Legal
Privacy Policy
Last updated: May 11, 2026
This Privacy Policy explains how Gate Bridge ("Gate Bridge," "we," "our," or "us") collects, uses, shares, and protects personal information. It applies to gatebridge.com, the Gate Bridge web and mobile applications, and any other product or service we provide that links to this policy (collectively, the "Service").
Gate Bridge is a customer relationship management ("CRM") platform built for photographers.
Plain-language summary. We collect what we need to run a CRM: your account information, the data you enter (clients, shoots, galleries, invoices, contracts), and basic usage telemetry. You own your data — we process it on your behalf. We do not sell personal information. We use a small set of named sub-processors (Supabase, Stripe, Resend, Cloudflare, Vercel) to run the Service. You can export or delete your data at any time. The full policy below has the detail.
This policy is not legal advice. If you have questions, please contact us at privacy@gatebridge.com.
1. Two important roles: controller and processor
The Service is designed so that you are the data controller for information about your clients (the couples, families, and businesses you photograph) that you store in Gate Bridge — and we are the data processor for that information.
In practical terms:
- You decide what client information to collect, what to do with it, and how long to retain it.
- We process that information on your instructions, only to provide the Service to you.
- If a client of yours wants to exercise data-protection rights (access, deletion, correction), the request belongs to you to respond to as their controller. We will support you with the technical means to do so.
This matches the controller / processor distinction in Article 4 of the EU and UK GDPR and equivalent definitions in other privacy frameworks. For information about your own account (your email, your subscription, your usage), Gate Bridge is the controller.
2. Information we collect
2.1 Account information
When you sign up for Gate Bridge:
- Email address
- Password (stored as a salted hash; we never see the plaintext)
- Workspace name and URL slug
- Optional profile details you add (studio name, contact information)
If you sign in via a social provider when available (Google, Apple), we receive the basic profile information you authorize: email and display name.
2.2 Service content
Whatever you enter into Gate Bridge while running your studio:
- Clients — names, email addresses, phone numbers, addresses, tags, notes, pipeline stage.
- Shoots — dates, venues, package names and prices, notes.
- Galleries — links to third-party gallery hosts (Pixieset, Pic-Time, etc.), optional gallery passwords (stored using AES-256-GCM encryption with a key we hold separately from the encrypted data), and preview metadata fetched from each host's public OpenGraph data.
- Invoices — line items, amounts, currencies, status, payment records.
- Contracts — contract bodies you draft, recipient identification, and signature data when a client signs through our public signing link: typed name, IP address, browser user-agent, and timestamp. These are recorded as evidence of electronic acceptance under the U.S. ESIGN Act, EU eIDAS, UK Electronic Communications Act, and analogous law in other jurisdictions.
- Posts — any blog content you publish under your studio's public blog.
We never access your service content except to provide, secure, troubleshoot, or improve the Service — and then only as your processor, under your instructions, or where required by law.
2.3 Payment information
We use Stripe to process subscription payments to Gate Bridge and, when you enable it, to generate Stripe Payment Links for your own client invoices. Payment card information is collected and stored directly by Stripe under Stripe's privacy policy and PCI-DSS compliance — Gate Bridge does not see, store, or process raw card numbers. We retain transactional metadata (subscription tier, charge IDs, invoice amounts) to manage your account.
2.4 Integration data
If you connect external accounts to Gate Bridge:
- Google (Gmail / Calendar) — when you authorize Gate Bridge via OAuth, we receive access and refresh tokens with the scopes you grant, plus email-message and calendar-event content within those scopes. Tokens are encrypted at rest. We use this data only to surface emails and events to you inside the Service. We do not use any data accessed via Google APIs to develop, improve, or train generalized AI/ML models. This use complies with Google's API Services User Data Policy, including the Limited Use requirements.
- DocuSeal (when used as an alternative e-signature provider) — contract submission identifiers and signed-document URLs.
2.5 Usage and telemetry
- Server logs — IP address, requested URL, user-agent, timestamp, response code.
- Product analytics — aggregate page views and feature usage. We do not include the content of client records in analytics events.
- Crash and error reports — to diagnose issues.
2.6 Marketing website visits
When you visit gatebridge.com while logged out, we collect standard web analytics (page, referrer, device class). We do not use third-party advertising trackers and we do not run cross-site retargeting.
3. How we use information
We use personal information to:
- Provide and maintain the Service (account, billing, support)
- Process payments for your subscription
- Communicate with you about your account, security, and service updates
- Improve the Service based on aggregate, de-identified usage patterns
- Comply with legal obligations and respond to lawful requests
- Protect against fraud, abuse, and unauthorized access
We do not use your data — yours or your clients' — to train generalized AI/ML models. We do not sell personal information.
4. Legal bases (GDPR / UK GDPR)
Where applicable EU or UK law applies, we rely on the following legal bases:
- Contract performance — to deliver the Service you signed up for (Article 6(1)(b))
- Legitimate interests — to operate, secure, and improve the Service in ways that don't override your rights (Article 6(1)(f))
- Consent — for optional analytics cookies and marketing communications (Article 6(1)(a))
- Legal obligation — to retain financial records and respond to lawful requests (Article 6(1)(c))
For data you store about your own clients, you are the controller and you are responsible for identifying your own legal basis for processing them. If you process EU/UK personal data of your clients, we are happy to enter into a Data Processing Addendum (DPA) with you — email privacy@gatebridge.com.
5. Sub-processors
We engage the sub-processors listed below to run the Service. Each is bound by a Data Processing Agreement requiring them to handle data in compliance with applicable law.
| Sub-processor | Purpose | Primary location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | United States (your selected region) |
| Stripe, Inc. | Payment processing | United States |
| Resend, Inc. | Transactional email delivery | United States |
| Cloudflare, Inc. | Content delivery, security, R2 object storage | Global edge |
| Vercel, Inc. | Application hosting | United States |
| Google LLC | OAuth and Gmail / Calendar APIs (only when you connect) | Where you reside |
| DocuSeal | Document signing (optional alternative to in-house signing) | Subject to DocuSeal's terms |
We will update this list when sub-processors change. If you have an active paid subscription you can request advance notice of material sub-processor changes by emailing privacy@gatebridge.com.
6. International data transfers
Gate Bridge primarily stores data in the United States (Supabase region us-east-1 by default). If you access the Service from outside the U.S., your information may be transferred to, stored, and processed in the U.S.
For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) with our sub-processors to provide a lawful basis for cross-border transfer. You can request a copy of the relevant SCCs by emailing privacy@gatebridge.com.
7. Data retention
- Active accounts — we retain account data and service content for as long as your account is active.
- Cancelled accounts — after cancellation, we retain your data for 30 days so you can re-activate, then delete it from primary systems within 60 days. Backups are purged within 90 days thereafter.
- Financial records — we retain invoice and subscription records for at least seven years to comply with tax and audit obligations.
- Server logs — 90 days.
- Signed contracts — retained as long as you keep your account as evidence of acceptance; deletable on request.
- Marketing data — retained until you opt out.
You may request earlier deletion at any time — see Section 9.
8. Security
We protect your data with:
- TLS 1.2+ encryption for all data in transit
- Encryption at rest for database backups
- AES-256-GCM encryption for sensitive fields including gallery passwords and integration tokens
- Role-based access controls enforced at the database layer with row-level security policies
- Least-privilege access for our personnel and contractors
- Regular security reviews and dependency monitoring
No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you and the relevant regulators within the timeframes required by applicable law (e.g., within 72 hours under GDPR Article 33 where applicable).
9. Your rights
Depending on where you reside, you may have the following rights regarding your personal information:
- Access — request a copy of what we hold about you
- Correction — correct inaccurate information
- Deletion — request that we delete your information
- Portability — receive your information in a structured, machine-readable format
- Restriction — restrict how we process your information
- Objection — object to processing based on legitimate interests
- Withdrawal of consent — withdraw consent where consent is the legal basis
- Complaint — lodge a complaint with your supervisory authority
California residents (CCPA / CPRA): you also have the right to know, delete, correct, opt out of sale or sharing (we do not sell or share), and not be retaliated against for exercising these rights.
Other jurisdictions: comparable rights are granted by PIPEDA (Canada), LGPD (Brazil), POPIA (South Africa), and many others.
To exercise any of these rights, email privacy@gatebridge.com. We will respond within the timeframe required by applicable law (typically 30 days). We may need to verify your identity before fulfilling certain requests.
10. Cookies and similar technologies
| Cookie | Purpose | Type |
|---|---|---|
| sb-* | Supabase authentication session | Essential |
| gb_workspace | Remember your active workspace selection | Essential |
| Analytics | Aggregate page views (no third-party trackers) | Optional |
You can configure your browser to refuse cookies. Refusing essential cookies will prevent you from signing in.
11. Marketing communications
We may send you transactional emails (security alerts, account notifications, service updates) using our legitimate interest in delivering the Service you signed up for. We will send marketing emails (product news, photography workflow tips, new feature announcements) only with your consent, and you can unsubscribe from any marketing email at any time using the link in the message footer.
12. Children
Gate Bridge is not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us at privacy@gatebridge.com and we will delete it.
13. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top indicates when changes took effect. For material changes affecting how we use your information, we will notify you by email or in-app at least 30 days before the change takes effect, where reasonable.
14. Contact
For privacy questions, requests, or complaints:
Email: privacy@gatebridge.com
Mailing address: Gate Bridge — mailing address to be added prior to public launch.
For users in the EU or UK, we are happy to designate a representative under Article 27 GDPR upon request; please contact privacy@gatebridge.com.
This policy is provided for transparency and as a baseline. Real legal compliance requires review by a lawyer who knows your jurisdiction and your business specifics. Gate Bridge encourages every photographer using the Service to maintain their own client-facing privacy policy that reflects the data they collect.