AI Gateway Privacy Policy

Last updated: 11 June 2026

Introduction 

This Privacy Policy (“Policy”) explains how UAB “Honeygain” (registered office at Švitrigailos g. 32, Vilnius, Lithuania) (“Honeygain”, “we”, “us”, “our”) collects, uses, shares, and retains personal data, and what your rights are under applicable data protection law.

Who this Policy is for  

This Policy is written for two distinct audiences, and we tell you in each section which parts apply to you:

  • End users — individuals who enable the AI Gateway Module within a third-party application or device (a “Partner Application”), and individuals who visit our website. Sections marked “applies to end users” apply to you.
  • Partners (Application Owners) — businesses and the individuals acting for them who integrate the Module into their applications under our Partnership Terms of Service. Sections marked “applies to partners” apply to you.
  • Where a section is not marked, assume it applies to all data subjects (end users and partners). 

1. Personal data we collect

1.1 Data collected via the AI Gateway Module / Applications (applies to end users) 

When you enable the Module within a Partner Application, we may collect and process:

  • Account information — your email address and a securely hashed password (where you register directly).
  • Device and connection details — IP address, device model, operating system version, last-activity timestamp, and approximate (coarse) geographic location.
  • Network-routing data  — because the core function of the Module is to route third-party internet requests through your device as an “exit node,” your IP address and connection are used to transmit those requests. We do not read, store, or build a profile from the content you personally browse. See Section 2.4 for a full plain-language explanation of this activity. 
  • Usage and performance data — aggregated analytics on how the Application is used, plus crash reports and error diagnostics. 

1.2 Data collected via the website  

  • Automatically collected data — IP address, approximate location, browser type, device information, and operating system, collected through cookies and similar technologies (see Section 8). 
  • Communications data — if you contact us, your name (where provided), email address, the subject and content of your message, attachments, the date, and our correspondence. 

1.3 Partner (Application Owner) data (applies to partners) 

When you apply to become, or act as, a Partner, we collect and process:

  • Business and contact data — company name, registration details, your name and role, business email, and country of registration.
  • Verification / KYC data — identity verification documents and company verification information we may request to comply with legal obligations and to prevent fraud and abuse.
  • Payment data — bank name, account number, routing number, SWIFT/BIC, and other details necessary to pay you, plus invoicing and tax records.
  • Account and performance data — dashboard activity, daily-active-user metrics, throughput and consent-rate reporting tied to your integration.

1.4 Special category data 

We do not seek to collect special categories of personal data (e.g., data revealing health, religion, political opinions, or biometric data). Please do not submit such data to us. If it reaches us incidentally (for example within a support message), we will delete it unless retention is legally required. 

1.5 Children’s data 

The Module and the network are not directed to children, and end users must be of legal age to consent in their jurisdiction. We do not knowingly collect personal data from children below the age of digital consent applicable in their country (which ranges between 13 and 16 across the EEA, and may differ elsewhere). Where a Partner directs its application to a general audience, the Partner is responsible for age-gating in line with applicable law. If we learn we have collected a child’s data without the required parental or guardian consent, we will delete it promptly. Parents or guardians who believe a child has provided data should contact us (Section 11).  

2. Why we process your data, and our legal basis

We process personal data only where we have a lawful basis under Article 6 GDPR (and, where relevant, equivalent provisions of other laws). The tables below set out each purpose and basis.

2.1 Operating the network and Applications (applies to end users) 

| Purpose | Legal basis |
|---|---|
| Creating and maintaining your account and providing the Module’s functionality | Contract (when the contract is directly with a natural person) |
| Routing your connection as an exit node (see 2.4) | Consent |
| Improving and securing the Applications using aggregated usage data | Legitimate interests in maintaining and improving our services |
| Detecting fraud, abuse, and low-quality or malicious traffic | Legitimate interests in preventing fraud, abuse; legal obligation |

2.2 Website 

| Purpose | Legal basis |
|---|---|
| Operating, securing, and optimising the website | Consent for non-essential cookies; legitimate interests for security and core functionality |
| Responding to your enquiries | Legitimate interests in handling requests; pre-contractual steps where you are exploring a partnership |

2.3 Partner relationship (applies to partners) 

| Purpose | Legal basis |
|---|---|
| Onboarding, providing the Module, and paying you | Contract (when the contract is directly with a natural person); Legitimate interest (when the contract is between two legal entities; the personal data processed belongs to employees/representatives of the contracting legal entity) |
| KYC, identity/company verification, sanctions and fraud screening | Legitimate interests in preventing fraud, abuse; legal obligation |
| Tax, accounting, and statutory record-keeping | Legal obligation |

2.4 Plain-language explanation of exit-node routing (applies to end users) 

This is the most privacy-significant part of the service, so we explain it directly. When you enable the Module:

  • Your device becomes an exit node: it relays internet requests made by Honeygain’s vetted business clients (for example, AI companies needing real-time web access). To the websites those clients reach, the request appears to originate from your IP address and location.
  • We route only to destinations that are vetted, legal, and age-appropriate, monitor traffic in real time, and block suspicious activity.
  • This routing happens only with your consent, which you give through the Partner Application’s consent screen, and you can withdraw it at any time by turning the Module off or removing the Partner Application. Withdrawal stops future routing; it does not affect the lawfulness of processing already carried out.

3. How long we keep data

We keep personal data only as long as necessary for the purposes above, then delete or anonymise it, unless a legal or regulatory obligation requires longer retention. 

| Data category | Retention period |
|---|---|
| Registration and service-related data | 6 years after the relationship ends |
| Network-routing / exit-node connection logs | Retained only as long as needed for security, fraud-prevention, and dispute resolution, and in any event no longer than 3 months. |
| Partner business, verification, and payment records | As required by tax/accounting law, generally 10 years |
| Communication data | 2 years after your enquiry is resolved (longer if legally required) |
| Compliance-related data (Section 2.3) | 10 years |
| Website functionality and analytics data | Up to 1 year |

4. Security of your data 

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, taking into account the state of the art, the costs of implementation, and the risks involved. These measures include, as appropriate: encryption of data in transit and at rest, access controls and least-privilege principles, network and residential-IP traffic monitoring, segregation of duties, vendor due diligence, and staff confidentiality obligations. No method of transmission or storage is completely secure, but we work to protect your data and to maintain and test our controls.

5. Your data protection rights  

Subject to applicable conditions and exemptions, you may exercise the following rights. We will respond within one month of a verified request (extendable by two further months for complex or numerous requests, with notice). 

  • Right to be informed / access — confirmation of whether we process your data, and a copy of it together with information about the processing.
  • Right to rectification — correction of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) — deletion where the data is no longer needed, you withdraw consent and there is no other basis, you object successfully, the data was processed unlawfully, or deletion is legally required.
  • Right to restrict processing — where you contest accuracy, the processing is unlawful but you prefer restriction, we no longer need the data but you need it for legal claims, or you have objected pending verification.
  • Right to data portability — receive data you provided, where processing is based on consent or contract and carried out by automated means, in a structured, commonly used, machine-readable format, or have it transmitted to another controller where technically feasible.
  • Right to object — to processing based on legitimate interests or public-interest tasks, and at any time to direct marketing.
  • Right to withdraw consent — at any time, without affecting the lawfulness of prior processing. For exit-node routing, withdraw by disabling the Module or removing the Partner Application.
  • Rights regarding automated decision-making — see Section 7.
  • Right to lodge a complaint — with a supervisory authority, in particular in your country of residence, place of work, or where the alleged infringement occurred. In Lithuania this is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija).
  • Right to non-discrimination — you will not receive different treatment for exercising your rights.

Rights under other laws 

  • California (CCPA/CPRA) — California residents have rights to know, delete, correct, and to opt out of the “sale” or “sharing” of personal information, and to limit use of sensitive personal information. We do not sell personal information for money. We will honour verified requests within one month. 
  • UK GDPR — individuals in the UK have equivalent rights and may complain to the UK Information Commissioner’s Office (ICO).
  • Other jurisdictions — where laws such as LGPD (Brazil), PIPEDA (Canada), or others apply, we will give effect to applicable rights.

6. Automated decision-making and profiling 

We do not make decisions producing legal or similarly significant effects based solely on automated processing, including profiling. For security and fraud-prevention purposes, however, we use automated systems and algorithms to detect unusual or potentially suspicious activity within our user base. If such systems identify irregularities, the relevant activity is subject to human assessment. Following this review, appropriate measures may be taken, which could include temporary suspension or, in exceptional circumstances, termination of access to our services. 

7. Recipients and international transfers 

We do not sell personal data for money. We share personal data with the categories of recipients below only where necessary and lawful. Where data is transferred outside the EEA, we rely on the safeguards indicated (such as adequacy decisions or the European Commission’s 2021 Standard Contractual Clauses (SCCs)).

| Recipient (category) | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Hosting and storage | EU | Not applicable (within EEA) |
| Google Ireland Ltd | Analytics | EU | Not applicable (within EEA) |
| Google LLC | Analytics | US | EU SCCs (2021) |
| Business clients / Partners (exit-node routing) | Enabling vetted clients to access publicly available internet resources via your connection | Worldwide | Adequacy decisions / EU SCCs (2021) |
| Payment, KYC, and accounting providers | Paying Partners; verification; statutory records | Worldwide | Adequacy decisions / EU SCCs (2021) |
| Public authorities, courts, regulators, law enforcement | Where required by law or to establish/exercise/defend legal claims | Worldwide | Adequacy decisions / EU SCCs (2021) |

8. Cookies and similar technologies 

We use cookies and comparable technologies on our website. We request your consent before placing any non-essential cookies; strictly necessary cookies operate automatically. You can manage or withdraw cookie consent at any time through our cookie tool or your browser settings; disabling cookies may affect some features.

The full inventory of cookies we use — their names, purposes, categories, and retention periods — is maintained in our separate Cookie Policy (https://aigateway.honeygain.com/cookie-policy/), which forms part of this Privacy Policy.

9. Changes to this Policy 

We may update this Policy from time to time. Changes take effect on publication unless stated otherwise. For material changes we will give advance notice by appropriate means (email where available, prominent website or in-app notice, or other suitable channels). We encourage periodic review.

10. Contacts  

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at [email protected].  
