Privacy Policy
Last updated: April 25, 2026
At Gathery, we take your privacy seriously. This policy explains how we collect, use, share, and protect personal information when you use our document intake platform.
1. Introduction
Gathery ("we", "us", or "our") provides a secure client document intake portal that lets account owners ("Owners") collect documents and information from their clients ("Clients") through configurable web portals. This Privacy Policy describes how we collect, use, share, and protect personal information in connection with the Gathery website, applications, and services (collectively, the "Service").
This Policy applies to (a) Owners and prospective customers who interact with our website or sign up for the Service, and (b) Clients who upload documents through portals operated by Owners. For Client uploads and Client-provided information, the Owner is the party that determines what is collected and why; Gathery acts on the Owner's behalf as described in Section 2.
2. Definitions
- "Personal Information" means information that identifies, relates to, or could reasonably be linked to a particular individual or household.
- "Account Data" means information about Owners and their Gathery accounts (e.g., name, email, billing details, usage data). Gathery determines how Account Data is processed.
- "Client Data" means files, form responses, and other information that Clients submit through portals operated by Owners. The Owner determines what Client Data is collected and how it is used; Gathery processes Client Data on the Owner's behalf.
- "Portal" means a public intake page that an Owner configures within Gathery to receive Client uploads.
- "Sub-processor" means a third-party service provider engaged by Gathery to help operate the Service.
3. Eligibility & Geographic Availability
The Service is offered from the United States to users located in the United States and other jurisdictions where it is lawful to do so. The Service is intended only for individuals who are 18 years of age or older.
The Service is not directed to, and we do not knowingly offer the Service to, residents of the European Economic Area (EEA), the United Kingdom, or Switzerland. If you are located in those regions, please do not create an account or upload documents through Gathery.
4. Information We Collect
4.1 Account Information
When you create an Owner account we collect your name, email address, company name, and password (stored only as an Argon2id hash). This information is required to provision and maintain your account.
4.2 Billing Information
If you subscribe to a paid plan, payment card details are collected and processed directly by our payment processor (Stripe) and are not stored on Gathery systems. We retain limited billing metadata such as your Stripe customer identifier, plan, subscription status, invoice history, and renewal dates.
4.3 Uploaded Documents (Client Data)
Clients may upload files and form responses through Owner-operated Portals. These uploads are stored in encrypted object storage and retained for the period configured by the Owner (between 1 and 365 days, depending on the Portal and the Owner's account plan). After the retention period expires, files are automatically and permanently deleted from active storage. We do not access, view, index, or analyze the contents of uploaded documents except as necessary to operate the Service (for example, to perform virus scanning) or as required by law.
4.4 Client Information
When a Client submits an upload through a Portal, we collect the Client's IP address and any contact information (such as name or email) the Owner has chosen to request through the Portal. This information is associated with the Owner's account and is visible to that Owner.
4.5 Usage & Device Data
We automatically collect certain information when you interact with the Service: IP address and approximate location derived from it; browser type, version, language, and user-agent string; device characteristics such as operating system and screen size; pages visited, features used, and links clicked within the Service; timestamps and identifiers for actions you take; and the referrer URL.
4.6 Cookies & Similar Technologies
We and our Sub-processors use cookies and similar technologies to operate the Service, keep you signed in, prevent abuse, and measure how the Service is used. A full list of cookies appears in Section 10.
4.7 Audit Logs & Security Events
We record administrative and security-relevant events (such as sign-ins, file uploads, downloads, deletions, and configuration changes) so that Owners can audit activity within their account and so we can investigate security incidents.
4.8 Support Communications
When you contact us by email or through a support channel, we receive the contents of your message, your contact information, and any attachments you choose to share so that we can respond and maintain a record of the request.
4.9 Marketing & Email Engagement
For marketing and transactional emails sent through our email provider, we may receive engagement signals such as whether you opened a message, clicked a link, or unsubscribed. We use this information to measure deliverability and the effectiveness of our communications.
4.10 Third-Party Authentication (Google Sign-In)
You may choose to create an account or sign in using Google Sign-In. When you do, Google shares your name, email address, and profile picture with us. We use this information solely to create and authenticate your Gathery account. We do not receive your Google password.
Your use of Google Sign-In is also subject to Google's Privacy Policy. You can review and revoke Gathery's access to your Google account at any time at https://myaccount.google.com/connections.
5. How We Use Information
We use the information described above to: provide, operate, and maintain the Service (including authentication, processing uploads, virus scanning, and enforcing retention rules); process payments and manage subscriptions through our payment processor; communicate with you about your account, security alerts, product changes, and support requests; detect, investigate, and prevent fraud, abuse, and security incidents and enforce our terms; analyze aggregated usage to improve the Service, debug issues, and develop new features; send marketing communications about Gathery in accordance with your preferences (see Section 14); and comply with legal obligations.
We do not use the contents of uploaded documents (Client Data) for analytics, marketing, advertising, or to train artificial-intelligence or machine-learning models.
6. How We Share Information
We do not sell or rent Personal Information. We share information only as described below.
6.1 Sub-processors
We engage the following third-party service providers to help us operate the Service. We share with each Sub-processor only the information reasonably needed for the stated purpose, and we require them to handle Personal Information consistent with this Policy and applicable law.
| Sub-processor | Purpose | Region |
|---|---|---|
| PostHog | Product analytics. Configured to discard IP addresses; only de-identified usage data is collected. | European Union |
| Stripe | Payment processing and subscription billing. | United States |
| Vultr | Cloud compute hosting for the application and worker services. | United States |
| Cloudflare | CDN, DDoS mitigation, web application firewall, and bot protection. | Global edge network |
| Backblaze B2 | Encrypted object storage for uploaded files. | United States |
| Mailtrap | Transactional and marketing email delivery. | European Union |
| Google Ads | Advertising and conversion measurement. Currently being phased out. | Global |
| Ahrefs | Marketing and search analytics on our public website. | Global |
6.2 Legal Requirements
We may disclose information when we believe in good faith that disclosure is required by law, regulation, legal process, or governmental request, or where disclosure is necessary to protect the rights, property, or safety of Gathery, our users, or others.
6.3 Business Transfers
If Gathery is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to customary confidentiality obligations.
7. Data Retention
We retain Personal Information for the periods set out below, and longer where required by law (for example, to comply with tax, accounting, or legal-hold obligations).
| Data Category | Retention Period |
|---|---|
| Uploaded documents (Client Data) | As configured by the Owner per Portal: between 1 and 365 days, depending on the Portal and the Owner's account plan. |
| Account information after closure | 30 days after account deletion, after which we delete or anonymize the data. |
| Billing and tax records | 7 years, to comply with U.S. tax and accounting obligations. |
| Audit logs and security events | 1 year |
| Application and server logs | 1 year |
| Email engagement records | 1 year |
| Analytics events (PostHog) | 1 year |
| Marketing list entries | Until you opt out, or 1 year after your last engagement (whichever comes first). |
| Backups | 1 year |
When data is deleted from our active systems, residual copies may persist in encrypted backups until those backups age out under the schedule above.
8. Data Security
We use technical and organizational safeguards designed to protect Personal Information against unauthorized access, alteration, disclosure, or destruction. These include: encryption in transit using TLS 1.3 and at rest using AES-256; passwords stored only as Argon2id hashes; role-based access controls and least-privilege principles; multi-factor authentication for administrative access; automated virus scanning of all uploaded files in a quarantine area before they are made available for download; strict per-tenant isolation in the application and database layers; and short-lived, pre-signed download URLs for files.
No method of transmission or storage is completely secure. While we work hard to protect your information, we cannot guarantee absolute security.
9. Breach Notification
If we become aware of a security incident that materially affects the confidentiality, integrity, or availability of your Personal Information, we will notify affected users by email without undue delay, describe what happened, the data involved (to the extent known), the steps we are taking, and recommended actions.
10. Cookies & Tracking
The Service uses the following cookies. Strictly-necessary cookies are required for the Service to function. You can control non-essential cookies through your browser settings; doing so may affect parts of the Service.
| Cookie | Type | Party | Purpose |
|---|---|---|---|
| ory_kratos_session | Strictly necessary | First-party | Maintains your authenticated session. |
| csrf_token_* | Strictly necessary | First-party | Protects sign-in and OIDC flows from cross-site request forgery (set by Ory Kratos). |
| cf_clearance | Strictly necessary | Third-party (Cloudflare) | Records that you passed a Cloudflare bot or security challenge. |
| ph_gathery_posthog | Analytics | Third-party (PostHog) | De-identified product analytics and event tracking. |
| _gcl_au | Advertising | Third-party (Google) | Ad attribution. Currently being phased out. |
| _gcl_gs | Advertising | Third-party (Google) | Ad campaign signal. Currently being phased out. |
Where applicable, we treat a Global Privacy Control (GPC) signal from your browser as a request to opt out of the sale or sharing of Personal Information for cross-context behavioral advertising.
11. Your Rights
Subject to applicable law, you may exercise the following rights with respect to your Personal Information: access (request a copy), correct inaccurate data, delete (subject to legal retention), portability, opt out of marketing, and withdraw consent where we rely on it.
To submit a request, email privacy@gathery.app. We will respond within 30 days. We may need to verify your identity (typically by confirming control of the email associated with your account) before fulfilling a request.
If you are a Client who uploaded documents through a Portal, please direct requests about that data to the Owner who operates the Portal. We will help the Owner respond where appropriate.
12. California Residents (CCPA / CPRA)
This section provides additional disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the CCPA).
12.1 Categories of Personal Information We Collect
In the past 12 months we have collected the following categories of Personal Information: identifiers (e.g., name, email address, IP address); customer records (e.g., billing details processed by Stripe); commercial information (e.g., subscription history); internet or other electronic network activity (e.g., usage and device data); approximate geolocation derived from IP address; and inferences drawn from the foregoing for product analytics. We collect these categories from you directly, from your interactions with the Service, and from the Sub-processors listed in Section 6.1. We use them for the purposes described in Section 5.
12.2 No Sale of Personal Information
We do not sell Personal Information for monetary consideration. We do not knowingly sell or share the Personal Information of consumers under 16 years of age. We do not use or disclose Sensitive Personal Information for purposes other than those permitted under the CCPA without further notice.
12.3 Your California Rights
California residents have the right to know, to delete, to correct, to opt out of the sale or sharing of Personal Information, to limit the use and disclosure of Sensitive Personal Information, and to non-discriminatory treatment for exercising any of these rights. To exercise these rights, follow the process in Section 11. You may use an authorized agent acting on your behalf, in which case we will require proof of authorization and may require you to verify your identity directly with us.
12.4 Shine the Light
California Civil Code §1798.83 permits California residents to request information regarding the disclosure of Personal Information to third parties for those third parties' direct-marketing purposes. We do not disclose Personal Information to third parties for their own direct-marketing purposes.
13. Automated Decision-Making & AI
Gathery does not make decisions about you that produce legal or similarly significant effects through solely automated means.
Gathery does not use Customer Data, uploaded documents, or the contents of Client submissions to train, fine-tune, or evaluate artificial-intelligence or machine-learning models, and we do not provide such data to third parties for those purposes.
14. Marketing Communications
We send two types of email: (a) transactional emails about your account, security, and billing, which are required to operate the Service and cannot be opted out of while your account is active; and (b) marketing emails about Gathery features, news, and offers.
You can opt out of marketing emails at any time by clicking the unsubscribe link in any marketing message, by adjusting the marketing preference in your account settings, or by emailing us at the address in Section 19. Opting out of marketing emails does not affect transactional emails.
15. Google API Services Disclosure
Gathery's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.
Specifically, when you sign in with Google, the basic profile information we receive (name, email address, profile picture) is used only to create and authenticate your Gathery account. We do not transfer that data to others except as necessary to provide or improve user-facing features, and we do not use it for serving advertisements, for human reading, or to develop, improve, or train generalized artificial-intelligence or machine-learning models.
16. Children's Privacy
The Service is intended only for individuals 18 years of age or older. We do not knowingly collect Personal Information from anyone under 18. If we learn that we have collected Personal Information from a person under 18, we will delete that information.
17. Data Processing Agreements
If your organization requires a Data Processing Agreement (DPA) describing how Gathery processes Personal Information on your behalf, please email privacy@gathery.app and we will work with you to put a DPA in place.
18. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify Owners by email and update the "Last updated" date at the top of this page. Your continued use of the Service after a change becomes effective constitutes your acceptance of the updated Policy.
19. Contact Us
Gathery is operated in the United States. If you have questions, requests, or concerns about this Privacy Policy or our handling of Personal Information, contact us at: