Privacy policy

Last updated 2026-04-30 · Effective 2026-04-30

Short version: we collect the minimum needed to run the marketplace. We do not sell your data. You can read, export, or delete what we have at any time. The long version below is the actual policy and is what we agree to be bound by.

1. Who we are

Failedups is operated by Digital Envision LLC, a Delaware limited liability company with its registered office at 16192 Coastal Highway, Lewis, DE 19958, United States. References to "we", "us", and "our" mean Digital Envision LLC. References to "you" mean any visitor or registered user of failedups.com. We are the data controller for the personal information described in this policy.

2. Information we collect

We collect different categories of information for different parts of the service. Each category is listed below with its source and purpose.

2.1 Account information

When you create an account we store your email address, hashed password (we never see the plaintext), full name, and the user identifier issued by our authentication provider. When you sign in via Google or GitHub OAuth instead, we receive your email, name, and avatar URL from that provider, plus the provider identifier.

2.2 Profile information

Anything you fill in on your profile: display name, avatar image, short bio, X (Twitter) handle, GitHub handle, and personal website URL. All of these are optional. The fields you fill in appear publicly on listings you publish, on the founder card next to those listings, and on the public version of your profile if you have published listings.

2.3 Listing content

When you create a listing we store everything you submit: project name, slug, short and long descriptions, vision, reason for selling, asking price, monthly running costs, total invested, completion percentage, status (for sale, looking for cofounder, both), tech stack, included assets, live URL, source code repository URL, build tool used, traction stage, and a contact email. You also upload a cover image and optionally additional gallery images. Image bytes are stored in our hosted object storage. Once you publish a listing it becomes publicly visible and indexable. See section 4 of our Terms of Service for the marketing license that attaches to published listings.

2.4 Communications

When a buyer or potential cofounder contacts you through a listing's inquiry form, we relay the message to your contact email through our email service provider with the sender's email set as Reply-To. We log the sender's name, email, the subject of their message, and a timestamp in our internal email log so administrators can audit activity and so we can show you inquiry counts on your dashboard. We do not store the body of inquiry messages after delivery; we only retain the metadata.

Messages you send via the general /contact form are stored in our database so we can respond.

2.5 Payments

When you purchase a Boost we use Stripe as our payment processor. Stripe receives your card details directly; we never see, store, or have access to the card number, expiration, or CVC. Stripe returns to us a customer identifier, a payment intent identifier, the amount paid, the currency, and the success or failure status. We retain that information as a payment audit record. We also store the customer identifier on your profile so you can reuse the saved payment method via the Stripe Customer Portal.

2.6 Newsletter

If you subscribe to the Failedups newsletter we store your email address, the page you subscribed from (the source), the timestamp of your sign up, the timestamp of your double opt in confirmation, and a one click unsubscribe token. Confirmed subscribers are also synchronized to a managed audience at our email service provider so digest sends use one consistent reputation. Unsubscribing immediately marks the address as unsubscribed in both systems and stops all future newsletter sends.

2.7 Reviews

When you mark a listing sold or matched with a cofounder we offer a short review form. If you submit a review we store the rating, the body text, your role on the deal (seller or buyer), and a link to your profile. Reviews appear publicly on the listing's revived page and contribute to aggregate rating signals exposed to search engines.

2.8 AI agent connections

Failedups exposes a Model Context Protocol (MCP) server so AI coding agents can list, browse, and contact founders on your behalf. When you authorize an agent through OAuth we store the client name, the scopes you granted, the issued access and refresh tokens (hashed at rest with a server-side pepper), the issuance and expiration timestamps, and the IP address and user agent of the issuing browser. You can review and revoke any active connection at any time from /account/connections.

2.9 Technical data

Like most web servers, ours record the IP address, user agent, request path, and timestamp of every request in standard server logs. These logs are retained on our infrastructure provider and rotate out within 30 days. We do not use these logs for advertising or tracking across other sites. We use Vercel Web Analytics for aggregated, cookieless page view counts and a small number of custom product events (for example, "a listing was published" or "a boost was purchased"). The custom events are stripped of any field whose name suggests personal information (email, full name, token, secret, address) before being sent. Vercel Web Analytics does not set cookies, does not track you across sites, and is GDPR friendly by default.

2.10 Cookies and similar technologies

We set the following cookies, and only the following cookies:

  • A session cookie issued by our authentication provider when you sign in. It is HttpOnly, SameSite=Lax, marked Secure in production, and lets you stay signed in across page loads. It expires when you sign out or after a long idle period.
  • A 24 hour shuffle cookie named fu_shuffle that holds a random visitor seed. It controls the order cards appear on the home page, browse, collections, and related lists, and stays consistent for you across pagination. It is HttpOnly, SameSite=Lax, and contains no personal information.
  • Cookies that one of the OAuth providers (Google, GitHub) may set on its own domain during sign in. We do not control those cookies; their privacy policies apply to them.

We do not use third party advertising cookies, tracking pixels, or fingerprinting. There is no Failedups ad network.

3. How we use your information

We use the categories of information above to:

  • Operate the marketplace: render your listings, surface them in search and collections, route inquiries to your inbox, process Boost purchases, and so on.
  • Authenticate you and keep your account secure (sign in, password reset, email change confirmation, security event notifications).
  • Send transactional email triggered by your actions: confirm a sign up, confirm a Boost purchase, notify a founder of a new inquiry, notify the team that a listing is awaiting moderation, notify you that your listing was approved or rejected, and similar.
  • Send the Failedups newsletter if and only if you have opted in.
  • Run aggregated analytics so we can see which pages and which features get used.
  • Moderate the marketplace and enforce our Terms of Service. This includes manually reviewing newly submitted listings and reviewing reports of policy violations.
  • Promote and market the service. Listings you publish may appear in promotional surfaces under the marketing license described in our Terms.
  • Comply with our legal obligations and respond to lawful requests from authorities.

We do not use your personal information for automated decision making that produces legal effects on you. We do not sell or rent your personal information. We do not share it with advertisers.

4. Service providers we share data with

We rely on a small number of third party services to run the platform. Each receives only the data needed for its specific role and is contractually required to handle that data on our behalf. They are:

  • Supabase hosts our database, authentication service, and object storage. All of the data described in section 2, except for items handled by the providers below, lives on Supabase infrastructure.
  • Vercel hosts and serves the Failedups website and provides web analytics and cron infrastructure.
  • Stripe processes Boost payments. Stripe is an independent data controller for payment card data and applies its own privacy policy at stripe.com/privacy.
  • Resend delivers our transactional email and newsletter sends and hosts the audience of confirmed subscribers.
  • Google and GitHub handle the OAuth sign in flow when you choose to sign in with one of those providers.
  • Cloudflare serves DNS and acts as a network edge in front of some of our other providers.

Beyond the providers above, we share information when required by law (subpoena, court order, valid legal process), to investigate suspected fraud or abuse, to protect the rights and safety of users or the public, or in connection with a corporate transaction such as a merger, acquisition, or asset sale. In a corporate transaction the receiving party becomes bound by this policy or one substantially similar.

5. Public listing content

Anything you publish as part of a listing is, by definition, public. That includes the listing's name, descriptions, vision, reason for selling, asking price, completion percentage, tech stack, included assets, build tool, contact email, live URL, source repository URL, founder display name, and any images you upload. Public listings are indexed by search engines, summarized in our LLM friendly surfaces (llms.txt, llms-full.txt, project Markdown twins), exposed in our public JSON feed and RSS feed, and may be referenced by third party crawlers, AI agents, and aggregators outside of our control. Removing or unpublishing a listing stops further distribution from our side, but copies that were already cached, indexed, or republished by third parties remain outside of our control. Treat anything you publish as if it will travel beyond Failedups, because it can.

6. Email and marketing communications

We separate transactional email from marketing email. Transactional emails are triggered by your actions and we cannot turn them off; examples include the sign up confirmation, the password reset, a new inquiry on your listing, your Boost activation receipt, and security notifications when your password or email is changed. The Failedups newsletter is the only marketing channel we run, and it is opt in only via double opt in. Every marketing email contains a one click unsubscribe link.

7. Your rights and choices

Depending on where you live, you may have one or more of the rights below. Many of them apply to everyone regardless of jurisdiction because we choose to extend them. To exercise any of them, email hello@failedups.com from the email address on your account. We respond within 30 days.

  • Access: ask for a copy of the personal information we hold about you.
  • Correction: ask us to fix anything that is wrong or out of date. Most fields you can edit yourself in the dashboard at /account.
  • Deletion: ask us to delete your account and the personal information attached to it. We complete deletions within 7 days. Listings you have published are removed from the public site at the same time. We retain payment audit records (anonymized to the extent practical) for the period required by tax and accounting law, typically 7 years.
  • Export: ask for a portable copy of your data in a machine readable format (JSON).
  • Withdraw consent: where we relied on your consent (the newsletter, optional analytics), you can withdraw it at any time. Unsubscribe links and the /account/connections revoke buttons are the fastest ways to do this for the channels we run.
  • Object to processing: ask us to stop using your personal information for a specific purpose. We will honor the request unless we have an overriding legal basis to continue.
  • Lodge a complaint: residents of the European Economic Area, the United Kingdom, and Switzerland have the right to complain to a local data protection authority. We would prefer to hear from you first so we can fix anything that is wrong.

California residents have additional rights under the California Consumer Privacy Act, including the right to know, the right to delete, the right to correct, and the right to opt out of "selling" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law.

8. Data retention

We keep account information for as long as your account is active, plus 30 days after you delete the account to allow for accidental deletions and finish any in flight email queue work. Email logs are retained for 12 months for moderation and abuse review, then truncated. Server access logs are retained for up to 30 days. Payment audit records are kept for 7 years to comply with tax and accounting obligations. Newsletter subscriber rows are kept until you unsubscribe; we keep the unsubscribe record (without your email) so we do not accidentally re-add you in the future. Public listing rows that have been marked sold or cofounder found are kept indefinitely on the Revived page so the marketplace's history is honest and auditable.

9. Security

We take reasonable technical and organizational measures to protect your information. These include: encryption in transit using TLS, encryption at rest for the database and object storage, hashed passwords with industry standard parameters, hashed OAuth tokens with a server side pepper, row level security on every database table so users can only read or write what they own, database triggers that prevent privilege escalation, audit logs of every email sent and every payment processed, scoped access tokens for AI agent connections, and rate limiting on sensitive endpoints. No system is perfectly secure. If you believe your account has been compromised, email hello@failedups.com immediately and we will lock the account and reset credentials.

10. International transfers

Failedups is operated from the United States and our service providers run infrastructure in multiple countries. If you access the service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries that may have different data protection laws than your own. Where required, we rely on Standard Contractual Clauses or other lawful transfer mechanisms with our providers.

11. Children's privacy

Failedups is not directed at children under 16, and we do not knowingly collect personal information from anyone under 16. If you are a parent or guardian and believe your child has provided personal information to us, contact hello@failedups.com and we will delete the data and the account.

12. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of the page reflects the most recent revision. For material changes that affect how we use or share personal information, we will give you at least 30 days notice via email to your account address and a banner on the site. Continued use of Failedups after the change takes effect constitutes acceptance of the updated policy.

13. Contact

For questions about this policy, to exercise any of the rights described in section 7, or to report a privacy or security issue, contact us at:

Digital Envision LLC
Attn: Privacy
16192 Coastal Highway
Lewis, DE 19958
United States
hello@failedups.com