BETA · GateTest is in active polish ahead of public launch. Some flows are rough. Found a bug? hello@gatetest.ai — we're reading every message.

Privacy Policy

Effective date: April 9, 2026

Draft notice.This Privacy Policy is an operator-authored draft intended to describe GateTest's data-handling posture prior to attorney review. Several sections (in particular the GDPR, CCPA, sub-processor, and data-transfer sections) are marked "DRAFT — requires attorney review" and should not be treated as final until that review is complete.

1. Who We Are

GateTest ("we", "us", "our") operates the website gatetest.ai and provides automated code quality scanning services. This Privacy Policy explains what personal data we collect, how we use it, how we protect it, and your rights regarding your data. It applies to all users of our website, GitHub App, CLI tool, and paid scanning services.

Contact for privacy matters. For any question, complaint, or request relating to this Policy or your personal data, contact us at hello@gatetest.ai. We intend to respond substantively within thirty (30) days, and sooner where required by applicable law.

1A. Controller vs Processor Roles

[DRAFT — requires attorney review. Controller / processor characterisation must be confirmed for each data category and each customer context. Where a business customer uploads repositories that contain personal data of its own end users, GateTest is typically a processor and the customer is the controller; a Data Processing Addendum (DPA) should govern.]

For the purposes of the EU / UK GDPR and analogous laws, GateTest acts as:

  • Controller for personal data that you give us directly to run our business — for example, your account email address, the repository URLs you submit, your payment metadata (receipts, the last four digits of a card, the billing country), and web-server logs.
  • Processor for personal data that may be contained in code, commits, issues, or other repository content submitted to the Service — including any personal data of your users, employees, or third parties that may appear in source files, configuration, comments, or logs you expose to the Service. You remain the controller of that data. If you require a formal Data Processing Agreement (DPA) or Standard Contractual Clauses (SCCs) to govern that processing, contact us.
  • Joint-controller or independent-controller relationships with our sub-processors (for example, Stripe for payment processing, where Stripe is an independent controller for fraud-prevention and regulatory purposes).

2. Data We Collect

2.1 Account and Payment Data

  • Email address (for scan delivery, receipts, and communication)
  • Payment information (processed entirely by Stripe — we never see, store, or have access to your full card number, CVV, or billing address)
  • GitHub username and organisation name (when installing the GitHub App)
  • Repository URLs submitted for scanning

2.2 Repository Data

  • Source code is accessed temporarily in memory during the scan process
  • Source code is NOT permanently stored on our servers, databases, or any persistent storage
  • Source code is NOT copied, cached, backed up, or retained after the scan completes
  • Scan results (pass/fail outcomes, issue descriptions, file paths, line numbers) are stored for report delivery
  • Scan results do NOT contain your actual source code — only metadata about issues found

2.3 Website Data

  • Standard web server logs (IP address, browser type, referring URL, pages visited, timestamps)
  • We do NOT use third-party tracking cookies
  • We do NOT use advertising pixels or retargeting
  • We do NOT use Google Analytics or similar tracking services
  • We do NOT sell, rent, or trade any user data to third parties

2.4 Distilled Fix Recipes (Cross-Customer Learning)

To improve our deterministic fix engine over time, GateTest may store small, anonymised snippets of code patterns that our AI successfully repaired (typically 1–3 KB per pattern). Before storage these snippets are stripped of identifiers, project names, file paths, and other potentially identifying values, and reduced to a generic before/after transformation. The resulting snippets become deterministic rules in our fix engine that benefit all customers — your scan's fixes become faster and cheaper to produce, and so do everyone else's.

Opt-out: you can disable distillation for your runs by setting the environment variable GATETEST_DISTILL_OPT_OUT=1 in your CI environment (or in the request body when calling our APIs directly). When this flag is set, no snippets from your runs are stored, and the corresponding patterns do not feed back into the shared fix-recipe store.

We do NOT store distilled snippets that retain customer identifiers, repository URLs, customer-named symbols, secrets, or any data that could be used to re-identify a specific customer or codebase. We do NOT resell the recipe store as a standalone product, license it to third parties, or use it for any purpose other than improving the fix engine for paying customers of GateTest.

3. How We Use Your Data

We use your data strictly for the following purposes:

  • Performing the code scan you requested and paid for
  • Delivering scan reports and auto-fix pull requests
  • Processing payments via Stripe
  • Sending transactional communications (scan status, receipts)
  • Responding to support enquiries
  • Improving scan accuracy and module quality (using aggregate, anonymised data only)

We absolutely DO NOT:

  • Sell, rent, lease, or trade your personal data or code to any third party
  • Use your source code for training AI models or machine learning
  • Share your code or scan results with other customers
  • Use your data for advertising, profiling, or marketing to third parties
  • Access your repositories outside the scope of the requested scan
  • Retain your source code after the scan is complete

4. AI Code Review Data Handling

If your scan includes the AI-powered code review module, relevant code snippets from the files being reviewed are sent to the Anthropic Claude API for analysis. This data handling is governed by the following:

  • Anthropic's API usage policy explicitly prohibits using API inputs for model training
  • Code sent for AI review is processed in real-time and is not stored by Anthropic after analysis
  • Only files selected for review are sent — not your entire repository
  • You may opt out of AI review by selecting a scan tier that does not include it

5. GitHub App Data

If you install the GateTest GitHub App on your account or organisation:

  • We receive webhook events for push and pull request activities on connected repositories
  • We receive temporary read access to repository contents for the purpose of scanning
  • We do not access repositories that are not connected to the App
  • We do not access any repositories after the App is uninstalled
  • You can revoke access at any time by uninstalling the App from your GitHub settings
  • Uninstallation is immediate and irrevocable — we lose all access instantly

6. Data Retention Schedule

[DRAFT — requires attorney review. Retention windows should be confirmed against NZ tax law, the Financial Reporting Act 2013, the Privacy Act 2020 storage-limitation principle, and counterpart retention-limitation rules under GDPR (Art. 5(1)(e)) and CCPA / CPRA. Where scan results are retained "indefinitely while paid account active", counsel should confirm the documented lawful basis and storage- limitation justification.]

  • Source code: NOT stored. Accessed in memory during the scan window, discarded immediately upon scan completion. Zero persistent retention.
  • Scan results (metadata — findings, file paths, line numbers, severity, summary): retained for thirty (30) days for free-tier scans, and for the duration of an active paid account (while the account is in good standing), for historical reference, trend analysis, and re-download. On account deletion or downgrade below a retaining tier, scan results are purged within thirty (30) days.
  • AI code-review output: retained on the same schedule as the related scan report. The input snippets sent to the AI provider are not retained by us after the response is received.
  • Session tokens and authentication cookies: retained for thirty (30) days of inactivity, then expired.
  • Server logs: retained for thirty (30) days for security, abuse detection, and debugging, then deleted on rotation.
  • Account records (email, GitHub account link, subscription status):retained while your account is active. On deletion, purged from production systems within thirty (30) days, with backups rotating out on our normal schedule.
  • Payment records: retained as required by New Zealand tax and financial-reporting law (currently seven (7) years), and for equivalent statutory periods in any other applicable jurisdiction.
  • Transactional email: delivery logs retained for thirty (30) days; content retained by our email-delivery sub-processor per its retention policy.
  • Support correspondence: retained for three (3) years from last contact, then deleted.
  • Deleted-account data: purged from production systems within thirty (30) days of deletion request. Short-lived backups may persist for the backup-rotation window and are then deleted.

7. Data Security

  • All connections to gatetest.ai are encrypted via TLS 1.2+ (HTTPS)
  • Payment processing is handled entirely by Stripe (PCI-DSS Level 1 compliant)
  • Repository access uses GitHub's authenticated API with time-limited installation tokens
  • Minimal permissions requested — read-only for contents, write only for PR comments and commit statuses
  • No source code is written to disk, databases, or persistent storage at any point
  • Infrastructure hosted on Vercel with SOC 2 Type II compliance

7A. Cookies and Local Storage

[DRAFT — requires attorney review. The strictly-necessary-by-default posture, and the opt-in model for any non-essential analytics, should be confirmed against EU/UK ePrivacy rules and the Privacy and Electronic Communications Regulations.]

We use the minimum set of cookies and local-storage items necessary to operate the Service. By default, only strictly necessary cookies are set:

  • Session / authentication cookies — required to keep you logged in and to protect against CSRF. Flagged Secure, HttpOnly, and SameSite=Lax or Strict.
  • Checkout state — a short-lived cookie set by Stripe during the checkout session to complete the payment flow.
  • Consent cookie — records your cookie-banner preferences where a banner is shown.

We do not set advertising, retargeting, or cross-site tracking cookies. Any non-essential analytics (for example, aggregate page-view telemetry to improve the product) will be opt-in and will not run unless you have given explicit consent in regions that require it (EU, UK, EEA, Switzerland).

8. Your Rights

[DRAFT — requires attorney review. The timeline commitments and verification process should be confirmed against the Privacy Act 2020 (NZ), GDPR Articles 12-23, UK GDPR, and CCPA/CPRA response windows.]

Regardless of your location, you have the following rights regarding your personal data. Some of these rights are absolute; others are subject to conditions and exemptions under applicable law.

  • Right to access: request confirmation of whether we hold personal data about you, and a copy of that data.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): request permanent deletion of your data. We will delete within thirty (30) days unless retention is required to meet a legal obligation (for example, tax records), to establish, exercise, or defend a legal claim, or for other lawful grounds recognised by applicable law.
  • Right to portability: request your data in a structured, commonly-used, machine-readable format.
  • Right to restrict processing: request that we stop certain processing while a dispute is resolved.
  • Right to object: object to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent: where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to solely automated decisions: scan results are informational tools, not automated decisions with legal effect.
  • Right to lodge a complaint: complain to your local data-protection authority (see Section 13).

How to exercise a right. Email hello@gatetest.ai with a clear description of the right you wish to exercise and the account email or identifier we should use to locate your data. We may ask for reasonable information to verify your identity before acting on a request, to protect you against unauthorised access.

Response timeline. We intend to acknowledge your request within five (5) business days and respond substantively within thirty (30) days, or within the shorter period required by applicable law (including twenty (20) working days under the New Zealand Privacy Act 2020, one (1) month under GDPR Art. 12(3), and forty-five (45) days under the CCPA / CPRA, in each case extendable only where permitted by the applicable law). Requests are handled without charge except where they are manifestly unfounded, excessive, or repetitive, in which case a reasonable fee may apply or we may refuse the request, as permitted by applicable law.

9. International Data Transfers and Safeguards

[DRAFT — requires attorney review. Counsel should confirm that the listed transfer mechanisms (SCCs, adequacy decisions) are each in effect with the relevant sub-processor at launch, and should assess whether supplementary measures under Schrems II are required for any US-bound transfer.]

Because our infrastructure providers and sub-processors operate in the United States (and, in some cases, the European Union, United Kingdom, and other jurisdictions), your personal data may be transferred to, stored in, and processed in countries outside your home jurisdiction. Those countries may not have data-protection laws considered equivalent to those in your country.

Transfer mechanisms we rely on:

  • EU / UK / Swiss transfers:the European Commission's Standard Contractual Clauses (SCCs) (as updated June 2021), the UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs, and the Swiss Federal Data Protection and Information Commissioner's approved clauses, each as implemented in sub-processor DPAs.
  • Adequacy decisions: where the destination country benefits from an adequacy decision issued by the European Commission or the UK Secretary of State (including the EU-US and UK-US Data Privacy Frameworks for certified recipients), we rely on that decision as the transfer basis.
  • New Zealand transfers: where applicable, we rely on the transfer mechanisms permitted under Part 1B of the New Zealand Privacy Act 2020, including comparable-safeguards agreements with sub-processors.
  • Other jurisdictions: we apply equivalent contractual and organisational safeguards, and perform a transfer-impact assessment where applicable law requires one.

You may request a copy of the transfer mechanism we rely on for your data by emailing hello@gatetest.ai.

10. Children's Privacy (COPPA and GDPR Article 8)

[DRAFT — requires attorney review. The COPPA threshold (13) and GDPR Article 8 Member State age (13-16) must be confirmed for each applicable jurisdiction.]

The Service is not directed at children and is intended for users aged eighteen (18) or older (see Terms of Service, Section 24). We do not knowingly collect personal data from:

  • Children under thirteen (13) in the United States (in accordance with the Children's Online Privacy Protection Act, COPPA).
  • Children under sixteen (16) in the European Economic Area, Iceland, Liechtenstein, and Norway, or under the applicable Member State age threshold (which may be as low as thirteen (13) in some Member States) pursuant to Article 8 of the GDPR, without verifiable parental or guardian consent.
  • Children under the applicable age threshold in any other jurisdiction (for example, under the UK Age Appropriate Design Code).

If we become aware that we have inadvertently collected personal data from a child below the applicable threshold without verifiable parental or guardian consent, we will delete that data as soon as reasonably practicable. A parent or guardian who believes a child has provided data to us should contact hello@gatetest.ai.

11. Sub-Processors and Third-Party Services

[DRAFT — requires attorney review. The sub-processor list and the DPA references below must be confirmed current at launch. For each sub-processor, counsel should confirm (i) the DPA or equivalent in force, (ii) the lawful transfer mechanism for EU / UK data (typically SCCs plus supplementary measures or a valid adequacy decision), and (iii) the minimum data actually shared.]

We rely on the following sub-processors to operate the Service. For each, we list what they see, why, and the data-protection framework we rely on. This list is updated when sub-processors change; material changes are notified in advance where required by applicable law or your DPA.

  • Stripe, Inc. (United States / Ireland) — payment processing, fraud-prevention, tax calculation.
    Sees: payment-method token, card BIN / last four, billing country, customer email, amount, currency, GateTest scan metadata (scan ID, tier).
    Governed by:Stripe's Data Processing Addendum and Standard Contractual Clauses (SCCs) for EU/UK transfers where applicable.Privacy Policy.
  • GitHub, Inc. (a Microsoft company) (United States) — repository access via the GitHub REST API and GitHub App webhook delivery.
    Sees: your GitHub account identifier, organisation identifier, repository name, and repository contents at read time (during the scan window).
    Governed by:GitHub Customer Terms, GitHub Data Protection Agreement, and Microsoft's EU Data Boundary / SCCs.Privacy Statement.
  • Anthropic, PBC (United States) — AI code-review processing via the Claude API.
    Sees:only the specific code snippets sent for review (not your whole repository). Anthropic's commercial API Terms prohibit training on your inputs.
    Governed by: Anthropic Commercial Terms of Service and Data Processing Addendum with SCCs for EU/UK transfers where applicable.Privacy Policy.
  • Vercel, Inc. (United States) — website, serverless function hosting, edge network, analytics (in aggregate form only where enabled).
    Sees: HTTP request metadata (IP, path, user-agent, timestamp), any in-memory state during function execution.
    Governed by: Vercel Data Processing Addendum with SCCs for EU/UK transfers.Privacy Policy.
  • Cloudflare, Inc. (United States) — DNS, edge network, DDoS mitigation, TLS termination (where applicable).
    Sees: HTTP request metadata (IP, request headers, TLS handshake data) for routing and abuse-mitigation purposes.
    Governed by: Cloudflare Data Processing Addendum with SCCs for EU/UK transfers.Privacy Policy.
  • Neon, Inc. (United States / EU, region-dependent) — managed Postgres database used for scan metadata, scan queue state, and account records.
    Sees: account email, scan IDs, scan results metadata (findings, file paths, line numbers — not source code), account subscription state.
    Governed by: Neon Data Processing Addendum with SCCs for EU/UK transfers where applicable.Privacy Policy.
  • Functional Software, Inc. (Sentry) (United States) — application error tracking and performance monitoring for the gatetest.ai website and APIs.
    Sees: stack traces of uncaught exceptions and unhandled rejections, HTTP request metadata (URL, method, IP, user-agent, response code), browser session replay samples (sampled, with form input masking), and release / deployment tags. Local-variable values captured at the point of failure are passed through an automated scrubber that strips request bodies, prompts, file contents, repository URLs, API keys, tokens, secrets, cookies, and authorization headers BEFORE they leave the GateTest process. We never intentionally send customer source code, Claude prompts, or scan output to Sentry.
    Governed by: Sentry Data Processing Addendum and Standard Contractual Clauses for EU/UK transfers where applicable.Privacy Policy.
  • Email delivery provider — transactional email delivery (scan receipts, status, password resets). Provider identity to be confirmed at launch (e.g. Resend, Postmark, or SendGrid).
    Sees: recipient email address, email subject and body.
    Governed by:provider's Data Processing Addendum with SCCs for EU/UK transfers.

We do not sell, rent, trade, or otherwise transfer your personal data to any third party outside the sub-processors listed above, except: (i) to comply with a valid legal obligation, court order, or enforceable government request; (ii) to a successor entity in connection with a merger, acquisition, or sale of assets, subject to this Privacy Policy; or (iii) with your explicit consent. Each sub-processor receives only the minimum data required to perform its function.

12. Data Breach Notification

[DRAFT — requires attorney review. The 72-hour commitment aligns with GDPR Article 33 and the NZ Privacy Act 2020 "as soon as practicable" standard; counsel should confirm the shorter windows required by specific US state breach-notification laws (e.g. Florida <30 days, Texas <60 days) and whether a commitment should be framed as "statutory timeframe or sooner" to avoid inconsistency.]

We maintain an incident-response plan aimed at detecting, containing, and notifying affected parties of security incidents involving personal data. In the event of a data breach that meets the notification threshold under applicable law, we intend to:

  • Regulator notification. Notify the competent supervisory authority without undue delay and, where feasible, within seventy-two (72) hoursof becoming aware of the breach, consistent with GDPR Article 33. For New Zealand, notify the Office of the Privacy Commissioner in accordance with Part 6 of the Privacy Act 2020. For US states, notify within the statutory timeframe for each state where affected residents reside.
  • Affected-user notification. Notify affected users via email to the address associated with the account, as soon as reasonably practicable after the scope of the breach is understood, with a description of the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed.
  • Cooperation. Cooperate with your controller obligations where we act as your processor (including providing the information you need to meet your own notification obligations under your DPA).
  • Remediation. Take reasonable steps to contain the breach, remove attacker access, rotate compromised credentials, and reduce the likelihood of recurrence.

13. Jurisdiction-Specific Disclosures

[DRAFT — requires attorney review. PRIORITY FLAG. Each sub-section (GDPR Art. 13 disclosures, UK-GDPR specifics, CCPA / CPRA consumer-rights language, Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, NZ Privacy Act 2020) should be reviewed by counsel for completeness. The current draft covers GDPR and California but is not a full multi-state US compliance pack.]

13.1 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR / Swiss FADP). If you are located in the EEA, UK, or Switzerland, we process your personal data on the following lawful bases (Art. 6 GDPR):

  • Performance of a contract (Art. 6(1)(b)) — to provide, bill for, and support the Service you purchased.
  • Legitimate interests (Art. 6(1)(f)) — to operate and secure the Service, prevent fraud and abuse, maintain audit logs, improve scan accuracy in aggregate, and defend legal claims. We have assessed our legitimate interests against your rights and freedoms.
  • Consent (Art. 6(1)(a)) — for any non-essential cookies or analytics, and for any marketing communications. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — to meet tax, accounting, regulatory, and lawful-process obligations.

Required Art. 13 disclosures: the controller is GateTest (contact: hello@gatetest.ai); the recipients are the sub-processors listed in Section 11; your data may be transferred internationally under the safeguards in Section 9; the retention periods are in Section 6; you have the rights in Section 8 plus the right to lodge a complaint with a supervisory authority; where we rely on legitimate interests, you may request further details and object; the provision of account data is required to contract with us, but providing any specific optional data is voluntary; we do not use solely automated decision-making with legal or similarly significant effect on you.

13.2 California (CCPA / CPRA) — Notice at Collection and Consumer Rights.If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose, and the categories of third parties with whom we share it.
  • Right to delete your personal information, subject to statutory exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing of personal information.We do not sell or share your personal information as those terms are defined in the CCPA / CPRA. We do not offer financial incentives in exchange for personal information.
  • Right to limit use of sensitive personal information. We do not collect or use sensitive personal information for purposes that require providing the right to limit under the CCPA / CPRA.
  • Right to non-discrimination for exercising your CCPA / CPRA rights.

To exercise a CCPA / CPRA right, email hello@gatetest.ai with the subject line "CCPA Request". We will verify your identity before acting. An authorised agent may submit a request on your behalf with your signed permission.

13.3 Other US state laws. Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other US states with comprehensive privacy laws have rights substantially similar to those described for California above (right to access, correct, delete, opt out of targeted advertising and sale). We do not engage in targeted advertising or the sale of personal information as defined in these laws. To exercise a right, email hello@gatetest.ai.

13.4 New Zealand (Privacy Act 2020). If you are in New Zealand, this Privacy Policy operates alongside the Information Privacy Principles of the Privacy Act 2020. You may complain to the Office of the Privacy Commissioner (privacy.org.nz) if you believe we have not handled your data in accordance with the Act.

13.5 Data Processing Agreement (DPA). Business customers who require a formal Data Processing Agreement, a Data Protection Addendum, Standard Contractual Clauses, or a sub-processor disclosure may request one by contacting hello@gatetest.ai. Where we act as processor for your end-user personal data, we intend to offer a DPA incorporating GDPR Article 28 obligations and the EU-approved SCCs.

14. Data Security

All data in transit is encrypted using TLS 1.2 or higher. Scan reports stored in our database are encrypted at rest. Payment information is handled exclusively by Stripe and never touches our servers. Source code is processed in-memory and is not written to persistent storage. We conduct periodic security reviews of our infrastructure and follow the principle of least privilege for all system access.

15. Governing Law

This Privacy Policy is governed by the laws of New Zealand, including the Privacy Act 2020.

16. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — for example, a new category of data collection, a new sub-processor handling personal data, a change to retention periods, or a change that expands the ways we use your data — we intend to provide at least thirty (30) days'advance notice via email to the address associated with your account, via a prominent banner or in-app notice on the Service, or both. Non-material changes (such as clarifications, formatting, or updates to contact details) may take effect without advance notice. The "Effective date" at the top of this page indicates the latest revision. Your continued use of the Service after the effective date of material changes constitutes your acceptance, subject to any opt-out right or additional consent required by applicable law.

17. Contact

For privacy questions, data requests, or concerns, contact us at hello@gatetest.ai.

← Back to gatetest.ai