← VantaGate

Privacy Policy

Last updated: June 5, 2026

1. Controller Identity & Liability Scope

DAMIAN KUSIK, ul. 21 Stycznia 20/60 14-100 Ostróda, Poland (NIP: 7412160455) acts as the Data Controller solely for account management data. For all API payload data, we act strictly as a Processor under the GDPR. We expressly disclaim liability for the legal basis of data you transmit to our infrastructure.

2. Data We Process (Pursuant to Art. 6 GDPR)

We process the following minimal categories of personal data strictly for the performance of a contract (Art. 6(1)(b)) and our legitimate technical interests (Art. 6(1)(f)):

  • Email address, name, and OAuth identifiers (necessary for authentication and service delivery).
  • Payment metadata and billing history (processed entirely by Stripe — VantaGate holds zero liability for payment data breaches, as we never touch or store raw card details).
  • System usage metrics, IP addresses, and operational timestamps required to prevent abuse and ensure platform stability.
  • Cryptographic audit trails: masked identities, HMAC signatures, and SHA-256 one-way hashes used exclusively for verification.

3. The Purge Clause (Absolute Zero-Retention Protocol)

VantaGate's core architecture is designed to fundamentally eliminate data liability. All payload data submitted to the /v1/checkpoint endpoint is:

  • Instantly encrypted in memory using AES-256-GCM prior to ephemeral database insertion.
  • Irrevocably and permanently wiped from all physical and logical storage blocks the exact millisecond a human decision (any option selected or expired) is executed.
  • Replaced permanently by an irreversible SHA-256 hash, ensuring zero possibility of data reconstruction.

Due to this strict Zero-Retention technical reality, VantaGate cannot disclose, recover, or be held liable for the loss, breach, or exfiltration of payload data after a decision is made, as the data ceases to exist on our servers. You explicitly accept this irreversible deletion mechanism.

4. Strictly Necessary Cookies

We deploy only strictly necessary cookies required for core authentication, session integrity, and security (HttpOnly, Secure, SameSite=Lax). Because we deploy zero analytics, marketing, or cross-site tracking cookies, the ePrivacy Directive exempts us from requiring a cookie consent banner. By using the service, you accept these operational cookies.

5. Third-Party Sub-processors

  • Supabase — Cloud database infrastructure and authentication routing (EU region).
  • Hetzner — Bare-metal and cloud server infrastructure hosting (Germany).
  • Stripe — PCI-DSS compliant payment processing and subscription management.
  • Resend — Transactional email delivery and notification dispatch protocols.

6. Your Rights & Limitation of Scope (GDPR Art. 15–22)

You possess the statutory right to access, rectify, erase, and port your personal account data by contacting [email protected]. However, due to the Zero-Retention Protocol, rights to access or port specific payload data are technically impossible to fulfill post-decision and are therefore exempt under GDPR provisions regarding technically unfeasible requests.

7. Data Retention Cycles

Core account data is retained for the duration of the active contract. Cryptographic audit logs (hashes only) are retained strictly according to your tier: Free (7 days), Pro (90 days), Scale (365 days). Upon expiration, this metadata is permanently purged without any possibility of recovery or liability for its destruction.