Privacy Policy

Last updated 2026-05-09. This is a plain-English summary of what we collect, why, and how to control it.

This document is a working draft. It accurately describes our current data practices but is not legal advice. Consult counsel before relying on it.

Who we are

ModelGates is operated by ModelGates Inc. ("we", "us"). Reach us at privacy@modelgates.ai for any data-related question.

What we collect

  • Account info: email, name, hashed password, OAuth IDs (Google / GitHub if you sign in that way).
  • Billing info: Stripe customer ID, payment intent IDs, top-up history. Card numbers are never stored on our servers — Stripe holds them.
  • API usage data: per-request metadata (model, token counts, cost, latency, status). The first 500 characters of prompt and response are stored for support / abuse review (configurable).
  • Affiliate data: referral code you generated, who you referred, payout amounts, Stripe Connect account ID if you opted in.
  • Operational logs: IP address, user agent, request timestamps for rate limiting, fraud detection, and incident response.

What we DON'T collect

  • Card numbers, CVCs, bank credentials.
  • Full prompt / response bodies (only first 500 chars by default).
  • Browser fingerprints, third-party tracking pixels, analytics cookies beyond functional ones.
  • Data from API requests routed to providers — we proxy, we don't archive.

How we use it

  • To provide the API service and bill you accurately.
  • To respond to support requests, including reading your prompt preview if you ask us about a specific call.
  • To detect abuse, fraud, and runaway billing.
  • To send transactional email (receipts, low-balance alerts, security notifications). We do not send marketing email.

Who we share with

We share data only with service providers necessary to operate ModelGates:

  • Upstream model providers(via OpenRouter): your prompts and the model's responses, in real time, to fulfill API requests.
  • Stripe — payment processing.
  • Resend — transactional email delivery.
  • Sentry (if enabled) — error monitoring; payloads are scrubbed of API keys and prompt content before transmission.

We do not sell, rent, or share user data with advertisers or data brokers.

How long we keep it

  • Account info: while your account is active + 30 days after deletion.
  • API request metadata: 180 days.
  • Billing records: 7 years (tax / accounting).
  • Stripe webhook event log: 30 days.
  • Operational logs: 90 days.

Your rights

Subject to applicable law (GDPR, CCPA, etc.), you can:

  • Request a copy of your data.
  • Request deletion of your account and associated data.
  • Export your transaction history at any time from /settings/credits.
  • Withdraw consent for marketing email (we don't send any — but you can confirm).

Email privacy@modelgates.ai for any of the above. We respond within 30 days.

Cookies

We use only essential cookies: an Auth.js session cookie, your theme preference, and the affiliate referral cookie (mg_ref) when you arrive via a referral link. No analytics or advertising cookies.

International transfers

Our infrastructure is hosted in the United States. By using ModelGates from outside the US, you consent to your data being processed in the US under standard contractual safeguards.

Changes

We'll update the "Last updated" date at the top when this policy changes. Material changes (e.g., new categories of shared data) will be emailed to active users 30 days in advance.