Data Privacy

PRIVACY POLICY foundfield.com In accordance with the EU General Data Protection Regulation (GDPR) 2016/679 Last updated: April 2025 | Version 1.0

1. Data Controller

The entity responsible for processing your personal data within the meaning of the General Data Protection Regulation (GDPR) is:

Company Name: INCOMMUNIO LTD Registered Address: 56 Battery Street, Valletta, VLT 1223, Malta VAT ID: MT28895033 Company Register No.: C101068 Managing Director: Elias Berthold Website: foundfield.com Phone: +49 30 692038118 Email: contact@foundfield.com

2. Scope and Purpose of this Privacy Policy

This Privacy Policy explains how INCOMMUNIO LTD ("we", "us", "our") collects, uses, stores, and protects personal data when you visit or use our website foundfield.com and any associated services. It sets out your rights under the GDPR and applicable Maltese data protection law.

This policy applies to all data subjects whose personal data we process, including website visitors, registered users, customers, and correspondents. By using our website or services, you acknowledge that you have read and understood this Privacy Policy.

3. Legal Bases for Processing

We process personal data only where a valid legal basis exists under Article 6 GDPR. Depending on the processing activity, we rely on one or more of the following:

Article 6(1)(a) – Consent: Where you have freely given, specific, informed and unambiguous consent to processing (e.g. newsletter subscriptions, non-essential cookies).
Article 6(1)(b) – Contract: Where processing is necessary for the performance of a contract to which you are a party, or to take pre-contractual steps at your request.
Article 6(1)(c) – Legal obligation: Where processing is necessary for compliance with a legal obligation to which we are subject (e.g. tax and accounting requirements).
Article 6(1)(f) – Legitimate interests: Where processing is necessary for the purposes of our legitimate interests or those of a third party, except where your interests, rights and freedoms override those interests.

4. Categories of Personal Data We Collect

4.1 Data You Provide Directly

When you interact with our website or contact us, we may collect:

Identity data: first name, last name, username or similar identifier
Contact data: email address, telephone number, postal address
Account data: login credentials, preferences and settings
Communication data: content of messages or enquiries you send to us
Transaction data: details of services you have purchased or enquired about

4.2 Data Collected Automatically

When you visit foundfield.com, our servers and analytics tools automatically collect:

Technical data: IP address (anonymised where possible), browser type and version, operating system, device type
Usage data: pages visited, time and date of visit, time spent on pages, referring URL, click paths
Cookie data: unique identifiers stored on your device (see Section 9)

4.3 Special Categories of Data

We do not intentionally collect or process special categories of personal data (sensitive data) as defined in Article 9 GDPR, such as data concerning health, racial or ethnic origin, political opinions, religious beliefs, or biometric data. Please do not submit such data through our website or contact forms.

5. Purposes of Processing

We use your personal data for the following purposes, under the indicated legal basis and retention period:

Providing and improving our services — Art. 6(1)(b) Contract — Duration of service + 3 years
Responding to enquiries and support — Art. 6(1)(b)/(f) — 3 years from last contact
Account management and authentication — Art. 6(1)(b) Contract — Until account deletion + 1 year
Sending service-related communications — Art. 6(1)(b) Contract — Duration of service
Marketing and newsletters — Art. 6(1)(a) Consent — Until consent withdrawal
Website analytics and performance — Art. 6(1)(f) Legitimate interest — 13 months (anonymised)
Legal and regulatory compliance — Art. 6(1)(c) Legal obligation — Up to 10 years
Fraud prevention and security — Art. 6(1)(f) Legitimate interest — 3 years from incident

6. Recipients and Transfers of Personal Data

6.1 Internal Sharing

Your personal data is accessible only to those employees and contractors of INCOMMUNIO LTD who need it to fulfil the purposes described in this Policy. All staff are bound by confidentiality obligations.

6.2 Third-Party Service Providers (Processors)

We engage carefully selected third-party processors who provide services on our behalf, including but not limited to cloud hosting and infrastructure providers, email delivery services, payment processing providers, analytics and website optimisation tools, and customer relationship management (CRM) systems. All processors are contractually bound by Data Processing Agreements (DPAs) in accordance with Article 28 GDPR, ensuring they process data only on our documented instructions and apply appropriate security measures.

6.3 International Transfers

INCOMMUNIO LTD is established in Malta (EU member state) and primarily processes data within the European Economic Area (EEA). Where transfers to third countries outside the EEA are necessary, we ensure an adequate level of protection by relying on an adequacy decision of the European Commission pursuant to Article 45 GDPR, Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR, or other appropriate safeguards in accordance with Article 46 GDPR. You may request a copy of applicable transfer mechanisms by contacting us at contact@foundfield.com.

6.4 Legal Disclosure

We may disclose personal data to courts, regulators, law enforcement authorities or other public bodies where required or permitted by law, including for the prevention, detection or investigation of criminal offences, fraud, or for tax and compliance purposes.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal, accounting or regulatory obligations, and to resolve disputes and enforce our agreements. Specific retention periods are indicated in Section 5.

When personal data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with an identifiable individual. Anonymised data may be retained for statistical and research purposes. You may request information about the retention period applicable to your personal data at any time by contacting us at contact@foundfield.com.

8. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR, exercisable free of charge:

8.1 Right of Access (Art. 15 GDPR) You have the right to obtain confirmation as to whether or not we process personal data concerning you, and if so, to receive a copy of that data along with information about the processing.

8.2 Right to Rectification (Art. 16 GDPR) You have the right to obtain without undue delay the rectification of inaccurate personal data and to have incomplete personal data completed.

8.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR) You have the right to request deletion of your personal data where it is no longer necessary for the purposes collected, you withdraw consent, you object to processing, the data has been unlawfully processed, or erasure is required by law. This right is subject to exceptions where processing is necessary for legal compliance or the establishment, exercise or defence of legal claims.

8.4 Right to Restriction of Processing (Art. 18 GDPR) You have the right to request restriction of processing where you contest the accuracy of the data, processing is unlawful but you oppose erasure, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of legitimate grounds.

8.5 Right to Data Portability (Art. 20 GDPR) Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller.

8.6 Right to Object (Art. 21 GDPR) You have the right to object at any time to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds, or for the establishment, exercise or defence of legal claims. Where data is processed for direct marketing, you have an unconditional right to object.

8.7 Right to Withdraw Consent (Art. 7(3) GDPR) Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. You may withdraw consent by contacting us or using opt-out mechanisms provided (e.g. unsubscribe links).

8.8 Rights Related to Automated Decision-Making (Art. 22 GDPR) You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. We do not currently engage in such processing.

8.9 Right to Lodge a Complaint

If you believe we have processed your personal data in violation of applicable law, you have the right to lodge a complaint with the competent supervisory authority. As INCOMMUNIO LTD is established in Malta, the lead supervisory authority is:

Information and Data Protection Commissioner (IDPC) Level 2, Airways House, High Street, Sliema SLM 1549, Malta Website: idpc.org.mt | Email: idpc.info@gov.mt | Phone: +356 2328 7100

You may also contact the supervisory authority in your EU member state of habitual residence or place of work.

8.10 How to Exercise Your Rights

To exercise any of your rights, please contact us in writing: Email: contact@foundfield.com (subject line: "Data Subject Request") Post: INCOMMUNIO LTD, 56 Battery Street, Valletta, VLT 1223, Malta

We will respond within one calendar month. This period may be extended by two further months for complex or numerous requests; we will inform you of any extension within one month of receipt. We may need to verify your identity before processing your request.

9. Cookies and Similar Technologies

9.1 What are Cookies? Cookies are small text files placed on your device by a website, used to make sites work, improve efficiency, and provide usage information. Similar technologies include web beacons, pixels, and local storage.

9.2 Categories of Cookies We Use

Strictly Necessary: Essential for the website to function. Cannot be disabled. Legal basis: Art. 6(1)(b)/(f).
Functional / Preferences: Remember your settings and preferences. Legal basis: Art. 6(1)(a) Consent.
Analytics / Performance: Collect aggregated information about how visitors use our site to help us improve it. Legal basis: Art. 6(1)(a) Consent.
Marketing / Targeting: Deliver relevant advertising and measure campaign effectiveness. May involve third-party cookies. Legal basis: Art. 6(1)(a) Consent.

9.3 Managing Your Cookie Preferences

You can manage or withdraw consent to non-essential cookies at any time through our Cookie Consent banner, which appears on your first visit, or via your browser settings. Disabling certain cookies may affect website functionality. For more information, visit www.allaboutcookies.org.

10. Data Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These include encryption of data in transit (TLS/SSL) and at rest, access controls and authentication requirements, regular security assessments and penetration testing, staff training on data protection and information security, incident response procedures for detecting and reporting personal data breaches, and regular backups and business continuity measures.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours in accordance with Article 33 GDPR and, where required, notify you directly under Article 34 GDPR.

11. Third-Party Links and Services

Our website may contain links to third-party websites, plug-ins, and applications. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.

12. Children's Privacy

Our website and services are not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we may have done so, please contact us at contact@foundfield.com and we will promptly delete such data.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. We will notify you of material changes by posting the updated Policy with a revised "Last updated" date and, where appropriate, by direct notification. We encourage you to review this Policy periodically.

14. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or our data processing activities:

INCOMMUNIO LTD 56 Battery Street, Valletta, VLT 1223, Malta Email: contact@foundfield.com Phone: +49 30 692038118 Website: foundfield.com Managing Director: Elias Berthold

We aim to respond to all data protection enquiries within 5 business days. For formal data subject rights requests, the statutory one-month response period applies (Art. 12(3) GDPR).