Privacy Policy

Effective date: 2026-02-06

ProofGate provides software and APIs for deterministic consequence rails: policy gates, signed approvals, signed receipts, and audit truth. This policy explains what we collect, why we collect it, and how you control it.

1) What we collect

We collect the minimum data required to operate an authenticated SaaS product and an API service.

  • Account data: email address, account/workspace identifiers, membership/role.
  • Authentication data: one-time magic-link tokens (stored as hashes), session identifiers (stored as hashes), login timestamps, basic security metadata.
  • Billing data: Stripe customer and subscription IDs, plan, status, and renewal dates. We do not store raw payment card details; Stripe processes payments.
  • API key data: API keys are shown once; we store only a secure hash, key prefix, last4, and last-used timestamps.
  • Usage and audit events: request counts, action types (DECIDE/APPROVE/EXECUTE), timestamps, and minimal metadata needed for billing, rate limits, and security forensics.
  • Support communications: messages you send to support, and our replies.

2) What we do not collect

  • We do not sell personal data.
  • We do not store your passwords (ProofGate uses magic links).
  • We do not store your raw API keys (only secure hashes).
  • We do not intentionally ingest sensitive content unless you send it to the API; even then, we recommend you avoid sending secrets and rely on ProofGate’s constraint model (policy + routing).

3) How we use data

  • Provide and secure authentication sessions (magic link + cookies).
  • Operate the API and enforce plan limits, rate limits, and abuse prevention.
  • Generate signed receipts and maintain audit truth.
  • Support billing, subscriptions, invoices, and account management.
  • Debug incidents and investigate security issues.

4) Legal bases (where applicable)

  • Performance of a contract (providing the service you requested).
  • Legitimate interests (security, fraud prevention, system integrity).
  • Compliance with legal obligations (billing and tax records where required).

5) Sharing and subprocessors

We share data only with service providers needed to run ProofGate. Typical providers include Stripe (payments), an email delivery provider for magic links (e.g., Resend), a hosting provider (e.g., Vercel), and a database provider (e.g., managed Postgres). Each provider is used for a specific operational purpose.

We may disclose information if required by law, or to protect ProofGate, our users, or the public from fraud, abuse, or security threats.

6) Data retention

We retain personal data only as long as necessary to provide the service and meet legal obligations. Some logs and audit records may be retained longer to preserve security integrity and prove historical actions. You can request deletion where legally permitted.

7) Security

ProofGate is built around constraints and proof. We use standard measures such as encryption in transit, secure hashing for sensitive tokens/keys, least-privilege access, and audit logging. No system is perfectly secure; if you suspect unauthorized access, contact us immediately.

8) Your choices

  • Access, update, or delete your account information (where applicable).
  • Rotate or revoke API keys at any time.
  • Cancel your subscription in the billing portal.
  • Request data export or deletion via support.

9) International transfers

Depending on where you are located, your data may be processed in other countries. We rely on reputable service providers and apply appropriate safeguards.

10) Changes to this policy

We may update this policy from time to time. If we make material changes, we’ll update the effective date and, where appropriate, provide additional notice.

11) Contact

If you have questions about privacy or data practices, contact us at support@proofgate.dev.

© 2026 ProofGate