Privacy Policy

Privacy Policy.

GARGATE is designed as a no-login AI gateway. We process only the data required to price requests, create QRIS payments, submit AI tasks, display results, prevent abuse, and operate the service reliably.

1. Scope and Controller

This Privacy Policy explains how GARGATE, operated under BSTN Innovation Studio, collects, uses, stores, protects, and deletes information when users access AI models, upload media, create QRIS payments, or check generated results.

By using the service, users acknowledge that AI processing, payment processing, security verification, and result retrieval require limited technical data to be processed by our systems and trusted service providers.

2. Data We Process

We may process AI request inputs, uploaded files or file URLs, selected model identifiers, request configuration, pricing data, Payment ID, process status, QRIS payment metadata, output URLs, error metadata, timestamps, webhook delivery records, and technical audit data.

For abuse prevention and operational security, we may store hashed IP addresses, hashed user-agent values, Turnstile verification metadata, request identifiers, and server-side logs. We do not intentionally store raw IP addresses for user-facing identification.

3. No Login Model and Payment ID Access

GARGATE does not require user accounts. Access to a transaction or generated output is based on possession of the relevant Payment ID or process identifier. Anyone who has that identifier may be able to view the related status and output page.

Users are responsible for storing Payment IDs securely and sharing them only with trusted parties. We cannot verify identity through an account login because the service is intentionally designed without user registration.

4. AI Inputs, Uploads, and Outputs

AI inputs are processed to validate model schemas, calculate pricing, submit tasks to the selected AI provider, and receive results. Uploaded media, including images, video, audio, documents, reference files, and other user-provided assets, may be uploaded or forwarded to the relevant AI provider or media infrastructure required by the selected model.

Once media or prompts are submitted to an AI provider, the provider's own technical capacity, retention rules, safety systems, infrastructure limits, and privacy policies may also apply. GARGATE cannot control every internal processing step performed by upstream AI providers, but we only transmit data that is necessary to perform the user's requested AI task.

Generated outputs are typically stored as URLs or structured metadata so users can retrieve results later. Uploaded media and generated output media are intended to be removed within 30 days, subject to provider availability, infrastructure behavior, operational recovery needs, abuse investigations, or legal preservation requirements.

5. Payments and QRIS Processing

QRIS payments are processed through BSTN Payment Gateway. Payment metadata may include amount, payable amount, admin fee, unique code, payment status, expiry time, payment page URL, and provider response data required for reconciliation and audit.

We do not store card data because the service uses QRIS payment flows. Payment confirmation is received through verified webhooks and may also be refreshed through server-side recovery checks.

6. Security and Abuse Prevention

We use Cloudflare Turnstile, server-side validation, request schema validation, rate-limiting signals, webhook signature verification, server-only API keys, and least-necessary data exposure to protect the service.

Secrets such as AI provider keys, payment gateway keys, webhook secrets, database credentials, and encryption keys are never intentionally exposed to the browser.

7. Retention and Deletion

Uploaded user media is intended to be deleted within 30 days. Generated output media is also intended to be deleted within 30 days. Users should download or save outputs promptly if they need long-term access.

Request payloads may be encrypted at rest and may be purged after submission to the AI provider when the configured purge policy is enabled. Operational records such as payment status, webhook events, audit timestamps, hashed abuse-prevention signals, and error metadata may be retained longer where required for reconciliation, fraud prevention, dispute handling, service debugging, security review, or legal compliance.

8. Third-Party Providers

The service relies on infrastructure and providers including payment gateway services, AI model providers, media upload endpoints, hosting infrastructure, database infrastructure, and security verification services.

Third-party providers process data according to their own technical requirements, policies, and operational capacity. This includes AI providers that receive prompts, model parameters, uploaded media, and other materials required to generate the requested output. We send only the information necessary to perform the requested service.

9. No Sale of User Data

GARGATE does not sell user data. GARGATE does not rent user data. GARGATE does not share user data with unrelated parties for advertising, profiling, resale, or data brokerage.

Data is shared only when necessary to operate the service: processing AI requests, uploading media to AI infrastructure, creating and verifying QRIS payments, securing the platform, complying with lawful obligations, resolving disputes, or investigating abuse.

10. Ownership and User Rights

User prompts, uploaded media, request materials, and generated outputs remain the user's materials to the extent permitted by applicable law and the policies of the relevant AI provider. GARGATE claims no ownership over user-submitted content or generated outputs.

Users are responsible for ensuring that their uploads, prompts, and use of outputs comply with applicable law, third-party rights, and provider policies. Users may contact us through official channels for access, deletion, payment, or privacy-related assistance.

11. User Responsibilities

Users must not submit unlawful, abusive, infringing, harmful, or privacy-invasive content. Users must also ensure that they have the necessary rights and permissions for any uploaded media, prompts, or reference materials.

Users should download or save important outputs promptly and keep Payment IDs confidential where privacy is required.

12. Contact

For privacy, payment, access, or operational questions, contact BSTN Innovation Studio through the official contact channels listed on the Contact page.