Privacy Policy
Last updated: April 12, 2026
Introduction & Data Controller
This Privacy Policy describes how Gatefund (the "Company", "we", "us") collects, uses, and protects your personal data when you use our platform. Gatefund acts as the data controller for the personal data of its account holders, and as a data processor for personal data uploaded by users into their workspaces (for example, investor contacts). We comply with the EU General Data Protection Regulation (GDPR) and applicable national laws.
Data We Collect
We collect: (a) account data — name, email, password hash, workspace name, language preference; (b) billing data — billing address, payment method metadata (handled by Stripe; we never store full card numbers); (c) usage data — pages viewed, actions taken, IP address, browser type, device identifiers; (d) content data — anything you upload into your workspace (contacts, organizations, interactions, reports, documents); (e) communications — emails, support tickets, and feedback you send us; (f) Google account information (when you connect Gmail) — your Google account email address, display name, and an OAuth refresh token used solely to send emails you explicitly trigger. We do not access the contents of your Gmail inbox. See section "Google API Services User Data" below for full details.
Purposes & Legal Basis
We process your personal data for the following purposes and legal bases: (i) performing our contract with you — to provide and operate the Service; (ii) legitimate interest — to secure the Service, prevent fraud, and improve the product; (iii) legal obligation — to comply with tax, accounting, and other legal requirements; (iv) consent — for non-essential cookies and marketing communications, where applicable. You may withdraw consent at any time.
Data Retention
We retain account data for as long as your account is active, plus a 30-day grace period after account deletion. Billing records are kept for 10 years to comply with French accounting law. Usage logs are retained for up to 12 months. Content data you upload is deleted when you delete the corresponding records, after the grace period. You may request earlier deletion where permitted by law.
International Transfers
Your personal data is primarily stored in the European Union (Supabase EU region, France). Some sub-processors (for example, Stripe) may transfer data outside the EU. Where this occurs, we rely on European Commission adequacy decisions or Standard Contractual Clauses to ensure your data receives an adequate level of protection.
Google API Services User Data
When you connect your Google account to Gatefund (Gmail), our use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.
What Google data we access — When you authorize Gatefund to access your Google account, we request the following scopes: openid, email, profile (to identify which Google account is connected and display your account's name and email address inside Gatefund's UI), and https://www.googleapis.com/auth/gmail.send (to send emails on your behalf to the recipients you explicitly choose inside Gatefund). We do not request, and we do not have, the ability to read, modify, or delete any email in your mailbox.
How we use this data — The connected email address and display name are stored encrypted in our database and shown in our UI to confirm the active sending identity (e.g., "Sending as: alice@startup.com"). The OAuth refresh token is stored encrypted using AES-256-GCM with a key held only on our backend servers. It is never logged, never returned in API responses, and never shared with third parties. The refresh token is used solely to send emails you explicitly trigger from inside Gatefund (manual outreach to a contact, scheduled follow-ups you configure, or investor reporting emails you send). We do not pre-emptively send anything.
Limited Use compliance — Gatefund's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google user data to provide and improve user-facing features of Gatefund visible in our user interface. We do not transfer Google user data to third parties except to provide or improve those user-facing features, or to comply with applicable law. We do not use Google user data for serving ads, including retargeting, personalized, or interest-based advertising. We do not allow humans to read Google user data, except in the following limited cases: (i) with your explicit consent for specific messages, (ii) for security purposes (e.g., investigating abuse), (iii) to comply with applicable law, or (iv) when the data has been aggregated and anonymized.
Data storage and retention — Refresh tokens are stored encrypted at rest. They are deleted immediately upon your disconnect action and revoked at Google's endpoint within 60 seconds of the disconnect request. The connected email address and display name are retained while your Gatefund account is active and are deleted within 30 days of account deletion. Sent email content is not retained on our servers after the API call to Gmail completes — only metadata (recipient address, subject, timestamp, send status) is kept as part of the user's CRM history.
Disconnecting and revoking access — You may disconnect your Google account from Gatefund at any time via Settings → Email → Disconnect (this triggers a server-side revoke against Google's endpoint), or directly from https://myaccount.google.com/permissions. Either action immediately invalidates the refresh token on both sides.
Your Rights
Under GDPR you have the right to: (a) access the personal data we hold about you; (b) request rectification of inaccurate data; (c) request erasure (the "right to be forgotten"); (d) restrict processing; (e) data portability — receive your data in a structured, machine-readable format; (f) object to processing based on legitimate interest; (g) withdraw consent at any time; (h) lodge a complaint with your local supervisory authority (in France: the CNIL). To exercise your rights, contact privacy@gatefund.io.
Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, regular backups, logging and monitoring, and employee confidentiality agreements. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security, but we apply industry-standard practices.
Children's Privacy
The Service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
Changes to Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or through the Service at least 30 days before they take effect. The "Last updated" date at the top of this policy reflects the most recent revision.
Contact & DPO
For any question about this Privacy Policy or our data practices, or to exercise your rights, contact our privacy team at privacy@gatefund.io. For GDPR-related requests you may also contact our Data Protection Officer at dpo@gatefund.io.