Enforgate
Start free

Privacy Policy

Last updated June 15, 2026

This Privacy Policy explains what information Enforgate (“Enforgate,” “we,” “us”) collects when you use our website, dashboard, and gateway service (the “Service”), how we use it, and the choices you have. By using the Service you agree to this policy.

Information we collect

Account information. When you create an account we store your email address and name. If you sign in with Google or GitHub, we store the provider and a provider account identifier. If you use email and password, we store a bcrypt hash of your password — never the password itself.

Configuration you create. Policies, API key metadata, upstream server definitions, notification channels, and email-delivery settings that you configure in the dashboard.

Usage and audit records. For each tool call processed by the gateway we record the upstream server name, the tool name, a hash of the call arguments, the verdict and the rule that produced it, timing, and the outcome. We also keep per-month call counts for usage and plan limits.

What we deliberately do not store

  • Raw tool-call arguments. Arguments are evaluated in memory only. We store a sha256 hash of the canonicalized arguments, never the values. The hash lets us prove two calls were identical without revealing their contents.
  • Raw API keys. A key is shown to you once at creation. We store only a sha256 hash and a short display prefix.
  • Plaintext SMTP passwords. If you configure your own SMTP server, its password is encrypted with AES-256-GCM before storage and is never returned to the interface.

How we use information

  • To provide and operate the Service — authenticate you, evaluate policies, proxy tool calls, and send approval notifications.
  • To show you your audit log, live feed, usage, and account in the dashboard.
  • To secure the Service, prevent abuse, and enforce rate limits.
  • To communicate with you about your account (for example, email verification and password resets).

Cookies and local storage

We use only strictly necessary cookies — the session and CSRF cookies that Auth.js sets to keep you signed in and to protect form submissions. We do not use advertising or third-party tracking cookies, and we do not run analytics that profile you across sites. Because these cookies are essential to operate the Service, they do not require a consent banner under GDPR/ePrivacy.

The dashboard also stores a few non-cookie preferences in your browser's local storage — your light/dark theme choice and whether you've dismissed the onboarding checklist — and uses session storage to briefly hold a newly created API key so it can be shown once. These stay on your device and are not sent to us as cookies. You can clear them at any time from your browser. If we ever introduce analytics or marketing cookies, we will add a consent control before setting them.

How information is shared

We do not sell your personal information. We share data only with service providers that help us operate the Service — for example, our database host, and the email or messaging providers you configure for approval notifications (such as your chosen email provider, Slack, Microsoft Teams, or Telegram). When you set up a notification channel, approval requests are delivered to that destination at your direction. We may disclose information if required by law.

Data retention

We retain your account information for as long as your account is active. Audit and usage records are retained while your account is active so the dashboard's history and usage views function. When you delete your account, we delete or anonymize your personal information and associated records within a reasonable period, except where we must retain it to comply with legal obligations.

Security

We apply the safeguards described above — hashing of arguments and keys, encryption of stored secrets, and a fail-closed design — alongside standard transport encryption and access controls. No method of transmission or storage is completely secure, but we work to protect your information and limit what we hold.

Your choices

You can view and update your configuration in the dashboard at any time, revoke API keys, remove notification channels, and delete your account. Depending on where you live, you may have rights to access, correct, or delete your personal information; contact us to exercise them.

Children

The Service is not directed to children under 16, and we do not knowingly collect their information.

Changes to this policy

We may update this policy from time to time. We will revise the “Last updated” date above and, for material changes, provide additional notice.

Contact

Questions about this policy? Email us at privacy@enforgate.com. See also our Terms of Service.