Privacy Policy
How we handle your data
This page explains what data GreenGate collects, why we use it, and how we protect it. It is written in plain English and covers what is legally required under the EU General Data Protection Regulation (GDPR).
Last updated: 14 May 2026
Who we are
GreenGate is currently operated by its founders, Johan Lindén and Anton, as a pre-incorporation project based in Gothenburg, Sweden. When a Swedish aktiebolag is registered to operate the product, this page will be updated to name that entity as the controller.
You can contact us about anything in this policy at hello@ggate.app.
What we collect, and when
When you visit ggate.app
We do not run analytics, tracking pixels, or marketing cookies on the public site. We do not set any cookies of our own on the marketing pages. Our hosting provider (Railway) keeps short-lived server logs (IP address, timestamp, request path, user agent) for operational and security purposes; these logs are retained for up to 30 days.
When you use the public demo chat on the homepage
We generate a random session identifier (a UUID stored in your browser's local storage) and use it to track the number of demo tokens you have used so we can enforce a free-tier limit. We do not store the content of your messages or the AI's responses. Your message is sent to our AI provider (Anthropic) to generate a reply and is not retained by us after the response is returned to your browser.
When you sign in or create an organisation
Authentication is handled by Clerk. When you sign up, Clerk stores your email address, name, optional profile picture, and the organisation you belong to. We receive these from Clerk so we can identify you and your organisation when you use the dashboard. See Clerk's privacy policy for full details on their processing.
When your application calls our /v1/track endpoint
The tracking endpoint accepts the model name, input token count, output token count, and an optional team_id string. We log these together with your organisation identifier and a timestamp. We do not receive, see, or store the content of prompts, completions, or any other part of your AI request — the GreenGate endpoint is not in your request path and never touches that data.
Legal basis for processing
| Purpose | Legal basis under GDPR |
|---|---|
| Operating the dashboard for authenticated users | Performance of contract — Art. 6(1)(b) |
| Running the public demo chat | Consent — Art. 6(1)(a) (implicit when you choose to send a message) |
Recording usage at /v1/track | Performance of contract — Art. 6(1)(b) |
| Server access logs and abuse prevention | Legitimate interest in security and reliability — Art. 6(1)(f) |
Who we share data with (subprocessors)
| Subprocessor | Purpose | Region |
|---|---|---|
| Clerk | Authentication and user/organisation management | United States (EU-US Data Privacy Framework) |
| Railway | Application hosting, database, server logs | EU (Amsterdam) |
| Anthropic | Demo chat completions only | United States (EU-US Data Privacy Framework) |
No other parties receive your data. We do not sell or share data for advertising.
International transfers
Some subprocessors (Clerk, Anthropic) operate in the United States. We rely on the EU-US Data Privacy Framework where the recipient is certified. Where that coverage is unavailable we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism.
How long we keep your data
| Data | Retention |
|---|---|
| Demo session token counts | 24 hours |
/v1/track usage records | 24 months (so you can produce CSRD reports covering a full reporting period) |
| Authentication identifiers | For as long as your organisation has an active GreenGate account |
| Railway server access logs | Up to 30 days |
When you delete your organisation, all associated usage records are deleted within 30 days.
Your rights
Under GDPR you have the right to:
- Request a copy of the personal data we hold about you (right of access)
- Correct inaccurate personal data (right to rectification)
- Request deletion of your personal data (right to erasure)
- Restrict or object to processing
- Receive your data in a portable, machine-readable format (right to data portability)
- Withdraw any consent you previously gave, where consent is the legal basis
To exercise any of these, email hello@ggate.app. We will respond within 30 days, normally much faster.
You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) or with the data protection authority of your country of residence.
Updates to this policy
We will update this page when our data practices change. Substantive changes will be communicated to active organisation administrators by email at least 30 days before they take effect.