GFoundry Intelligence — Privacy and Data Protection (OpenAI & Google Gemini)

Legal · GFoundry Intelligence

GFoundry Intelligence — Privacy & Data Protection

Version 2.0Last updated June 28, 2026Responsible entity GFoundry Lda

GFoundry Intelligence is the service that aggregates a set of features and AI agents — Gi Learn (learning design), Gi Practice (role-play coaching), Gi Admin (people analytics), Gi Talent (talent strategy) and the GiBot assistant — that use generative AI to operate. It is powered by two AI subprocessors: OpenAI and Google Gemini. This document ensures that GFoundry, through GFoundry Intelligence, complies with the GDPR by protecting the privacy and security of personal data processed for content generation, incorporating the terms of the Data Processing Agreements (DPAs) with OpenAI and with Google.

1Entity responsible for processing

GFoundry Lda, headquartered in Valença (Portugal), at Avenida Tito Flores, nº 71, with a share capital of €55,000.00, registered at the Odivelas Registrar of Companies under single registration and VAT number PT510809510, hereinafter referred to as GFOUNDRY, is the entity responsible for GFoundry Intelligence. This policy outlines how GFOUNDRY ensures the protection, privacy, and security of personal data processed via GFoundry Intelligence, in compliance with the General Data Protection Regulation (GDPR).

2Scope of GFoundry Intelligence

GFoundry Intelligence encompasses two primary areas:

  • Production of general educational content: using generative AI to create content across broad skill and competency areas.
  • Production of educational content using client data: processing client documents to generate tailored educational content. This policy particularly addresses the second area, ensuring that client data is handled privately and securely, and deleted promptly after content generation.

3Collection and processing of personal data

GFOUNDRY processes personal data strictly necessary for:

  • Providing information and operating GFoundry Intelligence.
  • Processing client documents to generate educational content.

Data processed may include direct or indirect personal identifiers, such as names, email addresses, and document content. Users or clients will be informed about the necessity of such data to use GFoundry Intelligence’s functionalities.

4Legal basis for data processing

GFOUNDRY ensures that personal data is processed lawfully under the following conditions:

  • With the explicit consent of the data subject.
  • For the performance of a contract to which the data subject is a party.
  • In compliance with legal obligations.
  • To protect vital interests of the data subject or another person.
  • For tasks carried out in the public interest or in the exercise of official authority.

5Data protection measures

GFOUNDRY employs robust technical and organizational measures to protect personal data, including:

  • Encryption of data in transit and at rest.
  • Access controls and authentication measures.
  • Regular security audits and vulnerability assessments.
  • Prompt deletion of personal data after content generation.

6User rights

Data subjects have the following rights under GDPR: right to access, rectification, erasure, restriction of processing, data portability, and objection. Requests to exercise these rights can be addressed to the Data Protection Officer at GFOUNDRY through the contact details below.

7Data retention and deletion

GFOUNDRY retains personal data only as long as necessary to fulfill the purposes for which it was collected. Personal data used in GFoundry Intelligence for content generation is deleted immediately after the content is produced, ensuring no residual data remains.

8International data transfers

Any transfer of personal data to third countries or international organizations complies with GDPR requirements, including the use of Standard Contractual Clauses (SCCs) and other legally approved mechanisms.

Furthermore, GFOUNDRY ensures that all data uploaded by clients (e.g., PDFs and learning materials) is stored and processed in cloud infrastructure located within the European Union (Google Cloud), minimizing exposure to external jurisdictions. Only essential and anonymized textual prompts are transmitted to the AI subprocessors (OpenAI and Google Gemini) for content generation, and these providers do not retain or use this data for training purposes.

9Contact information

For any questions, concerns, or requests related to this policy or the processing of personal data, please contact:

  • Email: [email protected]
  • Address: Rua do Instituto Industrial 16, 1200-225 Lisboa – Portugal

10Updates to this policy

GFOUNDRY may update this Privacy and Data Protection Policy to reflect changes in practices or legal requirements. Updates will be published in relevant channels to ensure transparency and inform Users and Customers.

11OpenAI — specific terms

The following specific terms apply to the use of OpenAI as an AI subprocessor of GFoundry Intelligence, under the Data Processing Agreement (DPA) between GFoundry Lda and OpenAI.

1. Processing requirements

As a Data Processor, OpenAI processes Customer Data only on the Customer’s behalf to provide and support OpenAI’s Services (including insights, reporting, analytics, and abuse/trust and safety monitoring), complies with the Customer’s written instructions, provides the privacy protection required by Data Protection Laws, and does not “sell” or “share” Personal Data as defined by U.S. Privacy Laws.

2. Notice to Customer

OpenAI informs the Customer of any legally binding disclosure request by a law enforcement authority (unless prohibited), any notice or investigation by a Supervisory Authority, and any complaint or request from the Customer’s data subjects.

3. Assistance to Customer

OpenAI provides reasonable assistance with data-subject requests (access, rectification, erasure, restriction, portability, objection, blocking, deletion), investigating security breaches affecting Customer Data, and preparing data protection impact assessments.

4. Required processing

If required by Data Protection Laws to process Customer Data for a reason unrelated to the Agreement, OpenAI informs the Customer in advance, unless legally prohibited.

5. Security

OpenAI maintains reasonable and appropriate organizational and technical security measures, ensures its personnel protect the confidentiality of Customer Data, and notifies the Customer of any Personal Data Breach without undue delay.

6. Obligations of Customer

The Customer warrants it has the necessary rights, consents and authorizations to provide Customer Data, complies with applicable Data Protection Laws, cooperates on data-subject requests, and provides Customer Data only through agreed mechanisms.

7. International data transfers

OpenAI processes Customer Data originating in the EEA or Switzerland in accordance with the Standard Contractual Clauses adopted by the EU Commission.

8. Term; data return and deletion

The DPA remains in effect while OpenAI processes Customer Data on the Customer’s behalf. On termination, OpenAI deletes Customer Data within thirty (30) days, unless prohibited by law. (Exhibit A — parties: data exporter is the Services customer; data importer is OpenAI OpCo, LLC. Exhibit B — technical and organizational security measures maintained by OpenAI.)

12Google Gemini — specific terms

GFoundry Intelligence also uses Google’s Gemini API (paid tier) as an AI subprocessor for content generation and assistance. Google’s processing of personal data is governed by the Gemini API Additional Terms of Service and, for paid services, the Data Processing Addendum for Products Where Google is a Data Processor.

1. Processor status

On the paid tier, Google does not use prompts (including system instructions, cached content, and files) or responses to train or improve its products, and processes them as a data processor under the DPA referenced below.

2. Data location

Client data processed through GFoundry Intelligence is stored within the European Union (Google Cloud). Only essential, anonymized prompts are transmitted for generation.

3. Security

Google maintains organizational and technical security measures and notifies of any Personal Data Breach without undue delay, as set out in its DPA.

4. International data transfers

Transfers of data originating in the EEA or Switzerland are made under the Standard Contractual Clauses adopted by the EU Commission.

5. References

Gemini API Additional Terms of Service · Data Processing Addendum for Products Where Google is a Data Processor.

↑ Back to top