
Privacy Policy

Last updated: May 2026

Sovergate is committed to protecting your personal data. This policy explains what data we collect, why we collect it, how we use it, and what rights you have over it. We are the data controller for personal data you provide to us when using sovergate.com and the Sovergate platform.

1. Who we are

Company: Sovergate

Website: sovergate.com

General contact: hello@sovergate.com

Data protection contact: legal@sovergate.com

2. What data we collect and why

2.1 Account data

When you create an account, we collect your full name, email address, password (stored as a bcrypt hash — we never store your plain text password), and organisation name.

Legal basis: Contract (Article 6(1)(b) GDPR) — this data is necessary to provide you with the Sovergate service.

2.2 Billing data

When you subscribe to a paid plan, we collect your billing name and address, VAT number (if applicable), and payment method details. Payment card details are processed by our payment processor and are never stored on our servers.

Legal basis: Contract (Article 6(1)(b) GDPR) and Legal obligation (Article 6(1)(c) GDPR) for invoicing requirements.

2.3 Usage data

When you use the Sovergate platform, we collect log-in timestamps and IP addresses, features accessed and actions taken, API key creation and usage events, and AI system configuration changes.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR) — we use this data to operate, improve, and secure the service.

2.4 Support communications

When you contact us by email or through the platform, we collect the contents of your message, your email address, and any attachments you send.

Legal basis: Legitimate interests (Article 6(1)(f) GDPR) — to respond to your enquiry and improve our service.

2.5 What we do NOT collect

Sovergate is built specifically to avoid processing sensitive personal data belonging to your end users. Our SDK scrubs PII locally inside your infrastructure before any data reaches our servers. We never receive, store, or process the original prompts or responses from your AI systems — only the scrubbed versions.

3. How we use your data

We use the data we collect to:

  • Provide and maintain the Sovergate service
  • Process your subscription and issue invoices
  • Send you service notifications (downtime, security alerts, feature updates) — these are not marketing emails
  • Respond to support requests
  • Detect and prevent fraud and abuse
  • Comply with legal obligations

We do not sell your personal data to any third party. We do not use your data for advertising.

4. Who we share your data with

We share your data only with the following categories of recipients, all of whom are bound by data processing agreements:

Infrastructure — Hetzner Online GmbH (Germany)

Our servers, databases, and object storage run on Hetzner infrastructure in Nuremberg and Falkenstein, Germany. Your data never leaves the EU.

Payment processing

We use an EU-based payment processor to handle subscription payments. Payment card data is processed directly by them and is never stored on our servers.

Email delivery

We use a transactional email service to send service notifications and invoices. Only your email address and the content of the notification are shared.

We do not use any US-based cloud services in our critical data path. We do not share your data with advertising networks, analytics companies, or data brokers.

5. International data transfers

All personal data you provide to Sovergate is stored and processed within the European Union. We do not transfer personal data to countries outside the EU or EEA.

We do not rely on Standard Contractual Clauses, Privacy Shield, or any other transfer mechanism because no transfer takes place.

6. How long we keep your data

Data type | Retention period
Account data | Duration of your account + 30 days after deletion
Billing data | 7 years (legal requirement for invoicing)
Usage logs | 12 months
Support communications | 2 years
AI system logs (your compliance data) | As configured — minimum 6 months

When your account is deleted, we delete all associated personal data within 30 days and provide a deletion certificate on request.

7. Your rights under GDPR

You have the following rights regarding your personal data:

Right of access (Article 15)

You can request a copy of all personal data we hold about you.

Right to rectification (Article 16)

You can ask us to correct inaccurate data about you.

Right to erasure (Article 17)

You can ask us to delete your personal data. We will do so within 30 days, subject to legal retention requirements (such as invoice records).

Right to restriction (Article 18)

You can ask us to restrict processing of your data in certain circumstances.

Right to data portability (Article 20)

You can request your data in a machine-readable format. We provide CSV export of all your account and log data.

Right to object (Article 21)

You can object to processing based on legitimate interests.

Right to withdraw consent

Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

Right to lodge a complaint

You have the right to lodge a complaint with your national data protection authority. In Germany, this is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).

To exercise any of these rights, contact us at legal@sovergate.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

8. Security

We protect your personal data using:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Bcrypt password hashing
  • Access controls limiting who can access production data
  • Regular security reviews

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of it.

9. Cookies

We use only essential cookies required for the service to function. See our Cookie Policy for full details. We do not use advertising cookies or cross-site tracking.

10. Changes to this policy

We will notify you by email at least 14 days before making any material changes to this policy. The current version is always available at sovergate.com/privacy.

11. Contact

For any privacy-related questions, email legal@sovergate.com. We respond within 5 business days.