cat ./legal/privacy.md

PRIVACY POLICY — NATIVEFOUNDATION, INC.

Effective: 2026-05-18   ·   Last Updated: 2026-05-18

This Policy describes how NativeFoundation, Inc. (“NativeFoundation,” “we,” “us”) collects, uses, discloses, retains, and protects Personal Data — including Personal Data received in the United States from the European Union, the European Economic Area, the United Kingdom (and Gibraltar), and Switzerland in reliance on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework.

cat ./legal/dpf-adherence.md

1. DPF ADHERENCE STATEMENT

NativeFoundation, Inc. complies with the EU-U.S. Data Privacy Framework program (the “EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (the “Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce.

NativeFoundation has certified to the U.S. Department of Commerce that it adheres to:

  • the EU-U.S. DPF Principles with regard to personal data received from the European Union in reliance on the EU-U.S. DPF;
  • the EU-U.S. DPF Principles with regard to personal data received from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF; and
  • the Swiss-U.S. DPF Principles with regard to personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

ls ./legal/covered-data/

2. SCOPE OF COVERED PERSONAL DATA

2.1 — Non-Human-Resources Data

  • Identifiers — name, email, phone, professional social identifiers, employer identifiers
  • Professional & Educational Data — job title, employment history, skills, qualifications, certifications
  • Public Behavioural Signals — publicly observable activity used to construct behavioural and intent signals
  • Inferred Data — confidence-scored, provenance-tagged attributes derived from the above
  • Customer/Prospect Contact Data — contact details of customer representatives and business prospects
  • Website & Product Usage Data — IP address, device identifiers, browser data, log data, cookies, analytics events

2.2 — Human-Resources Data

Personal Data about employees, contractors, and applicants of NativeFoundation: identifiers, contact details, employment terms, performance records, compensation, tax/benefits information, and right-to-work documentation.

cat ./legal/purposes.md

3. PURPOSES OF PROCESSING

  • --product-delivery   operate the Aether platform (AetherEnrich, AetherIntel, AetherGraph, AetherWatch, AetherLead, AetherSim, AetherVerse)
  • --customer-relationships   sales, onboarding, support, billing, account management
  • --service-improvement   monitor, evaluate, and improve quality, accuracy, and performance
  • --security-fraud-prevention   detect and investigate unauthorised access, abuse, and incidents
  • --legal-compliance   meet legal obligations and respond to lawful requests
  • --hr-administration   administer the employment relationship and payroll/benefits

NativeFoundation does not sell Personal Data.

cat ./legal/choice.md

4. LAWFUL BASES & CHOICE

Where we act as a controller for Personal Data of EU, UK, or Swiss data subjects, we rely on one or more of: legitimate interests, contractual necessity, legal obligation, or consent where required.

4.1 — Opt-Out (Choice Principle)

We offer individuals the opportunity to opt out of (a) disclosures of their Personal Data to third parties that are not acting as our agents, and (b) any use of their Personal Data for a purpose materially different from the purpose(s) for which it was originally collected or subsequently authorised. To exercise these choices, contact us using the details below.

4.2 — Opt-In for Sensitive Data

Where we process sensitive Personal Data (as defined under the DPF Principles — e.g., medical or health information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, or criminal records), we will obtain affirmative express consent before such data is disclosed to a non-agent third party or used for a purpose other than that for which it was originally collected or subsequently authorised.

cat ./legal/onward-transfers.md

5. ONWARD TRANSFERS & ACCOUNTABILITY

NativeFoundation may transfer Personal Data to third parties acting as our agents (sub-processors and service providers) for the purposes described above — for example, cloud hosting, communication platforms, payment processors, security tooling, and analytics.

In compliance with the DPF Principles, NativeFoundation is responsible for the processing of Personal Data it receives under the DPF and subsequently transfers to a third party acting as an agent on its behalf. We require all such agents to provide at least the same level of protection as required by the DPF Principles, through written agreements that limit their use of Personal Data to the purposes for which it was transferred and require them to notify us if they can no longer meet this obligation. If we receive such notice, we will take reasonable and appropriate steps to stop and remediate any unauthorised processing.

NativeFoundation remains liable under the DPF Principles if its agents process Personal Data in a manner inconsistent with the Principles, unless NativeFoundation proves that it is not responsible for the event giving rise to the damage.

cat ./legal/disclosures.md

6. DISCLOSURES TO NON-AGENT THIRD PARTIES

NativeFoundation may disclose Personal Data to non-agent third parties:

  • with the individual’s consent;
  • to comply with legal obligations or lawful requests from public authorities, including national security and law enforcement requirements;
  • to enforce our terms or protect our rights, property, or safety, or that of others;
  • in connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to confidentiality protections.

cat ./legal/data-integrity.md

7. DATA INTEGRITY & PURPOSE LIMITATION

We limit the Personal Data we process to information relevant for the stated purposes, and take reasonable steps to ensure data is reliable for its intended use, accurate, complete, and current. AetherIntel and AetherEnrich profiles are confidence-scored and provenance-tagged, and we maintain processes to refresh and correct profile data over time.

We retain Personal Data only for as long as it serves the purposes for which it was collected (or for compatible purposes), or as required by law.

cat ./legal/security.md

8. SECURITY

NativeFoundation maintains reasonable and appropriate technical, administrative, organisational, and physical safeguards to protect Personal Data from loss, misuse, unauthorised access, disclosure, alteration, and destruction. These include encryption in transit and at rest, strict access controls, least-privilege provisioning, zero-trust network architecture, audit logging, and regular vendor review.

cat ./legal/rights.md

9. ACCESS, CORRECTION & DELETION

Individuals have the right to access Personal Data we hold about them, and to request that we correct, amend, or delete it where it is inaccurate or has been processed in violation of the DPF Principles — subject to the limitations set out in the Principles (e.g., where the burden or expense of providing access is disproportionate to the risks to the individual’s privacy, or where doing so would violate the rights of others).

To exercise these rights, contact us using the details below. We will respond to verifiable requests within a reasonable period.

cat ./legal/recourse.md

10. RECOURSE, ENFORCEMENT & LIABILITY

10.1 — Independent Recourse Mechanism

In compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF, NativeFoundation commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (and the Gibraltar Regulatory Authority where applicable), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), with regard to unresolved complaints concerning our handling of human-resources data received in reliance on the DPF in the context of the employment relationship.

For complaints concerning non-HR data, NativeFoundation has chosen JAMS as its independent recourse mechanism. If you have an unresolved privacy or data-use concern that we have not addressed satisfactorily, please contact JAMS at https://www.jamsadr.com/DPF-Dispute-Resolution at no cost to you.

10.2 — FTC Enforcement

The Federal Trade Commission has jurisdiction over NativeFoundation’s compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF.

10.3 — Binding Arbitration

Under certain conditions, more fully described in Annex I of the EU-U.S. DPF Principles, you may invoke binding arbitration where other dispute-resolution procedures have been exhausted.

cat ./legal/international-transfers.md

11. INTERNATIONAL TRANSFERS

NativeFoundation is headquartered in the United States. Personal Data we collect or receive may be transferred to, stored in, and processed in the United States and other jurisdictions where we or our service providers operate. For transfers from the EU, UK, and Switzerland we rely on the DPF as described above and, where applicable, on Standard Contractual Clauses and other lawful transfer mechanisms.

contact --privacy

12. CONTACT

Entity: NativeFoundation, Inc. (Delaware, USA)

Privacy Officer: privacy@nativefoundation.ai

HR Data Requests: people@nativefoundation.ai

General: hello@nativefoundation.ai

We acknowledge verifiable requests promptly and respond substantively within 45 days, except where law or the DPF Principles permit a different timeframe.

cat ./legal/changelog.md

13. CHANGES TO THIS POLICY

We may update this Policy from time to time. Material changes will be communicated by updating the “Last Updated” date and, where appropriate, by additional notice (e.g., email to active customers or a notice on our website). Continued use of our services after a change indicates acceptance of the updated Policy.

cat ./legal/annex-a-hr.md

ANNEX A — HUMAN RESOURCES DATA (DPF)

  • Categories — identification, contact, employment terms, payroll/tax, benefits, performance, right-to-work, emergency contacts
  • Purposes — employment administration, payroll & benefits, performance management, workforce planning, security, legal compliance
  • Disclosures — to agents (payroll, benefits, IT, legal) under DPF-equivalent contractual protection; to public authorities where legally required
  • Access & Correction — people@nativefoundation.ai
  • Recourse — competent EU DPA panel / UK ICO (and Gibraltar Regulatory Authority where applicable) / Swiss FDPIC