Privacy Policy | GatewayHost

GatewayHost is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our messaging gateway service, API, dashboard, and related services.

1. Information We Collect

1.1 Information You Provide

Account Information:

Email address
Name or organization name
Password (stored in hashed form)
Billing information (processed by third-party payment providers)
Team member information (if applicable)

Communication Data:

Support requests and correspondence
Feedback and survey responses

1.2 Information Collected Automatically

Usage Data:

API request logs (endpoints called, timestamps, response codes)
Message metadata (sender identifiers, recipient identifiers, timestamps, message counts)
Dashboard activity logs
Feature usage patterns

Technical Data:

IP addresses
Browser type and version
Device information
Operating system
Referring URLs

Analytics Data:

Service performance metrics
Error logs and debugging information
Aggregated usage statistics

1.3 Information We Do NOT Collect

Message Content:

The XMTP network uses end-to-end encryption with the Messaging Layer Security (MLS) protocol. We cannot read, access, or store the content of messages transmitted through our Service. Message content is encrypted on the sender's device and can only be decrypted by intended recipients.

Wallet Private Keys:

We never collect or store your cryptographic private keys.

2. How We Use Your Information

2.1 Provide and Maintain the Service

Process and route messages through the XMTP network
Authenticate your access to the Service
Manage your account and subscription
Process payments and billing

2.2 Improve and Develop the Service

Analyze usage patterns to improve functionality
Identify and fix bugs and technical issues
Develop new features and services
Conduct research and analytics

2.3 Communicate with You

Send service-related notifications
Respond to your inquiries and support requests
Provide important updates about the Service
Send marketing communications (with your consent)

2.4 Ensure Security and Compliance

Detect and prevent fraud, abuse, and security threats
Enforce our Terms of Service
Comply with legal obligations
Protect the rights and safety of our users

3. How We Share Your Information

We do not sell your personal information.

We may share your information in the following circumstances:

3.1 Service Providers

We share information with third-party service providers who perform services on our behalf, including:

Cloud hosting providers (e.g., Cloudflare, Vercel)
Payment processors (e.g., Stripe)
Analytics providers (e.g., PostHog)
Customer support tools
Email service providers

These providers are contractually obligated to protect your information and use it only for the services they provide to us.

3.2 XMTP Network

To deliver messages, we interact with the decentralized XMTP network. The network processes:

Encrypted message payloads
Sender and recipient identifiers
Message routing information

The XMTP network is decentralized and operates independently. Please review XMTP's documentation for information about network-level data handling.

3.3 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities, including:

Court orders or subpoenas
Government or regulatory requests
Law enforcement investigations

3.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

3.5 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

4. Data Retention

We retain your information for as long as necessary to:

Provide the Service to you
Comply with legal obligations
Resolve disputes
Enforce our agreements

Data Type	Retention Period
Account Data	While account is active + reasonable period
Usage Logs	Up to 90 days
Billing Records	7 years (legal requirement)
Aggregated Data	Indefinitely (anonymized)

Upon account deletion, we will delete or anonymize your personal information within 30 days, except where retention is required by law.

5. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

Encryption in transit (TLS 1.3)
Encryption at rest for stored data
Access controls and authentication
Regular security assessments
Employee security training
Incident response procedures

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Your Rights and Choices

Depending on your location, you may have the following rights:

6.1 Access and Portability

You can request a copy of your personal information in a structured, machine-readable format.

6.2 Correction

You can update or correct inaccurate personal information through your account settings or by contacting us.

6.3 Deletion

You can request deletion of your personal information, subject to certain exceptions (e.g., legal retention requirements).

6.4 Restriction and Objection

You can request that we restrict processing of your information or object to certain processing activities.

6.5 Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time.

6.6 Marketing Communications

You can opt out of marketing communications by:

Clicking "unsubscribe" in our emails
Updating your communication preferences
Contacting us directly

To exercise these rights, please contact us at privacy@gatewayhost.dev.

7. International Data Transfers

We operate globally and may transfer your information to countries other than your country of residence. When we transfer data internationally, we implement appropriate safeguards:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data processing agreements with service providers
Compliance with applicable data transfer frameworks

8. Specific Jurisdictional Rights

8.1 European Economic Area (EEA), UK, and Switzerland

If you are located in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent laws:

Legal Bases for Processing:

Contract: To provide the Service you requested
Legitimate Interests: For analytics, security, and service improvement
Consent: For marketing communications
Legal Obligation: For compliance with laws

Data Protection Authority: You have the right to lodge a complaint with your local data protection authority.

8.2 California Residents

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), California residents have the following rights:

Right to Know: What personal information we collect and how we use it
Right to Delete: Request deletion of your personal information
Right to Correct: Request correction of inaccurate information
Right to Opt-Out: Opt out of the sale or sharing of personal information
Right to Non-Discrimination: Receive equal service regardless of exercising your rights

We do not sell personal information as defined under the CCPA/CPRA.

Category	Examples	Collected
Identifiers	Email, name, IP address	Yes
Commercial Information	Transaction history, subscription details	Yes
Internet Activity	Usage logs, analytics data	Yes
Professional Information	Organization name, role	Yes
Sensitive Personal Information	N/A	No

9. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child, we will delete it promptly. If you believe we have collected information from a child, please contact us.

10. Third-Party Links and Services

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

Authenticate users and maintain sessions
Remember your preferences
Analyze usage patterns
Improve the Service

Types of Cookies:

Essential Cookies: Required for the Service to function
Analytics Cookies: Help us understand how you use the Service
Preference Cookies: Remember your settings and choices

You can control cookies through your browser settings. Disabling certain cookies may affect Service functionality.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Posting the updated policy on our website
Updating the "Last Updated" date
Sending you an email notification (for material changes)

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

13. Data Processing Addendum

For customers who require a Data Processing Addendum (DPA) for GDPR compliance or other regulatory requirements, please visit our DPA page or contact us at legal@gatewayhost.dev.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Privacy Inquiries: privacy@gatewayhost.dev

General Contact: support@gatewayhost.dev

Response Time: We aim to respond to privacy-related inquiries within 30 days.

Summary of Key Points

Topic	Summary
Message Content	End-to-end encrypted; we cannot read your messages
Data We Collect	Account info, usage data, technical data
Data Sharing	Service providers, legal requirements only
Data Sales	We do not sell your personal information
Your Rights	Access, correct, delete, port your data
Security	Industry-standard encryption and security measures
Retention	Only as long as necessary
International Transfers	Protected by appropriate safeguards

By using our Service, you acknowledge that you have read and understood this Privacy Policy.