Privacy Policy

Last updated: June 10, 2026

1. Who We Are

GateStack is operated by Beltech Corp Holdings ("Beltech," "we," "us," or "our"), headquartered in Chicago, Illinois, United States. Beltech is the data controller for personal data processed through the Service.

For privacy inquiries, contact our privacy team at privacy@getgatestack.com.

2. Information We Collect

2.1 Information You Provide:

  • Account information (name, email address, organization name)
  • Payment information (processed by Stripe, Inc. — we do not store card numbers)
  • Project configurations, scope contracts, and governance settings
  • Session logs, gate approval history, and audit trail data
  • Communications with our support team

2.2 Information Collected Automatically:

  • Usage metrics (session duration, actions approved/rejected, feature usage)
  • Device information (browser type, operating system, screen resolution)
  • IP address and approximate geographic location
  • Cookies and similar tracking technologies (see our Cookie Policy)
  • Referral source and pages visited

2.3 Information We Do NOT Collect:

  • We do not read, store, or analyze the content of your generated code
  • We do not use your project data to train AI models
  • For Sovereign (on-premise) deployments, we collect no data whatsoever — the software runs entirely in your environment

3. Lawful Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Contract performance — processing necessary to provide the Service you subscribed to (account management, session governance, audit logging).
  • Legitimate interests — improving the Service, preventing fraud, ensuring security, and communicating service updates. We balance these interests against your rights and do not use this basis for direct marketing without consent.
  • Consent — where required, such as for non-essential cookies and marketing communications. You may withdraw consent at any time.
  • Legal obligation — processing required to comply with applicable laws (tax records, fraud prevention, legal proceedings).

4. How We Use Your Information

  • To provide, operate, and maintain the Service
  • To process payments and manage subscriptions
  • To improve the Service, including Watchman monitoring accuracy (using anonymized, aggregated data only)
  • To communicate service updates, security notices, and account-related information
  • To enforce our Terms of Service and protect against fraud or abuse
  • To respond to your support requests
  • To comply with legal obligations

5. Your Code and Projects

Code generated in your GateStack sessions is yours. We do not use your code, project configurations, or build artifacts to train AI models. Session data used for Watchman improvement is anonymized and aggregated — your individual project content is never exposed. You may delete your project data at any time, and you may export all data in vendor-independent formats (see our Terms of Service, Section 8).

6. Data Sharing and Third Parties

We do not sell your personal information. We do not share your personal data for third-party advertising purposes.

We share data only with:

  • Service providers — hosting (DigitalOcean, Vercel), payment processing (Stripe), error monitoring (Sentry), and email (Resend). These providers process data on our behalf under data processing agreements and are prohibited from using your data for their own purposes.
  • AI model providers — Anthropic, OpenAI, or other providers as configured, solely to process your governance requests. We do not permit model providers to use your data for training. See our Agent Access Policy.
  • Legal requirements — when required by law, legal process, or government request, or to protect the rights, safety, or property of Beltech, our users, or the public.
  • Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to affected users.

7. Cookies and Tracking Technologies

We use cookies and similar technologies for essential functionality, analytics, and preference storage. For complete details, including how to manage or disable cookies, see our Cookie Policy.

8. Data Security

We implement industry-standard security measures including encryption in transit (TLS) and at rest, role-based access controls, HMAC-signed audit logs, regular security assessments, and dependency vulnerability scanning. No method of transmission or storage is 100% secure; we cannot guarantee absolute security but are committed to protecting your data using commercially reasonable measures.

9. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion, we delete your personal data within thirty (30) days, except where retention is required by law (e.g., tax records, fraud prevention) or for legitimate business purposes (e.g., resolving disputes). Anonymized, aggregated data that cannot identify you may be retained indefinitely for analytics and Service improvement.

10. Your Rights

10.1 All Users:

  • Access — request a copy of your personal data
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your data
  • Export — export your data in standard formats
  • Opt-out — opt out of non-essential communications

10.2 EEA/UK Residents (GDPR):

  • Right to restrict processing — request that we limit how we process your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, withdraw at any time
  • Right to lodge a complaint — file a complaint with your local data protection supervisory authority

10.3 California Residents (CCPA/CPRA):

  • Right to know — request disclosure of what personal information we collect, use, and share
  • Right to delete — request deletion of your personal information
  • Right to opt-out of sale — we do not sell personal information. No opt-out is needed because no sale occurs.
  • Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights
  • Authorized agent — you may designate an authorized agent to submit requests on your behalf with proper verification

To exercise any of these rights, contact privacy@getgatestack.com. We respond to all requests within thirty (30) days (or forty-five days for CCPA if an extension is needed, with notice).

11. International Data Transfers

If you are located outside the United States, your personal data may be transferred to and processed in the United States where our servers and service providers are located. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for such transfers. You may request a copy of the applicable SCCs by contacting privacy@getgatestack.com.

Sovereign deployments:For on-premise / Sovereign-tier customers, no data leaves the customer's own environment. International transfer provisions do not apply because Beltech never receives or processes customer data.

12. Data Breach Notification

In the event of a data breach affecting your personal data, we will notify affected users within seventy-two (72) hours of becoming aware of the breach, as required by GDPR and applicable law. Notification will include:

  • The nature and scope of the breach
  • Categories of data affected
  • Measures taken to address the breach
  • Recommendations for protecting yourself
  • Contact information for further inquiries

We will also notify the relevant supervisory authority where required by law.

13. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will delete that data promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least thirty (30) days before they take effect. The "Last updated" date at the top reflects the most recent revision.

15. Contact

Privacy inquiries: privacy@getgatestack.com

General legal: legal@getgatestack.com

Security: security@getgatestack.com

Beltech Corp Holdings · Chicago, Illinois, United States