This policy describes how NovaGate ("we", "our", "us") collects, uses, and protects information when you use novagate.dev and the NovaGate gateway service.
1. What We Collect
Account information: your name, email address, and hashed password when you register.
Gateway telemetry: request metadata sent by your gateway node — method, path, status code, latency, request ID, and consumer ID. We do not collect request bodies, response bodies, query parameters, or any personally identifiable information from your API traffic.
Usage metadata: which dashboard pages you visit, when routes and services are created or modified, and error events generated by your gateway.
2. What We Do Not Collect
We never see your API request or response payloads. Your traffic flows directly between your clients and your downstream services through the gateway node running on your server.
We do not collect full IP addresses in metric labels or log fields.
We do not read your JWT tokens or API keys beyond validating their hashed form for authentication.
3. How We Use Your Data
To provide the NovaGate service: authenticating your account, delivering config updates to your gateway, and displaying observability data in your dashboard.
To improve the product: aggregate, anonymised usage patterns help us understand which features are used and where users encounter friction.
We do not sell your data to third parties. We do not use your data for advertising.
4. Data Storage and Retention
Account data is stored in PostgreSQL hosted in the EU (or region you select at registration).
Request logs are retained for 7 days on the free plan. Enterprise plans may configure up to 90 days.
Error events are retained for 30 days.
Metrics snapshots are retained for 7 days (hourly), 30 days (daily).
You can request full data export or deletion at any time by emailing privacy@novagate.dev.
5. Security
All data in transit is encrypted with TLS 1.2 or higher.
Passwords are hashed with bcrypt (cost factor 10) and never stored in plaintext.
Database access requires authenticated connections. Tenant data is schema-isolated.
See our Security page for a full account of our security practices.
6. Third-Party Services
We use a transactional email provider (SMTP) to send password reset emails. Only your email address is shared with this provider.
We do not use third-party analytics services, advertising platforms, or data brokers.
7. Your Rights
You may request access to all data we hold about your account.
You may request deletion of your account and all associated data.
You may request correction of incorrect account information.
To exercise these rights, email privacy@novagate.dev. We will respond within 30 days.
8. Changes to This Policy
We will notify registered users by email at least 14 days before any material changes to this policy take effect.
Continued use of the service after that date constitutes acceptance of the updated policy.