1. Who We Are
GateTest ("we", "us", "our") operates the website gatetest.io and provides automated code quality scanning services. This Privacy Policy explains what personal data we collect, how we use it, how we protect it, and your rights regarding your data. This policy applies to all users of our website, GitHub App, CLI tool, and paid scanning services.
2. Data We Collect
2.1 Account and Payment Data
- Email address (for scan delivery, receipts, and communication)
- Payment information (processed entirely by Stripe — we never see, store, or have access to your full card number, CVV, or billing address)
- GitHub username and organisation name (when installing the GitHub App)
- Repository URLs submitted for scanning
2.2 Repository Data
- Source code is accessed temporarily in memory during the scan process
- Source code is NOT permanently stored on our servers, databases, or any persistent storage
- Source code is NOT copied, cached, backed up, or retained after the scan completes
- Scan results (pass/fail outcomes, issue descriptions, file paths, line numbers) are stored for report delivery
- Scan results do NOT contain your actual source code — only metadata about issues found
2.3 Website Data
- Standard web server logs (IP address, browser type, referring URL, pages visited, timestamps)
- We do NOT use third-party tracking cookies
- We do NOT use advertising pixels or retargeting
- We do NOT use Google Analytics or similar tracking services
- We do NOT sell, rent, or trade any user data to third parties
3. How We Use Your Data
We use your data strictly for the following purposes:
- Performing the code scan you requested and paid for
- Delivering scan reports and auto-fix pull requests
- Processing payments via Stripe
- Sending transactional communications (scan status, receipts)
- Responding to support enquiries
- Improving scan accuracy and module quality (using aggregate, anonymised data only)
We absolutely DO NOT:
- Sell, rent, lease, or trade your personal data or code to any third party
- Use your source code for training AI models or machine learning
- Share your code or scan results with other customers
- Use your data for advertising, profiling, or marketing to third parties
- Access your repositories outside the scope of the requested scan
- Retain your source code after the scan is complete
4. AI Code Review Data Handling
If your scan includes the AI-powered code review module, relevant code snippets from the files being reviewed are sent to the Anthropic Claude API for analysis. This data handling is governed by the following:
- Anthropic's API usage policy explicitly prohibits using API inputs for model training
- Code sent for AI review is processed in real time and is not stored by Anthropic after analysis
- Only files selected for review are sent — not your entire repository
- You may opt out of AI review by selecting a scan tier that does not include it
5. GitHub App Data
If you install the GateTest GitHub App on your account or organisation:
- We receive webhook events for push and pull request activities on connected repositories
- We receive temporary read access to repository contents for the purpose of scanning
- We do not access repositories that are not connected to the App
- We do not access any repositories after the App is uninstalled
- You can revoke access at any time by uninstalling the App from your GitHub settings
- Uninstallation is immediate and irrevocable — we lose all access instantly
6. Data Retention
- Source code: NOT stored. Accessed in memory during scan, discarded immediately upon completion. Zero retention.
- Scan reports: Retained for 90 days for your reference and re-download, then permanently deleted.
- Payment records: Retained as required by New Zealand tax law and financial regulations (currently 7 years for tax records).
- Email address: Retained until you request deletion or unsubscribe.
- Server logs: Retained for 30 days for security and debugging, then deleted.
7. Data Security
- All connections to gatetest.io are encrypted via TLS 1.2+ (HTTPS)
- Payment processing is handled entirely by Stripe (PCI-DSS Level 1 compliant)
- Repository access uses GitHub's authenticated API with time-limited installation tokens
- Minimal permissions requested — read-only access to contents; write access only for PR comments and commit statuses
- No source code is written to disk, databases, or persistent storage at any point
- Infrastructure hosted on Vercel with SOC 2 Type II compliance
8. Your Rights
Regardless of your location, you have the following rights regarding your personal data:
- Right to access: Request a copy of all personal data we hold about you
- Right to rectification: Request correction of inaccurate data
- Right to deletion: Request permanent deletion of your data
- Right to portability: Request your data in a machine-readable format
- Right to withdraw consent: Revoke GitHub App access or unsubscribe at any time
- Right to object: Object to specific data processing activities
To exercise any of these rights, contact hello@gatetest.io. We will respond to all requests within 20 working days, as required by the New Zealand Privacy Act 2020.
9. International Data Transfers
Your data may be processed in countries outside your jurisdiction, including the United States (where our infrastructure providers Vercel, Stripe, and GitHub operate). These transfers are necessary to provide the Service. We rely on our providers' compliance frameworks (including SOC 2, PCI-DSS) to ensure adequate data protection.
10. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it immediately.
11. Third-Party Services
We use the following third-party services to operate GateTest:
We do not share your data with any other third parties. The above services receive only the minimum data necessary to perform their function.
12. Data Breach Notification
In the unlikely event of a data breach affecting your personal data, we will notify affected users via email within 72 hours of becoming aware of the breach, as required by the New Zealand Privacy Act 2020. We will also notify the Office of the Privacy Commissioner where required.
13. Governing Law
This Privacy Policy is governed by the laws of New Zealand, including the Privacy Act 2020.
14. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or prominent notice on our website at least 14 days before taking effect. The "Effective date" at the top of this page indicates the latest revision.
15. Contact
For privacy questions, data requests, or concerns, contact us at hello@gatetest.io.