Legal // Privacy
Privacy Policy
Effective: June 16, 2026
This Policy explains how Nextera Consulting (“we,” “us”) handles personal data for Gatekeeper. For account and usage metadata we act as a data controller. For the content you route through the gateway, we act as a data processor on your behalf and on your instructions.
1. Data We Collect
- ▸Account data: email and authentication data needed to provide access and billing.
- ▸Usage & gateway logs: tenant/App ID, user identifier, model or service, method, path, token counts, cost estimate, status, latency, timestamp. We do not store the bodies of your AI prompts/responses or REST request/response payloads.
- ▸Credentials you upload: third-party API keys, stored encrypted at rest (AES-256-GCM) and decrypted only server-side at call time. They are never returned to the browser — only a masked tail is shown.
- ▸Session cookie: a signed “gk_session” cookie set on login, expiring after 24 hours.
- ▸IP address: used transiently for rate limiting and abuse prevention.
2. How We Use Data & Legal Bases
We use data to operate the Service, authenticate you, enforce budgets, rate limits and quotas, display telemetry, prevent abuse, bill you, and comply with law. Where GDPR applies, our legal bases are: performance of a contract (providing the Service), legitimate interests (security, abuse prevention, improving the Service), legal obligation, and consent where required. We do not sell your personal data or share it for cross-context behavioral advertising.
3. Subprocessors & Recipients
- ▸Supabase — database for configs, logs, and encrypted credentials
- ▸Upstash — ephemeral rate-limit counters
- ▸Vercel — application hosting and platform logs
- ▸Stripe — payment processing for paid plans (handles your payment details directly)
- ▸Sentry — error monitoring; receives error messages, stack traces, and session context (e.g. user ID, page) when an error occurs. Auth headers are scrubbed before send.
- ▸Resend — transactional email delivery (welcome, billing, and budget-alert emails); receives your email address
- ▸PostHog — product analytics, active only after you accept analytics cookies; receives anonymized usage events
- ▸Upstream APIs you configure (e.g. OpenAI, Anthropic, or any REST service) — receive the requests you route, under their own terms
4. International Transfers
The Service is operated in the United States and data may be processed there and in other countries where our subprocessors operate. Where required, transfers from the EEA/UK rely on appropriate safeguards such as the Standard Contractual Clauses.
5. Data Retention
Usage and gateway logs are retained for up to 12 months and then purged automatically. Encrypted credentials are kept until you delete them or close your account. Account and billing records are retained as required for legal and tax purposes. You may request earlier deletion (see Section 7).
6. Security
We use encryption in transit (TLS) and at rest (AES-256-GCM for stored credentials), hash inbound gateway keys, enforce service-role access controls, and apply rate limiting. No system is perfectly secure; we cannot guarantee absolute security. If we become aware of a breach affecting your personal data, we will notify you and authorities as required by law.
7. Your Rights (GDPR, UK GDPR, CCPA/CPRA)
Depending on where you live, you may have the right to access, correct, delete, restrict, or port your personal data, to object to certain processing, and to withdraw consent. California residents may request to know, delete, and correct personal information, and to opt out of “sale”/“sharing” (we do neither); we will not discriminate against you for exercising these rights. To exercise any right, contact consulting.nextera@gmail.com; we may verify your identity. EEA/UK users may also lodge a complaint with their supervisory authority. A Data Processing Addendum is available to business customers on request.
8. Children & Sensitive Data
The Service is for businesses and is not directed to children under 16, and we do not knowingly collect their data. Do not route special-category or highly sensitive personal data through the Service unless you are authorized and have a lawful basis to do so.
9. Cookies
We use functional cookies required for authentication (the “gk_session” cookie and Supabase session cookies) and a preference value that remembers your cookie choice. With your consent, PostHog sets analytics cookies to measure product usage; these activate only after you click “Accept” on our cookie banner and never run if you decline. We do not set advertising or cross-site tracking cookies. Full details are in our Cookie Policy.
10. Changes & Contact
We may update this Policy and will revise the effective date for material changes. Questions or requests: Nextera Consulting — consulting.nextera@gmail.com.