Footstep AI Ltd ("Footstep", "we", "us") is a company registered in England and Wales. We operate footstep.ai, the hosted MCP server at mcp.footstep.ai, and the REST API at api.footstep.ai.

We are the data controller for personal data processed through our marketing site and our self-serve console. Where customers process their own users' data through our APIs, we act as a processor under a separate Data Processing Agreement.

Contact: privacy@footstep.ai.

Account data. Name, email address, organisation, billing details, and the contents of API keys you create.

Usage data. Per-key request counts, response status codes, latency, and the endpoint called. We retain a sample of request and response payloads for a short window to support debugging and abuse prevention. We do not retain payload contents long-term unless required for an investigation.

Technical data. IP address, user agent, and timestamps for requests to our APIs and marketing site.

Marketing-site analytics. Aggregate page views, referrers, and device class via Google Analytics (GA4). No payload data from your API requests is sent to analytics providers.

• Contractual necessity. To deliver the API and MCP service you signed up for, meter usage, and bill correctly.
• Legitimate interests. To operate, debug, and secure the service. To prevent abuse. To improve our products against aggregated, non-identifying metrics.
• Legal obligation. To comply with tax, accounting, and other statutory requirements.
• Consent. For optional marketing email, where you have explicitly opted in.

Our APIs accept geographic inputs (coordinates, place names, addresses) and return geocoding, routing, terrain, and probability outputs. We treat the contents of your API requests and responses as confidential.

We do not use your API request or response payloads to train machine-learning models. We do not share payloads with third parties except as necessary to operate the service (for example, a hosting provider executing the request on our behalf under contract).

A short-window log of request metadata and a sampled payload is kept for debugging and abuse prevention. Customers on enterprise plans can request a written log-retention agreement covering specific shorter windows or no retention.

We use a small set of named sub-processors to operate the service. The current list is available on request to privacy@footstep.ai. We do not sell, rent, or commercially exploit personal data.

We may disclose data when legally required by court order or regulator, when necessary to protect our rights or the safety of others, or in the event of a merger, acquisition, or sale of assets, in which case we will notify affected customers.

We primarily process data within the UK and the EEA. Where transfers to other regions are necessary, we rely on adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms under UK GDPR.

• Account data: until account closure plus the period required by tax and accounting law (typically 6 years in the UK).
• Usage metadata: 12 months by default, after which it is aggregated.
• Sampled payload data: up to 30 days, unless a specific incident requires longer retention.
• Marketing analytics: 14 months (GA4 default).

Under UK GDPR you have the rights to:

• access the personal data we hold about you
• correct inaccurate or incomplete data
• request erasure of your data
• restrict or object to processing
• receive your data in a portable format
• challenge any decision based solely on automated processing that produces a legal or similarly significant effect on you

To exercise these rights, email privacy@footstep.ai. We respond within one calendar month.

• TLS in transit and encryption at rest for stored data
• Per-key access controls with environment scoping
• Audit logs for administrative actions
• Regular dependency and infrastructure scanning
• Documented incident-response procedures

The marketing site uses cookies for essential functionality (session persistence, preference storage), aggregate analytics (Google Analytics), and a customer-data tool used for sales enquiries (HubSpot). You can control cookies via your browser settings; disabling essential cookies may break parts of the site.

Our service is for business and professional use only. We do not knowingly collect personal data from anyone under the age of 18.

We may update this policy. Material changes will be communicated via email or in-product notification. The version date below shows the current version.

Please contact us first at privacy@footstep.ai. You also have the right to complain to the UK Information Commissioner's Office.