Privacy Policy

This Privacy Policy applies to personal data processed by Gateway Creative LLC in connection with websites, hosted tools, account dashboards, billing surfaces, storage surfaces, support channels, and provider-backed workflows that Gateway operates. Gateway Creative LLC is the data controller for the personal data described here unless a separate written agreement states otherwise.

Gateway Creative LLC

1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, United States

Support: info@gateway-creative.com

Privacy: info@gateway-creative.com

Legal: info@gateway-creative.com

• Account and identity data, including email address, display name, account status, authentication identifiers, security events, and account recovery data.
• Billing and transaction data, including subscription plan, pricing tier, invoice references, transaction metadata, payment state, refund state, dispute state, billing country, and tax-related records.
• Content and workflow data, including prompts, uploaded files, generated outputs, asset metadata, project metadata, request parameters, moderation results, and technical processing metadata.
• Device and network data, including IP address, browser and operating system data, session identifiers, cookies, anti-abuse telemetry, and service diagnostics.
• Communications data, including support tickets, legal complaints, rights requests, billing review messages, operational notices, and related metadata.

Gateway collects personal data directly from you, automatically through your use of the Service, from payment and fraud-prevention providers, from hosting or storage providers, from authentication or queueing systems, from support interactions, and from lawful third-party sources used for account protection, billing reconciliation, legal compliance, or abuse investigation.

• To create, operate, secure, troubleshoot, and administer Accounts and Service access.
• To process subscriptions, credit purchases, invoices, renewals, refunds, disputes, support escalations, and account lifecycle decisions.
• To store Inputs, route requests, process generation workflows, return Outputs, and maintain storage and delivery surfaces.
• To detect, investigate, prevent, and document fraud, chargebacks, sanctions risk, copyright complaints, provider abuse, policy violations, and security incidents.
• To communicate with users about transactions, account changes, legal notices, support matters, and service health matters.
• To improve operational reliability, queue integrity, abuse detection, moderation consistency, and service diagnostics.

Where required by applicable law, Gateway processes personal data on one or more of the following legal bases: performance of a contract; compliance with legal obligations; Gateway's legitimate interests in operating, securing, supporting, improving, defending, and monetizing the Service; and consent, where consent is required and obtained. If you withdraw consent for a processing activity that depends on consent, Gateway will stop that specific processing unless another lawful basis applies.

Gateway may disclose personal data to payment processors, hosting providers, object storage providers, database providers, queueing providers, AI workflow providers, moderation or security providers, analytics or monitoring providers, professional advisors, insurers, auditors, regulators, courts, rights holders, and authorities where legally required, operationally necessary, or reasonably appropriate to protect Gateway and the Service.

Gateway may also disclose personal data in connection with a merger, financing, restructuring, asset sale, or similar transaction. Gateway does not promise that the exact provider mix will remain unchanged over time.

See our Subprocessors and Third-Party Services page for a current baseline summary of provider categories.

Because the Service includes provider-backed creative workflows, Inputs and related account metadata may be transmitted to or processed by Third-Party Providers acting on Gateway's behalf or under Gateway's workflow orchestration. Such providers may process request content, technical parameters, moderation data, and output artifacts to the extent needed to store, route, transform, moderate, return, retry, or troubleshoot a request.

Gateway does not state that every Third-Party Provider follows identical retention, region, or training rules. Gateway therefore does not recommend submitting content unless you are comfortable with the possibility of third-party processing under the safeguards and limitations described in this Privacy Policy and the relevant provider path.

Gateway does not publish a blanket promise that no third-party provider will ever retain, review, or otherwise process request data for purposes beyond immediate inference unless that promise is supported by the exact provider path and contract in use. Gateway itself may review or process content for safety, moderation, abuse prevention, support, legal review, and operational reliability. If Gateway materially changes its own data-use position in a way that legally requires additional notice or consent, Gateway will update this Privacy Policy and associated product flows as required by law.

Gateway retains personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy and for as long as required for billing, tax, accounting, legal, sanctions, audit, dispute-handling, fraud-prevention, queue integrity, security, and recordkeeping purposes. Gateway applies the following baseline internal criteria unless a longer period is required by law, dispute posture, or legitimate defense need: account profile and account-state records while the Account is active and for a reasonable post-closure period; billing, invoice, tax, and payment integrity records for up to seven years; operational logs for approximately ninety days unless needed for security or legal defense; security and abuse investigation evidence for up to one year or longer where necessary; and deleted-content tombstones, deletion records, and audit evidence for as long as necessary to document compliance, fraud prevention, or legal defense.

Stored content, outputs, and uploaded files may be deleted sooner, later, or in stages depending on account status, deletion workflow, dispute posture, provider state, operational failures, or legal hold requirements. Gateway does not guarantee immediate hard deletion of all replicas, logs, backups, audit trails, or provider-side artifacts.

Account deletion is a product workflow, not an automatic universal erasure event. Gateway may delay or partially limit deletion where billing debt, disputes, refund review, sanctions review, fraud review, moderation review, or legal compliance requires retention. Gateway may retain a reduced post-closure record set sufficient to defend claims, prevent abuse, document transactions, preserve deletion evidence, and comply with law.

Personal data may be processed outside your home jurisdiction, including outside the EEA, United Kingdom, or Switzerland. Where required, Gateway relies on adequacy decisions, standard contractual clauses, contractual safeguards, or other lawful transfer tools intended to support compliant cross-border processing. Because Gateway uses multiple providers, transfer mechanics may differ by workflow path and provider category.

Gateway uses administrative, technical, and organizational measures designed to protect personal data and the integrity of the Service. These measures may include authentication controls, payment review controls, rate limits, abuse detection, access restrictions, logging, and provider-level safeguards. No system is perfectly secure, and Gateway cannot guarantee absolute security or uninterrupted operation.

If Gateway becomes aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, Gateway will take steps that Gateway believes are required under applicable law, including notifying supervisory authorities and affected individuals where legally required. For EEA-governed processing, Gateway aims to follow the timing and substantive requirements imposed by GDPR and related law.

Depending on your location and applicable law, you may have the right to request access, correction, deletion, restriction, portability, objection, or withdrawal of consent in relation to some personal data. You may also have the right to lodge a complaint with a supervisory authority. Gateway may require identity verification before acting on a request and may deny, limit, or defer a request where law permits, including where records must be retained for billing, legal, security, abuse-prevention, or dispute reasons.

Gateway expects rights requests to be sent through the published privacy or legal contact channel with enough information to identify the Account and the nature of the request. Gateway will respond within the timeline required by applicable law where such law applies.

If you are in the EEA, the UK, or another jurisdiction with comparable privacy rights, you may also have the right to complain to the supervisory authority competent for your residence or place of work. Gateway does not appoint a public-facing representative in every jurisdiction by default and will update this section if a representative appointment becomes legally required for Gateway's processing posture.

Gateway uses cookies and similar technologies for authentication, security, session continuity, account preferences, fraud prevention, payment integrity, infrastructure reliability, and, where enabled, analytics or communications measurement. Non-essential cookies should not be activated for jurisdictions that require prior consent until the user has made an affirmative consent choice through an available consent tool.

See our Cookie Notice for additional detail.

The Service is not intended for unlawful collection of children's data. Where local law requires parental or guardian authorization below the local age of digital consent, you must not use the Service without such authorization. Gateway may disable Accounts or restrict access where Gateway believes a user is below the legally relevant age or where payment-enabled use appears incompatible with applicable law.

Gateway may update this Privacy Policy from time to time to reflect legal requirements, operational changes, provider changes, workflow changes, security needs, or business decisions. The effective date on the published version controls. Where required by law, Gateway will provide additional notice or request additional consent before certain changes take effect.