
Privacy Policy

This policy explains what data Gated collects, how we use it, and the choices you have. It covers gated.cc, gated.dev, and the Gated scanning product. If you are in Brazil or the EU/EEA, the sections on your rights apply to you under the LGPD and GDPR respectively.

── Last updated · May 24, 2026 ── Questions · legal@gated.cc

01 Controller and contact

Controller: Gated. Contact: privacy@gated.cc.

02 Data we collect

  • Account data. Name, email, organization, and authentication details, managed through our auth provider (Clerk).
  • Scan data. The targets you submit, scan configurations, results, findings, and operational logs generated when a scan runs.
  • Usage and technical data. Standard logs — IP address, browser, timestamps, and product interactions — used to operate and secure the service.
  • Billing data. Handled by our payment processor. We do not store full card numbers.

03 How we use data

We use your data to:

  • Provide the scanning service and deliver results to you.
  • Operate, secure, monitor, and debug the service.
  • Improve Gated — including its checks, detection accuracy, and remediation guidance. This means we process scan results, findings, and logs to make the product better.
  • Communicate with you about your account, scans, and service changes.
  • Meet legal and compliance obligations.

We do not sell your personal data.

04 Legal bases (LGPD / GDPR)

We process data to perform our contract with you, for our legitimate interests in operating and improving the service, to comply with legal obligations, and — where required — with your consent.

05 Sharing

We share data only with subprocessors that help us run Gated, each under contract and only as needed. We may disclose data if required by law. We do not share identifiable scan data with advertisers or data brokers.

06 Subprocessors

The current list of subprocessors used to operate Gated:

  • Amazon Web Services. Hosting, storage, networking, KMS-managed encryption keys, and Bedrock-hosted models used by adversarial scans.
  • Clerk. User authentication, organization, and membership management.
  • Cloudflare. Edge network, DNS, and proxying of analytics traffic.
  • PostHog. Product analytics and usage telemetry.
  • Sentry. Application error monitoring and crash reporting.
  • Stripe. Subscription billing and payment processing.

Material changes to this list are posted here. Questions: privacy@gated.cc.

07 Retention

We retain account and scan data for as long as your account is active, and afterward as needed to meet legal, security, and operational requirements. You can request deletion as described below.

08 Storage and security

Data is encrypted in transit and at rest. Target credentials get an additional layer of envelope encryption with per-organization AWS KMS keys, decryptable only by the scan worker. Infrastructure runs on private subnets. See the Security page for detail.

09 Your rights

Depending on your jurisdiction, you can request to access, correct, export, or delete your data, object to or restrict certain processing, and withdraw consent. To exercise these rights, email privacy@gated.cc. Under the LGPD you may also contact the ANPD; under the GDPR, your local supervisory authority.

10 International transfers

Gated is hosted in the United States. If you access it from elsewhere, your data is transferred and processed in the US under appropriate safeguards.

11 Changes

We’ll update this page when our practices change and revise the date above. Material changes will be communicated to account holders.

12 Contact

Questions: privacy@gated.cc.