Privacy Policy

Last updated: May 10, 2026

1. Introduction

Valegate Systems, Inc. (“Valegate,” “we,” “us,” or “our”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our regulatory compliance platform (the “Service”). By using the Service, you consent to the practices described in this policy.

2. Information We Collect

Account Information: When you create an account, we collect your name, email address, institution name, and password. Passwords are immediately converted into a one-way cryptographic hash (bcrypt) and only the hash is stored. Your plain-text password is never written to disk, logged, or retained in any form. No one at Valegate — including engineers, developers, and system administrators — can view, retrieve, or reverse your password.

Usage Data: We collect information about how you interact with the Service, including pages viewed, features used, actions taken, timestamps, and IP addresses. This data is used to improve the Service and for security monitoring.

Demo Requests: If you request a demo, we collect your email address to respond to your inquiry.

3. Your Compliance Data

Valegate does not collect, access, or use your compliance data. Policies, regulatory mappings, gap analyses, remediation records, evidence files, and audit logs that you upload or generate within the Service are your organization’s property.

Your compliance data is stored in a tenant-isolated environment. It is encrypted at rest and scoped to your organization. No other customer can access your data, and Valegate personnel cannot access your compliance data without your explicit written authorization.

Valegate employees do not have standing access to customer compliance data. Our admin tools are scoped to the operator’s own organization. There is no internal dashboard, support tool, or backdoor that allows Valegate staff to view, search, or export your policies, findings, or audit records.

When you initiate an AI-powered analysis, your regulatory text and policy excerpts are processed by our AI provider (Anthropic) solely to generate the analysis result. This data is not retained by the AI provider and is not used to train AI models. See Section 5 for details.

4. How We Use Your Information

We use your account and usage data (not your compliance data) to:

  • Provide, maintain, and improve the Service.
  • Authenticate your identity and manage your account.
  • Process and respond to demo requests and support inquiries.
  • Monitor for security threats, unauthorized access, and abuse.
  • Comply with legal obligations, including regulatory record-keeping requirements.
  • Send transactional communications related to your account (e.g., password resets, security alerts).

5. AI Processing

Valegate uses third-party AI services (Anthropic) to power gap analysis, remediation planning, and policy language generation. When you initiate an AI-powered analysis:

  • Regulatory text and your policy excerpts are sent to the AI provider for processing.
  • AI providers are contractually prohibited from using your data to train their models.
  • AI inputs and outputs are logged internally for audit purposes.
  • You may disable AI-powered features at any time in Settings.

6. Cookies and Tracking

We use the following cookies:

  • Authentication cookies (strictly necessary): httpOnly cookies that manage your session. These cannot be disabled as they are required for the Service to function.
  • CSRF protection cookie (strictly necessary): Prevents cross-site request forgery attacks.
  • Theme preference (functional): Stores your light/dark mode preference in localStorage.

We do not use advertising cookies, third-party tracking pixels, or analytics services that track you across other websites.

7. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

  • Service providers: Third-party vendors who assist in operating the Service, including Vercel (frontend hosting), Railway (backend infrastructure and database hosting), Anthropic (AI processing), and Stripe (payment processing). All providers are bound by contractual data protection obligations.
  • Legal compliance: When required by law, subpoena, court order, or regulatory request.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users.
  • With your consent: When you explicitly authorize us to share information with a third party.

8. Data Retention

We retain your data as follows:

  • Account data: Retained while your account is active and for 30 days after termination to allow for data export.
  • Compliance data and audit logs: Retained for the period configured by your organization (default: 7 years) to align with banking regulatory requirements (GLBA, BSA/AML).
  • Backups: Encrypted backups are retained for up to 35 days (automated) and up to 7 years (archival).

9. Data Security

We implement industry-standard security measures including: TLS 1.2+ encryption in transit, encryption at rest, httpOnly cookie-based authentication, CSRF protection, role-based access control, multi-tenant data isolation, account lockout protections, and immutable audit logging. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Zero knowledge of passwords: User passwords are hashed with bcrypt before storage. Valegate employees, engineers, and infrastructure administrators cannot access, view, or recover user passwords. If you forget your password, it must be reset — it cannot be retrieved by anyone, including Valegate staff.

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate personal data.
  • Deletion: Request deletion of your personal data, subject to applicable retention obligations.
  • Export: Request a portable copy of your data in a standard format.
  • Objection: Object to processing of your personal data for certain purposes.

To exercise any of these rights, contact us. We will respond within 30 days.

11. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose.
  • Request deletion of your personal information.
  • Opt out of the sale of your personal information (we do not sell personal information).
  • Not be discriminated against for exercising your privacy rights.

12. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States. By using the Service, you consent to such transfer and processing.

13. Children’s Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice in the Service or by email at least 30 days before the changes take effect. Your continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact

Questions about this Privacy Policy? Email us at support@valegate.app or use our contact form.

This privacy policy should be reviewed by qualified legal counsel before reliance.