subscribe to notifications.
- Within your workspace. If you invite teammates to a company or organization, the data inside that workspace is visible to them according to the role and permissions you grant.
- Legal compliance. If we receive a valid legal request, we may disclose information to comply with applicable law. We will push back on overbroad requests where reasonable.
- Business transfers. If FOATT is involved in a merger, acquisition, or sale of assets, your information may be part of that transaction. We will notify you and any successor will be bound by terms at least as protective as these.
4. Security
We take reasonable technical and organizational measures to protect your information. In particular:
- Passwords are stored only as one-way salted hashes using an industry-standard password-hashing algorithm; we cannot recover or view your plaintext password from what we store.
- All traffic between you and FOATT is served over HTTPS (TLS).
- Application data is hosted on a managed cloud database service in the United States that provides encryption at rest by default.
- Access to production systems is restricted to a small number of authorized personnel.
- Authentication credentials for connected third-party services (such as accounting and banking integrations) are stored on the encrypted infrastructure described above, with access restricted to authorized personnel. We request read-only OAuth scopes wherever the third-party API supports them.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at security@foatt.com.
5. Data retention
- Active accounts. We retain your information for as long as your account is active.
- Cancelled accounts. When you cancel, we retain your data for 90 days in case you reactivate, then delete or anonymize it. You may request earlier deletion by emailing us.
- Backups. Routine database backups may persist for up to 30 days after deletion before being overwritten.
- Billing and tax records. Some financial records are retained for as long as required by law.
6. Your choices and rights
You can:
- Access and edit most of your data directly in the app.
- Export plans and reports to Excel or CSV at any time.
- Disconnect any third-party integration from the Settings page; we stop receiving new data immediately. Data already imported into your workspace remains there until you delete it or request deletion.
- Cancel your subscription from billing settings.
- Request deletion of your account and associated data by emailing privacy@foatt.com.
- Request a copy of personal information we hold about you. We'll respond within a reasonable time, generally within 30 days.
If you are a resident of California, you have additional rights under the California Consumer Privacy Act (CCPA) including the right to know what personal information we collect, the right to deletion, and the right to non-discrimination for exercising these rights. We do not sell personal information.
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights under GDPR / UK GDPR including access, rectification, deletion, restriction, and portability. The lawful basis for our processing is generally performance of our contract with you, or our legitimate interest in operating and securing the Services.
Data Processing Agreement. If you are a customer subject to the GDPR, UK GDPR, or a similar data-protection law that requires a written data processing agreement between you (as controller) and FOATT (as processor) for personal information you upload or import into the Services, we will enter into a reasonable data processing agreement with you on request. Email privacy@foatt.com to request one.
7. International transfers
FOATT is operated from the United States. If you access the Services from outside the United States, you understand that your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your country.
8. Children
FOATT is built for businesses and is not directed to children under 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with information, contact us and we will delete it.
9. Changes to this policy
We may update this policy from time to time. When we make material changes we will update the “Last updated” date and, where appropriate, send you a notice in-app or by email. Your continued use of the Services after a change becomes effective is your acceptance of the change.
10. Contact
FOATT, Inc.
700 E Redlands Blvd, Ste U296
Redlands, CA 92373
United States
privacy@foatt.com
foatt.com