Privacy Policy

1. Introduction

OPENGATE TECHNOLOGY LTD. ("Company", "we", "us", "our") is committed to protecting your privacy and the privacy of data processed through the Hippocortex platform. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our platform, APIs, SDKs, and related services (the "Services").

We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the Data Protection Act 2018, and other applicable data protection laws.

2. Data Controller

The data controller for personal data processed through the Hippocortex platform is:

When you use the Services to process personal data on behalf of your end users or through your AI agents, you act as the data controller and we act as a data processor. The terms of our data processing relationship are governed by our Data Processing Agreement.

3. Information We Collect

3.1 Account Information

When you register for an account, we collect your email address, display name, and hashed password. If you subscribe to a paid plan, we collect billing information through our payment processor (Stripe), including payment method details, billing address, and transaction history. We do not store raw credit card numbers on our systems.

3.2 Customer Data (Agent Events)

When you use the capture API, you submit agent interaction events that may contain personal data depending on your use case. These events include:

• •Message events (user and assistant conversation content)
• •Tool call events (tool names and input parameters)
• •Tool result events (tool execution output)
• •File edit, test run, command execution, browser action, and API result events

This data is processed through our capture pipeline (queued via Redis, persisted to PostgreSQL), optionally compiled into knowledge artifacts through the learn endpoint, and made available for retrieval through the synthesize endpoint. You control what data is submitted and are responsible for ensuring compliance with applicable data protection laws for any personal data included.

3.3 Usage and Telemetry Data

We automatically collect data about how you interact with the Services, including: API call volumes and endpoint usage, event counts by type, compilation frequency, synthesis request patterns, error rates, and response times. This data is aggregated and used to improve service quality, capacity planning, and abuse detection.

3.4 Technical Data

When you access the Services (including the website and dashboard), we collect: IP addresses, browser type and version, device information, operating system, referring URLs, and access timestamps. This data is collected through standard web server logs.

4. How We Process Agent Event Data

Agent event data submitted through the capture API follows this processing flow:

1. 1.Ingestion: Events are received by the API, validated, and queued to Redis (BullMQ) for asynchronous processing.
2. 2.Persistence: Background workers persist events to PostgreSQL with tenant-scoped isolation. Events are stored with their type, session ID, payload, and metadata.
3. 3.Compilation: When you trigger the learn endpoint, a compilation worker analyses accumulated events and extracts patterns. Patterns are compiled into knowledge artifacts (task schemas, failure playbooks, causal patterns, decision policies).
4. 4.Synthesis: The synthesize endpoint searches across memories and artifacts using semantic search (pgvector), assembles relevant context entries, and returns them within a token budget.

All processing occurs within your tenant's isolated scope. Cross-tenant data access is architecturally impossible due to tenant ID filtering at the database query level.

5. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

• •Performance of contract (Article 6(1)(b)): Processing account information and Customer Data is necessary to provide the Services you have contracted for.
• •Legitimate interests (Article 6(1)(f)): Processing usage data for service improvement, security monitoring, and abuse prevention. Our legitimate interests do not override your fundamental rights and freedoms.
• •Consent (Article 6(1)(a)): Where we use non-essential cookies or process data for marketing purposes, we obtain your explicit consent. You may withdraw consent at any time.
• •Legal obligation (Article 6(1)(c)): Processing required to comply with tax, accounting, or regulatory obligations.

6. Data Retention

We retain data for the following periods:

Upon deletion, data is permanently removed from all active systems within 30 days and from all backup systems within 90 days.

7. Sub-processors

We use the following third-party service providers (sub-processors) to deliver the Services. Each sub-processor is bound by data processing agreements that provide protection consistent with this Privacy Policy.

We will notify you of changes to our sub-processor list at least 30 days before engaging a new sub-processor. You may object to a new sub-processor within 14 days of notification.

8. International Transfers

OPENGATE TECHNOLOGY LTD. is based in England. Some of our sub-processors operate in the United States. Where personal data is transferred outside the United Kingdom or the European Economic Area, we ensure appropriate safeguards are in place, including:

• •UK and EU adequacy decisions for the recipient country
• •Standard Contractual Clauses (SCCs) as approved by the European Commission and the UK Information Commissioner's Office (ICO)
• •The EU-US Data Privacy Framework and UK Extension, where applicable

You may request a copy of the relevant transfer safeguards by contacting privacy@hippocortex.dev.

9. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:

• •Right of access: Request a copy of the personal data we hold about you.
• •Right to rectification: Request correction of inaccurate or incomplete personal data.
• •Right to erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
• •Right to restriction: Request that we restrict processing of your personal data in certain circumstances.
• •Right to data portability: Request your personal data in a structured, commonly used, machine-readable format.
• •Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
• •Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise these rights, contact privacy@hippocortex.dev. We will respond to your request within 30 days. We may need to verify your identity before processing your request. Complex or numerous requests may take up to 60 days, in which case we will notify you of the extension and the reasons.

10. Cookies

We use the following types of cookies:

• •Essential cookies: Required for authentication, session management, and security. These cannot be disabled as they are necessary for the Services to function.
• •Analytics cookies: Used to understand how visitors interact with the website. Only deployed with your explicit consent. We do not use analytics cookies on the API.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the dashboard.

11. Security

We implement appropriate technical and organisational measures to protect personal data, including:

• •Encryption in transit (TLS 1.3) and at rest (AES-256)
• •Multi-tenant isolation at the database, cache, and application layers
• •API key hashing (SHA-256) with scoped permissions
• •Password hashing with Argon2id
• •Rate limiting per API key and per tenant
• •Regular security assessments and monitoring

For full details, see our Security Policy.

12. Children's Privacy

The Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us at privacy@hippocortex.dev and we will take steps to delete such data.

13. Data Sharing

We do not sell personal data. We do not share personal data for advertising purposes. We may share personal data only in the following circumstances:

• •With sub-processors as listed in Section 7, under appropriate data processing agreements
• •When required by valid legal process (court order, subpoena, or regulatory request)
• •In connection with a merger, acquisition, or sale of assets, with prior notice to affected users
• •To protect the rights, property, or safety of our users, the public, or ourselves

14. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated at least 30 days before they take effect via email to the address associated with your account or through a notice in the dashboard.

We encourage you to review this Privacy Policy periodically. The "Last updated" date at the top of this page indicates the most recent revision.

15. Complaints and Supervisory Authority

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with a supervisory authority. For the United Kingdom, the relevant authority is:

If you are located in the European Union, you may also contact your local data protection authority.

16. Contact

For privacy-related inquiries: