Privacy Policy
A plain-English account of what we collect, why we collect it, and what rights you have. If anything here is unclear, email privacy@gated.sh.
01 Who we are
Gated Labs, Inc. is the data controller for information processed through the Gated website and Probe. For consulting engagements, data handling is governed by the applicable statement of work and DPA.
02 What we collect
We process three categories of data:
- Account data. Email, name, organization, and billing details. Used to operate your account and bill the service.
- Scan data. Metadata from Probe scans you initiate — target, timestamp, check identifiers, pass/fail — and the minimum response excerpts needed to prove findings.
- Operational data. Request traces, crash logs, and usage metrics we use to operate the Service. Scrubbed of payload data.
03 Why we process it
We process personal data for the following purposes: to provide and operate the Service; to bill and account for it; to protect the Service, our customers, and third parties from abuse; to comply with our legal obligations; and — only where you’ve opted in — to send you product updates.
04 Legal basis (GDPR / LGPD)
We rely on the performance-of-contract basis to operate the Service for you, the legitimate-interest basis to protect and improve the Service, the legal-obligation basis where applicable, and consent where we’ve asked for it (e.g., product-update email).
05 How long we keep it
Default retention:
- Scan metadata: for the life of your account, unless you delete it.
- Finding bodies: 90 days on Pro; configurable on Team and Enterprise plans.
- Operational logs: 30 days, then purged.
- Billing records: 7 years, as required by accounting and tax law.
- Revoked credentials: deleted within 5 minutes.
Tenant purge is available at any time from the app and completes within 24 hours. Backups containing your data age out of the backup window within 35 days.
06 Where it lives
We operate primarily from AWS us-east-1 (Virginia). EU residency (eu-west-1, Ireland) is available on Team and Enterprise plans, with customer data pinned to that region and not replicated out. Brazilian customers on LGPD contracts can opt into São Paulo residency on request.
07 Sub-processors
We use a short list of sub-processors to operate the Service: AWS (infrastructure), Stripe (payments), Postmark (transactional email), Plausible (privacy-friendly analytics), and Sentry (error monitoring). The full, current list with purposes and data categories is available on request at privacy@gated.sh.
08 Your rights
You have the right to access, correct, and delete the personal data we hold about you; to port it to another provider; to object to processing; and to withdraw consent where consent was the basis. To exercise any of these, email privacy@gated.sh. We’ll respond within 30 days.
If you’re in the EU, you also have the right to lodge a complaint with a supervisory authority; if you’re in Brazil, with the ANPD.
09 Security
Our technical and organizational controls are summarized on our Security page. For an in-depth review, our security questionnaire and — once available — SOC 2 report are offered on request.
10 Cookies
The marketing site uses no advertising cookies. We set a single session cookie on app.gated.sh to keep you logged in, and use first-party Plausible analytics without cookies.
11 Children
The Service is not for children under 16, and we do not knowingly collect personal information from them.
12 Contact
Data protection questions: privacy@gated.sh. Our Data Protection Officer reviews every request personally.