Privacy Policy
Last updated: March 3, 2026
This Privacy Policy explains how Outgate AI ("we", "us", "our"), operated by Gatewise UG (haftungsbeschränkt), collects, uses, and protects your personal data when you use our AI gateway platform at console.outgate.ai and related services (collectively, the "Service"). We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications-Telemedia Data Protection Act (TTDSG).
1. Controller
The data controller responsible for the processing of your personal data is:
Gatewise UG (haftungsbeschränkt)
Berlin, Germany
Email: support@outgate.ai
2. Data We Collect
2.1 Account Data
When you register for or use the Service, we collect:
- Email address
- Full name
- Password (stored as a cryptographic hash, never in plain text)
- Organization name and membership
- User role and permissions
2.2 Authentication Data
If you sign in using Google OAuth, we receive:
- Your Google email address
- Your Google display name
- Your Google profile picture URL
We do not receive or store your Google password. Authentication is handled entirely by Google's identity services.
2.3 Payment Data
Payment processing is handled entirely by Stripe, Inc. We do not collect, store, or process credit card numbers, bank account details, or other payment credentials. We store only:
- Stripe customer ID (a reference identifier)
- Subscription status and plan type
- Billing period dates
Stripe's privacy policy applies to all payment data: stripe.com/privacy.
2.4 Usage Data
We collect technical data necessary for operating the Service:
- API request logs (timestamps, endpoint paths, response codes)
- IP addresses (for rate limiting and security)
- Browser type and version (from HTTP headers)
- Session identifiers
2.5 Support Data
When you contact support, we collect the information you provide in your ticket (name, email, description of the issue).
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under Article 6(1) GDPR:
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Performance of contract (Art. 6(1)(b)) |
| Service operation and API routing | Performance of contract (Art. 6(1)(b)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Security, fraud prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Usage analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Support ticket handling | Performance of contract / Legitimate interest |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
4. Data Processors and Third Parties
We use the following third-party services that process personal data on our behalf:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, compute | EU (Frankfurt, eu-central-1) | EU data residency, AWS DPA |
| Stripe, Inc. | Payment processing | USA | EU-US Data Privacy Framework, Standard Contractual Clauses |
| Google LLC | OAuth authentication | USA | EU-US Data Privacy Framework, Standard Contractual Clauses |
We have entered into Data Processing Agreements (DPAs) with all processors as required by Article 28 GDPR. Where data is transferred outside the EU/EEA, appropriate safeguards are in place as indicated above.
5. Data Retention
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
- API logs and usage data: Retained for 90 days, then automatically deleted.
- Payment records: Retained for 10 years as required by German tax law (Abgabenordnung, § 147 AO).
- Session data: Automatically expires after 7 days.
- Support tickets: Retained for 2 years after resolution, then deleted.
6. Cookies and Local Storage
The Service uses only strictly necessary session cookies and browser local storage to maintain your authentication state and application preferences. We do not use tracking cookies, advertising cookies, or third-party analytics services.
Data stored in your browser's local storage includes:
- Authentication tokens (for maintaining your session)
- User preferences (selected region, UI state)
- Organization context
As these are strictly necessary for the operation of the Service, no consent is required under Article 5(3) of the ePrivacy Directive and § 25(2) TTDSG.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): You may request correction of inaccurate personal data.
- Right to erasure (Art. 17): You may request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction (Art. 18): You may request that we restrict the processing of your data in certain circumstances.
- Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): You may object to processing based on legitimate interest at any time.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
To exercise any of these rights, please contact us at support@outgate.ai. We will respond within one month as required by the GDPR.
8. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for our operations is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61, 10555 Berlin
Website: datenschutz-berlin.de
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption at rest and in transit (TLS 1.2+)
- Password hashing using industry-standard algorithms
- Two-factor authentication (2FA) option for all accounts
- API key encryption for stored provider credentials
- Access controls and role-based permissions
- Regular security reviews
10. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete such data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice in the Service or by email. Your continued use of the Service after such notification constitutes acceptance of the updated policy.
12. Contact
For any questions about this Privacy Policy or our data practices, please contact:
Gatewise UG (haftungsbeschränkt)
Email: support@outgate.ai
Or use our support form.