Privacy Policy

We collect the minimum data needed to run NexGate. We don't sell your data or store your prompt content.

Last updated: 21 May 2026

No prompt storage

We never store your prompt or completion content.

No data sales

Your data is never sold or shared for advertising.

Hashed keys

API keys are bcrypt-hashed. Plaintext is never stored.

No card data

Payments handled entirely by DodoPayments.

1. Overview

NexGate ("we", "us", "our") operates the NexGate API gateway and dashboard at nexgate.app. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights regarding your data.


We keep data collection to the minimum necessary to provide the Service and run a secure, reliable product. We do not sell your personal data or your API request content to third parties.


If you have questions, contact us at support@nexgate.app.

2. Data We Collect

We collect the following categories of data:


Account data: Email address, name (if provided), and authentication identifiers. These are collected when you register via Clerk, our authentication provider.


API keys: When you generate an API key, we store a bcrypt-hashed version of the key. The plaintext key is displayed once and never stored.


Usage data: For each API request made through NexGate, we store operational metadata including: model identifier, token counts (prompt + completion), estimated cost, actual cost, latency (ms), HTTP status code, timestamp, and the API key prefix (not the full key). We do not store the content of your prompts or completions.


Credit and transaction data: Credit balance, transaction amounts, payment references, and timestamps. Card details are handled entirely by DodoPayments and never reach our servers.


IP addresses: We log client IP addresses for rate limiting, abuse prevention, and security purposes. IPs may be stored in our database for a limited period in connection with usage events.


Device and browser metadata: When you use the dashboard, standard web server logs may capture browser type, OS, and referring URL. We do not use tracking pixels or fingerprinting.


Communication data: If you contact us by email, we retain those communications to assist with support and account resolution.

3. How We Use Your Data

We use the data we collect for the following purposes:


• Providing and operating the Service: Processing API requests, managing credit balances, authenticating users, and generating invoices.

• Security and abuse prevention: Rate limiting, detecting fraudulent activity, protecting API keys, and enforcing acceptable use policies.

• Billing accuracy: Calculating per-request costs, deducting credits, and reconciling payment records.

• Account management: Sending verification emails, password resets, and service notifications.

• Analytics and improvement: Aggregated, anonymized usage metrics to understand system performance and model demand. These are never tied to individual identifiable users.

• Legal compliance: Retaining records as required by applicable law, including financial and audit records.


We do not use your API request content (prompts or responses) for model training, product analytics, or any purpose other than routing the request to the selected upstream provider.

4. API Request Data

When you make an API request, your prompt is forwarded to the upstream model provider you selected (e.g. OpenAI, DeepSeek, xAI). This is necessary to generate a response.


NexGate acts as a pass-through proxy. We do not inspect, store, or analyze the semantic content of your prompts or model outputs. Only the operational metadata listed in Section 2 is retained in our systems.


Each upstream provider has its own privacy policy and data handling practices. You are responsible for ensuring your use of upstream models complies with those providers' terms and any applicable laws (e.g. not sending personal health data to a provider that does not support HIPAA compliance).

5. Authentication and Clerk

Authentication is powered by Clerk (clerk.com). When you sign up or sign in, Clerk collects and processes your email address, name, and OAuth identity (if you use Google or GitHub login).


Clerk acts as a data processor on our behalf. Their data practices are governed by the Clerk Privacy Policy at clerk.com/privacy.


NexGate receives from Clerk a unique user identifier (Clerk User ID) and email address, which we associate with your credit balance, API keys, and usage records.

6. Payments and DodoPayments

Payments are processed by DodoPayments. When you purchase credits, you are redirected to a DodoPayments checkout page. NexGate does not receive, process, or store your card number, CVV, or bank details.


We receive from DodoPayments a payment confirmation, transaction reference ID, and the amount paid. This is used to credit your account balance.


DodoPayments' data practices are governed by their own privacy policy. By making a payment, you agree to DodoPayments' terms.

7. Organizations

If you create or join an organization on NexGate, the following applies:


• Organization admins can view aggregate usage and credit balances for the organization.

• Individual request logs are associated with the API key used, not the individual user.

• Organization owners can remove members, which ends their access to the org but does not delete their personal account.

• When you join an organization, your Clerk User ID is associated with that organization in our database. Organization admins cannot access your personal account data (e.g. personal credit balance or personal API keys).

8. Data Sharing and Third Parties

We share data only as necessary to provide the Service or comply with law:


Upstream model providers: Your API request content is forwarded to the provider you selected. See Section 4.


Clerk: Authentication and user identity management. See Section 5.


DodoPayments: Payment processing. See Section 6.


Hosting and infrastructure: NexGate runs on cloud infrastructure (including Vercel for the web app and a managed PostgreSQL database). These providers process data subject to their own terms and security standards.


Analytics and monitoring: We use PostHog (product analytics), Google Analytics 4 (aggregate website traffic), and Vercel Web Analytics (first-party page-view metrics) to understand usage and improve the Service, and Sentry for error and performance monitoring. These tools process usage, device, and diagnostic data under their own terms. They are environment-gated and may not be active in every deployment.


Legal requirements: We may disclose data if required to do so by law, court order, or government request. We will make reasonable efforts to notify you unless legally prohibited.


We do not sell, rent, or trade your personal data or API content to any third party for marketing or commercial purposes.

9. Data Retention

We retain data for as long as your account is active and for a reasonable period thereafter:


Usage logs: Retained indefinitely to support billing history, dispute resolution, and abuse investigation, unless you request deletion.


API keys (hashed): Retained until revoked or account deletion.


Transaction records: Retained for a minimum of 5 years for financial and audit purposes, as required by applicable law.


Account data: Retained until account deletion. Upon deletion, personal identifiers are removed or anonymized; aggregated billing records may be retained for legal compliance.


You may request deletion of your account and associated personal data at any time (see Section 11).

10. Security

We take security seriously and implement appropriate technical and organizational measures:


• All API keys are bcrypt-hashed before storage. Plaintext keys are never stored.

• All data in transit is encrypted via TLS.

• Database access is restricted to production services with strict credential management.

• Rate limiting and IP-based controls are applied to prevent abuse and brute-force attacks.

• Clerk's invisible bot protection is enabled on sign-up to prevent automated account creation.


No system is perfectly secure. If you discover a security issue, please report it responsibly to support@nexgate.app.

11. Your Rights

Depending on your location, you may have the following rights regarding your personal data:


Access: Request a copy of the personal data we hold about you.


Correction: Request correction of inaccurate or incomplete data.


Deletion: Request deletion of your account and associated personal data. Note that some data (e.g. financial records) may be retained for legal compliance.


Portability: Request your usage and billing data in a machine-readable format.


Restriction: Request that we restrict processing of your data in certain circumstances.


Objection: Object to processing based on legitimate interests.


To exercise any of these rights, email support@nexgate.app with the subject "Privacy Request" and describe your request. We will respond within 30 days. We may need to verify your identity before processing the request.


If you are located in the European Economic Area (EEA) or the UK, you also have the right to lodge a complaint with your local data protection authority.

12. Cookies and Analytics

NexGate uses cookies and analytics sparingly:


Authentication cookies: Set by Clerk to maintain your signed-in session. These are strictly necessary for the Service to function.


Analytics cookies and identifiers: We use privacy-conscious analytics to measure usage and improve the Service — PostHog (product analytics), Google Analytics 4 (aggregate website traffic), and Vercel Web Analytics (first-party page-view metrics). These may set cookies or use similar identifiers. They are environment-gated and may not be active in every deployment.


We do not use advertising cookies, and we do not sell your data or track you across unrelated third-party websites for advertising purposes.

13. Children's Privacy

The Service is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact support@nexgate.app and we will delete it promptly.

14. International Data Transfers

NexGate serves users globally. Your data may be processed and stored on infrastructure located in the United States and other countries. We take steps to ensure that transfers comply with applicable data protection law, including using service providers with appropriate data transfer mechanisms.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you via email or dashboard notice.


Your continued use of the Service after changes take effect constitutes acceptance of the revised Policy. If you do not agree, you may close your account.

16. Contact

For privacy requests, questions, or concerns:


Email: support@nexgate.app

Subject line for privacy requests: "Privacy Request"

Response time: Within 30 days


For general support or billing questions, you may also use the same email address.
