Privacy Policy

Effective date: 2026-01-01 · Last updated: 2026-03-27 · Version 1.1

AgentGate ("we", "us", or "our") is operated by Bakhrom and provides the AgentGate Compliance-as-a-Service API at agengate.com. This policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have — in plain language, in compliance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1. Data We Collect

Account data — your email address and company name when you create an account. Passwords are stored as bcrypt hashes; we never store plaintext passwords.
API usage logs — request timestamps, HTTP method, endpoint path, response status, duration in milliseconds, and a truncated prefix of your API key for tracing. We store SHA-256 hashes of agent output content — never the raw text itself.
Payment information — plan name, billing cycle, subscription status, invoice IDs, and payment confirmation tokens. Full card numbers are processed exclusively by Stripe or Multicard Mesh; we never receive or store raw card data.
Technical metadata — IP address, HTTP user agent, and X-Request-Id correlation headers collected for security, abuse prevention, and debugging.

2. What We Do Not Collect

The raw text of any AI agent output you submit for validation — only its SHA-256 hash is stored.
Biometric data, precise geolocation, or social profile information.
Data about your end-users unless you explicitly include it in API request fields.
Tracking cookies, advertising identifiers, or third-party analytics data.

3. Legal Basis for Processing (GDPR)

We rely on the following lawful bases under GDPR Article 6:

Contract (Art. 6(1)(b)) — processing your email, API keys, and usage logs to provide the service you signed up for.
Legitimate interests (Art. 6(1)(f)) — server logs and IP addresses retained for security, fraud prevention, and abuse detection. Our interest does not override your rights.
Legal obligation (Art. 6(1)(c)) — billing records retained for 7 years to comply with tax and accounting law.
Consent (Art. 6(1)(a)) — marketing and lifecycle email sequences. You may withdraw consent at any time by clicking "Unsubscribe" in any email or emailing bakhrom@agengate.com.

4. How We Use Your Data

Provision and operate the AgentGate API and dashboard.
Issue and rotate API keys; enforce plan quotas and rate limits.
Send transactional emails: account confirmation, password reset, payment receipts, and usage alerts.
Send the onboarding email sequence (you may unsubscribe at any time).
Detect abuse, prevent fraud, and enforce our Terms of Service.
Improve quality gate models and compliance mappings using aggregated, anonymised statistics only — never individual user content.

5. Data Processors & Sub-processors

We do not sell your data. We share it only with the following processors under binding data processing agreements (DPAs):

Processor	Purpose	Data location	Data shared
Supabase	Database & auth hosting	`eu-central-1` (Frankfurt, EU)	Account data, API keys (hashed), usage logs, billing records
Hostinger	VPS application hosting	EU (Lithuania)	Application runtime data, server logs
SendGrid (Twilio)	Transactional & lifecycle email	USA (adequacy safeguards: SCCs)	Email address, first name, plan name
Stripe	Card payment processing	USA / EU (SCCs)	Email, plan, billing cycle — no raw card data
Multicard Mesh	Local card payment processing (UZ)	Uzbekistan	Customer ID, invoice amount — no raw card data

We will notify you within 72 hours of discovering any processor breach that affects your personal data.

6. Data Retention

API keys — retained indefinitely while your account is active; deleted within 30 days of account deletion Indefinite / active
API usage logs — rolling window; deleted automatically 90 days
Validation records (hashes, gate outcomes) 12 months
Payment & billing records — required by tax law 7 years
Account data (email, company name) — deleted after account closure 30 days post-closure
Server access logs (IP, user agent) 30 days

7. Your Rights

Under GDPR (EU residents) and CCPA (California residents) you have the following rights. To exercise any of them, email bakhrom@agengate.com with the subject "Data Request". We will respond within 30 days (GDPR) or 45 days (CCPA).

Access

Request a copy of all personal data we hold about you.

Rectification

Ask us to correct inaccurate or incomplete data.

Erasure ("Right to be forgotten")

Request deletion of your data. Billing records retained for 7 years cannot be deleted due to legal obligation.

Portability

Receive your data in a structured, machine-readable format (JSON).

Object

Object to processing based on legitimate interests or for direct marketing.

Restrict Processing

Ask us to pause processing while a dispute is resolved.

You also have the right to lodge a complaint with your supervisory authority. For EU residents, this is typically your national data protection authority (e.g., CNIL in France, ICO in the UK, BfDI in Germany).

DPO: We are not legally required to appoint a Data Protection Officer (fewer than 250 employees, no large-scale systematic monitoring). The privacy contact above handles all data requests.

8. Cookies & localStorage

9. International Data Transfers

Our primary infrastructure (Supabase, Hostinger) is located in the EU. Where data is transferred outside the EU/EEA — specifically to SendGrid (USA) and Stripe (USA) — we rely on Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c) as the lawful transfer mechanism.

Multicard Mesh operates in Uzbekistan, which does not have an EU adequacy decision. We transfer only the minimum data necessary (customer ID, invoice amount) and do so under contractual obligations that mirror GDPR-equivalent protections.

10. Security

All data in transit is encrypted with TLS 1.2 or higher.
Data at rest is encrypted with AES-256.
API keys are stored as SHA-256 hashes — we cannot recover a key once issued.
Passwords are hashed with bcrypt (cost factor 12).
Webhook payloads are verified with HMAC-SHA256 signatures.
Evidence chains use SHA-256 chaining to detect any tampering with audit records.
Access to production systems is restricted to named individuals with MFA enforced.

11. Children

AgentGate is a B2B service directed at businesses and developers, not at individuals under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor has submitted data to us, contact bakhrom@agengate.com and we will delete it promptly.

12. Changes to This Policy

We will notify registered users by email and update the "Last updated" date at the top of this page when we make material changes. Continued use of AgentGate more than 30 days after notification constitutes acceptance of the revised policy. Non-material changes (formatting, typo fixes) take effect immediately without notification.

13. Contact

Privacy enquiries, data requests, and complaints:

bakhrom@agengate.com

AgentGate
Operated by Bakhrom
Tashkent, Uzbekistan

We will acknowledge your request within 72 hours and provide a substantive response within 30 days (GDPR) or 45 days (CCPA). If we need more time we will notify you before the deadline expires.