Privacy Policy

Effective: 2025-01-01 | Last updated: 2026-04-16 | v2.0

1 Who is responsible

This Privacy Policy describes how Gatefare ("we", "us") processes personal data when you visit the Gatefare site, create an account, register an API, or send requests through a Proxy URL.

Gatefare is the controller for data about its own account holders (Publishers) and for the operational metadata we collect to run the Service. When we route a Consumer's request to a Publisher's Target API, Gatefare acts as a proxy (processor): the Publisher is the controller of any personal data the Consumer sends to, or receives from, the Target API.

2 What we collect

2.1 Account data (Publishers)

  • Email address, password hash (bcrypt), optional display name;
  • Wallet addresses you provide for payouts;
  • Timestamp of Terms acceptance.

2.2 API listing metadata

  • Slug, name, description, price, Target URL, forwarded headers (including any API keys you configure) — encrypted at rest where feasible;
  • Counters: total requests, revenue, earnings, platform fees, payouts.

2.3 Operational logs

  • Request timestamp, slug, HTTP method, response status code, bytes transferred, latency;
  • Client IP address and user-agent string, truncated or hashed where feasible;
  • Payment envelope metadata: chain, scheme, amount, transaction hash, facilitator response;
  • Audit log of security-relevant actions (login, registration, suspension, admin access).

Request/response bodies: Gatefare streams request and response bodies between Consumers and Target APIs in memory. We do not persistently store request payloads or response bodies. Upstream Publisher servers may log them independently.

2.4 Cookies & tokens

We use a JWT issued to your browser (stored in localStorage) for authentication. We do not use third-party advertising cookies. We may use privacy-preserving analytics (self-hosted, aggregate, no cross-site tracking) to measure product usage.

3 Why we process it (legal bases)

  • Contract (art. 6(1)(b) GDPR): operating the account, registering APIs, routing requests, calculating payouts.
  • Legitimate interest (art. 6(1)(f) GDPR): security, fraud/abuse prevention, system monitoring, abuse-report handling.
  • Legal obligation (art. 6(1)(c) GDPR): tax, accounting, sanctions screening, responding to law-enforcement requests, DMCA and CSAM reporting.
  • Consent (art. 6(1)(a) GDPR): optional analytics or marketing communications (opt-in only).

4 Sharing

We share personal data only with:

  • Infrastructure providers (hosting, database, email, RPC, x402 facilitator) under data-processing agreements;
  • Blockchain networks (Base, Base Sepolia) — wallet addresses, transaction hashes, and amounts become public on-chain by design;
  • Law enforcement and regulators where required by valid legal process;
  • Trusted safety partners (NCMEC, IWF, Stop NCII, INHOPE) when reporting illegal content.

We do not sell personal data and do not share it for third-party advertising.

4A Cookies & browser storage

We use a small, named set of browser storage items. Strictly necessary items run on legitimate interest / contract; everything else requires explicit consent via our cookie banner. You can review or change your choice anytime via Cookie preferences in the footer.

| Name | Type | Purpose | Lifetime | Category |
|---|---|---|---|---|
| gf_session | Cookie (HttpOnly, Secure, SameSite=Strict) | Authenticated session JWT | 7 days | Strictly necessary |
| token | localStorage | Bearer token for client-side fetch calls (mirrors session cookie) | Until sign-out | Strictly necessary |
| gatefare:theme, gatefare:accent | localStorage | Remembers dark/light + accent color choice | Until cleared | Strictly necessary (UI preferences) |
| gatefare:catalog:recent | localStorage | Last few catalog searches for the search-box dropdown | Until cleared | Strictly necessary |
| gatefare:settings:tab | localStorage | Active dashboard Settings tab on reload | Until cleared | Strictly necessary |
| gatefare:consent | localStorage | Records your cookie-banner choice | Until you reset it | Strictly necessary (the consent record itself) |
| gf:wv:sid | sessionStorage | Random ID grouping Web Vitals samples for one tab session. Not linked to your account. | Tab session | Analytics — opt-in |

We do not embed third-party trackers, ad networks, or cross-site analytics. Web Vitals are sent to our own /api/metrics/web-vitals endpoint only when you opt in. We do not sell, share, or otherwise process this data for advertising.

5 Retention

  • Account data: while the account is active, plus up to 12 months after deletion for fraud prevention and legal claims;
  • Audit logs: up to 24 months;
  • Financial / tax records: as required by applicable law (typically 5-10 years);
  • On-chain data is immutable and outside our control.

6 Your rights

Subject to applicable law (GDPR, UK GDPR, CCPA/CPRA, etc.), you may:

  • Access the personal data we hold about you;
  • Request correction or deletion;
  • Object to, or restrict, certain processing;
  • Receive your data in a portable format;
  • Withdraw consent where processing is based on consent;
  • Lodge a complaint with your local data-protection authority.

Exercise requests: [email protected]. We handle data-rights requests in line with applicable law (e.g. GDPR Art. 12 sets a one-month default with extensions available for complex cases) and reply as soon as is reasonably practicable.

7 Security

We apply industry-standard protections: TLS in transit, encrypted disks at rest, bcrypt password hashing, scoped access controls, audit logging, and rate-limiting. No system is fully secure; report suspected vulnerabilities to [email protected] (PGP key on request).

8 International transfers

We may transfer personal data outside your country of residence to our infrastructure providers. Where required, we use Standard Contractual Clauses (EU), UK IDTA, or equivalent safeguards.

9 Children

Gatefare is not intended for users under 18 and we do not knowingly collect personal data from minors. If you believe a child has provided personal data to us, contact us and we will delete it.

10 Changes

We may update this Privacy Policy. Material changes will be announced via email or dashboard notice. The "Last updated" date at the top reflects the latest version.

Privacy contacts

Data requests: [email protected]

Security: [email protected]

General: [email protected]