Privacy Policy

Effective Date: June 15, 2026

CodeGateway respects your privacy. This Privacy Policy explains what information we collect, how we use it, how we protect it, and the rights you have under data-protection laws such as the GDPR and UK GDPR. The Service is a jurisdiction-aware AI Gateway. For questions about this policy, contact support@codegateway.dev.

1. Data Controller

Data Controller: CodeGateway (WHITEDIT LTD). Registered Address: United Kingdom (WHITEDIT LTD, registered in England and Wales). Contact Email: support@codegateway.dev. If you have any questions about how we handle your data, please contact us at the email above.

2. What Information We Collect

We only collect the minimum information necessary to provide our services:

  • Account Information: Your email address provided during registration.
  • Usage Data: API call logs (model ID, token usage, timestamps) for billing and service monitoring.
  • Technical Data: Browser type, IP address (used solely for security and abuse prevention).

We do NOT collect: Your real name, phone number, physical address, or payment card details (payments are processed by our third-party payment provider Stripe, Inc.; we never store card numbers).

3. We Never Store Your Conversation Content

Our core commitment: CodeGateway operates as a jurisdiction-aware AI Gateway aggregating multiple AI model providers (e.g., Anthropic, OpenAI), routing requests based on the user's jurisdictional context and selected model. For content transmitted through our service, we NEVER store, log, or cache your conversation content (prompts) or model responses (completions).

Specifically:

  • We do not store your prompt or completion text
  • We do not use your conversation data to train any models
  • We do not share your conversation data with any third parties
  • API requests are purged from memory immediately after forwarding

We only log request metadata (model ID, token counts, timestamps) for billing purposes.

4. Legal Basis for Data Processing (GDPR)

Under the General Data Protection Regulation (GDPR), our legal bases for processing your data are:

  • Contract Performance (Art. 6(1)(b)): Processing your account information and API usage data to fulfill our service contract.
  • Legitimate Interest (Art. 6(1)(f)): IP address and browser data used for security and abuse prevention.
  • Consent (Art. 6(1)(a)): Non-essential cookies require your explicit consent.

Regarding special category data: We do not process any special categories of personal data as defined in GDPR Article 9.

5. Your Rights (GDPR Data Subject Rights)

Under GDPR and other applicable data protection laws, you have the following rights:

  • Right of Access (Art. 15): You have the right to know what personal data we hold about you.
  • Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data.
  • Right to Erasure (Art. 17): You have the right to request deletion of your personal data ("right to be forgotten").
  • Right to Restriction (Art. 18): In certain circumstances, you can request that we restrict processing of your data.
  • Right to Data Portability (Art. 20): You have the right to receive your data in a structured format.
  • Right to Object (Art. 21): You have the right to object to processing based on legitimate interests.
  • Right to Withdraw Consent: You may withdraw consent for non-essential cookies at any time.

To exercise your rights: Please email support@codegateway.dev. We will respond to your request within 30 days.

6. Data Processors

Our data processors are layered into "Direct Data Processors" and "Sub-Processors via Cloudflare AI Gateway" under GDPR Article 28 / UK GDPR Article 28.

6.1 Direct Data Processors (with whom we have entered into DPAs or equivalent contractual arrangements):

  • Cloudflare, Inc. (Delaware, USA) and Cloudflare Pte. Ltd. (Singapore) — Role: Data Processor. Purpose: AI Gateway routing and Unified Billing (initiating calls to upstream AI model providers on our behalf and settling billing), edge compute (Workers), D1 database and KV storage, CDN, WAF, DDoS protection, DNS. Scope: request/response traffic, usage metadata, billing data. Deployment: US / EEA / Singapore / global edge.
  • Stripe, Inc. (Delaware, USA) and Stripe Payments Europe Ltd (Dublin, Ireland) — Role: Data Processor. Purpose: processes subscriptions, top-ups, refunds and maintains transaction records (see Refund Policy). Stripe Payments Europe Ltd serves as contracting counterparty for UK/EEA users. Stripe independently stores cardholder data under its own privacy policy and PCI-DSS controls; we do not handle card numbers.

6.2 Sub-Processors via Cloudflare AI Gateway (transparent disclosure):

Through the Cloudflare AI Gateway Unified Billing arrangement, Cloudflare forwards your requests to the following AI model providers as its sub-processors. CodeGateway does NOT hold a direct contractual relationship with these providers; Cloudflare is responsible for ensuring GDPR Article 28 / UK GDPR Article 28 compliance for these sub-processors under the Cloudflare Customer DPA that we have signed.

  • Anthropic, PBC (United States) — provides Claude family AI models via Cloudflare AI Gateway Unified Billing. Anthropic processes data under its own privacy policy and Anthropic Business Terms and does not train on data submitted via the API.
  • OpenAI, LLC / OpenAI Ireland Limited — provides GPT family AI models (including the Responses API) via Cloudflare AI Gateway Unified Billing. OpenAI does not use API-submitted content for training by default.
  • Google LLC / Google Ireland Limited — provides Gemini family AI models via Cloudflare AI Gateway Unified Billing (where enabled).
  • (Additional model providers Cloudflare adds in future follow the same path.)

Cloudflare's authoritative sub-processor list and Customer DPA are available at:

  • https://www.cloudflare.com/cloudflare-customer-dpa/
  • https://www.cloudflare.com/cloudflare-sub-processors/

6.3 Other Direct Processors (where applicable):

  • Google LLC (United States) — Google Tag Manager (GTM) and Google Analytics, consent-gated (see Cookie Policy §4).
  • (This sub-section will be updated as we add other direct processors.)

All Direct Data Processors above are bound by written contracts (DPAs, SCCs, or equivalent). Cloudflare's compliance obligations toward its sub-processors (§6.2) are backstopped by the Cloudflare Customer DPA.

7. Data Retention

  • Account Data: Retained for the duration of your account and deleted within 30 days after account deletion.
  • API Usage Logs: Retained for 90 days for billing and reconciliation, then automatically deleted.
  • Conversation Content: NOT retained (see "We Never Store Your Conversation Content" section).
  • Cookie Data: Managed per our Cookie Policy; you can clear them at any time.

8. International Data Transfers

Our servers are deployed on Cloudflare's global network. Your data may be processed outside your country of residence. For personal data transferred from the EU/EEA or the United Kingdom to a third country, we rely on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (UK IDTA) as the primary transfer basis; for transfers to processors that have self-certified under the EU-US Data Privacy Framework (DPF), the DPF may serve as a supplementary basis. If the DPF adequacy decision is invalidated or withdrawn, all relevant transfers will automatically fall back to SCCs / UK IDTA as the sole basis.

Specific cross-border transfer paths:

  • Anthropic, PBC (United States): SCCs + UK IDTA as primary transfer basis, EU-US DPF as supplementary basis (where Anthropic's self-certification is in effect).
  • OpenAI OpCo, LLC (Delaware, USA): transfers from OpenAI Ireland Limited (EEA / UK contracting counterparty) to OpenAI OpCo, LLC rely on SCCs + UK IDTA as primary transfer basis, EU-US DPF as supplementary basis.
  • Stripe, Inc. (Delaware, USA): transfers from Stripe Payments Europe Ltd (UK / EEA contracting counterparty) to Stripe, Inc. rely on SCCs + UK IDTA as primary transfer basis, EU-US DPF (where Stripe holds valid certification) as supplementary basis.
  • Cloudflare, Inc. (United States): SCCs + UK IDTA as primary transfer basis, EU-US DPF as supplementary basis.

Data residency scope: CodeGateway does not currently operate any service node within mainland China, nor does it offer the Services to data subjects in mainland China (see Terms of Service "Geographic Restrictions"). If, in the future, services are launched under mainland China jurisdiction, we will separately publish, under Phase 4 (Issue #95), the lawful bases for cross-border transfer under the Personal Information Protection Law (PIPL) — one of: security assessment, personal-information-protection certification, or standard contract (PIPL Article 38).

9. Data Security

We take reasonable technical and organizational measures to protect your data:

  • All data in transit is encrypted using TLS (HTTPS)
  • API Keys are stored with encryption
  • Access controls limit data access permissions
  • Regular security audits and vulnerability assessments

While we strive to protect your data, no method of Internet transmission or storage is 100% secure.

10. Children's Privacy

Our services are not directed to children under 16. We do not knowingly collect personal information from children. If we discover we have collected data from a child, we will delete it immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For significant changes, we will notify you via email or a notice on our website. Continued use of our services constitutes acceptance of the updated policy.

The most recent update date is shown at the top of this page. This amendment takes effect on June 15, 2026, after a 30-day notice period.

12. Contact Us

If you have any questions or concerns about this Privacy Policy, please contact us:

  • Email: support@codegateway.dev

If you believe we have mishandled your data, you have the right to lodge a complaint with the data protection authority in your jurisdiction (EU users: your member-state DPA; UK users: the ICO).

Data Protection Officer (DPO): Pursuant to GDPR Article 37(1), CodeGateway as a small organization (fewer than 250 employees) is not required to designate a DPO. For data protection inquiries or to exercise your rights, please contact: support@codegateway.dev

13. PIPL (Personal Information Protection Law of the PRC) — Reserved Section

As of the effective date of this Privacy Policy, CodeGateway does not offer the Services to data subjects located in mainland China (see Terms of Service "Geographic Restrictions"). Accordingly, this Privacy Policy does not, at present, set out PIPL-specific compliance terms.

When CodeGateway formally launches mainland-China-jurisdiction services under Phase 4 (see transformation roadmap Issue #95), specific PIPL clauses will be added to this Section, including without limitation:

  • Separate consent mechanisms (PIPL Articles 14, 23, 39);
  • Minimum-necessary disclosure of purposes, methods, scope, and retention of personal information processing (PIPL Article 17);
  • Lawful bases for cross-border provision of personal information (PIPL Article 38: one of security assessment / personal-information-protection certification / standard contract, with the specific pathway determined by the then-applicable data scale and sensitivity);
  • Obligations of the personal information processor, and a summary of the Personal Information Protection Impact Assessment (PIPIA);
  • Data subject rights to access, copy, correct, delete, port, and obtain explanation of personal information (PIPL Articles 44–50);
  • Establishment of a mainland-China representative and contact information (if applicable).

Until Phase 4 is implemented, the Services are not offered to data subjects in mainland China, and the Terms of Service "Geographic Restrictions" clause shall apply.