Privacy Policy

GateCtr is an LLM middleware gateway. We sit between your application and LLM providers (OpenAI, Anthropic, Mistral, Gemini) to optimize, route, and enforce budgets on your API calls. GateCtr is operated by GateCtr SAS. For privacy inquiries, contact us at privacy@gatectr.com.

• Service — LLM middleware gateway — routing, budget enforcement, prompt optimization, analytics.
• Data controller — GateCtr SAS, reachable at privacy@gatectr.com.
• Scope — This policy applies to all users of gatectr.com, app.gatectr.com, and the GateCtr API.

We collect only what is necessary to operate the service. We do not collect the content of your prompts or LLM responses.

• Account data — Email address, name, and authentication data provided when you sign up via Clerk (Google OAuth or email).
• Usage metadata — Token counts, request counts, model used, provider, latency, cost estimates, and timestamps. Never the content of prompts or responses.
• Provider keys — Your LLM API keys, stored AES-256 encrypted at rest. We never log, display, or transmit them in plaintext.
• Technical data — IP address, user agent, browser type, and request timestamps — used for security, abuse prevention, and analytics.

We use your data exclusively to:

• Provide the service: route API calls, enforce budgets, compress prompts, and display analytics.
• Send transactional emails: account creation, budget alerts, onboarding completion, and billing events.
• Improve reliability: monitor errors, latency, and system health via Sentry and Vercel Analytics.
• Comply with legal obligations: respond to lawful requests from authorities when required.

We retain data for the minimum period necessary to provide the service.

We use the following sub-processors to operate GateCtr. Each processes data under their own privacy policy and DPA.

• Clerk — Authentication and session management. Processes email and OAuth data.
• Stripe — Payment processing. Processes billing information and invoices.
• Neon — PostgreSQL database hosting (AWS us-east-1). Stores account and usage data.
• Upstash — Redis caching. Stores temporary session and rate-limit data.
• Sentry — Error monitoring. Receives anonymized stack traces and performance data.
• Vercel — Hosting and edge network. Processes all HTTP requests.

We do not share your data with LLM providers. Your API key is used directly from your infrastructure — GateCtr acts as a transparent proxy.

Depending on your jurisdiction, you have the following rights regarding your personal data:

• Right of access — request a copy of all data we hold about you.
• Right to rectification — correct inaccurate or incomplete data.
• Right to erasure — request deletion of your account and associated data.
• Right to portability — export your usage data in CSV format from the dashboard.
• Right to object — opt out of non-essential data processing.

To exercise any of these rights, email privacy@gatectr.com. We will respond within 30 days. Account deletion can also be initiated directly from Settings → Account.

We implement industry-standard security measures: AES-256 encryption for API keys at rest, TLS 1.3 for all data in transit, multi-tenant isolation at the database level, role-based access control (RBAC) for team accounts, and regular security audits. We do not store LLM prompt content. In the event of a data breach affecting your personal data, we will notify you within 72 hours as required by applicable law.

GateCtr is hosted on Vercel and Neon infrastructure primarily in the United States (AWS us-east-1). If you are located in the European Economic Area (EEA), your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for such transfers.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the dashboard. The date at the top of this page reflects the most recent update. Continued use of GateCtr after changes constitutes acceptance of the updated policy.