Privacy Policy

Last updated 2026-06-20. This policy explains what personal data Ghost collects, how and why we use it, who we share it with, how long we keep it, and the rights you have over it.

This Privacy Policy describes how Ghost ("Ghost", "we", "us") collects, uses, discloses, and otherwise processes personal data in connection with the Ghost website, dashboard, APIs, mobile applications, and related services (collectively, the "Service"). It applies to information we collect from and about you when you visit our sites, create an Account, or use the Service. It does not apply to third-party websites or services, which are governed by their own policies. By using the Service, you acknowledge the practices described here.

1. Who we are & how to contact us

Ghost is the data controller of the personal data we process about you, unless we are acting as your processor in respect of identifiers you ask us to suppress on your behalf (in which case your authorisation under our Terms governs that processing). We are headquartered in London, United Kingdom.

Privacy inquiries: privacy@ghost.privacy. Our Data Protection Officer can be reached at dpo@ghost.privacy. EU and UK representatives are appointed where required and listed at /gdpr.

2. The personal data we collect

We collect the following categories of personal data:

  • Account data — your name, email address, password hash, account preferences, role, and (for paid accounts) billing name, billing address, and last-four payment-card digits supplied by our payment processor.
  • Monitoring identifiers — the personal identifiers you ask us to monitor or remove on your behalf, including names, aliases, prior names, email addresses, phone numbers, postal addresses, dates of birth, social-media handles, employer names, and similar identifiers.
  • Removal & case data — copies of opt-out requests we file, responses received from data brokers, screenshots and timestamps used as proof of submission, status of each case, and any correspondence about an individual case.
  • Breach & exposure data — information returned from breach archives, public records, and dark-web sources when we match one of your identifiers. We hold the minimum metadata needed to alert you and demonstrate the match.
  • Usage data — pages you view, features you use, search queries inside the dashboard, click events, referring URLs, and approximate timestamps. Retained in identifiable form for 90 days and in aggregated/de-identified form afterwards.
  • Device & network data — IP address, user-agent, device type, operating system, browser locale and time zone, and coarse-grained location (country/region) inferred from IP. Retained for 30 days for security purposes; truncated or aggregated afterwards.
  • Cookies & similar technologies — first- and third-party cookies and local-storage items used for session management, security, analytics, and (where you consent) measurement. See our Cookie Policy.
  • Communications — emails, chats, and support tickets you send to us, including any attachments. Retained for 24 months after closure of the relevant ticket for quality and audit purposes.

We do not knowingly collect special-category personal data (such as racial or ethnic origin, religious or philosophical beliefs, trade-union membership, health data, sex life or sexual orientation, or genetic or biometric data). Please do not submit such information through the Service.

3. Where we get it from

We obtain personal data from the following sources:

  • From you — when you register, configure monitoring, contact support, complete forms, or upload identifiers.
  • Automatically — when you interact with the Service (device data, usage telemetry, cookies).
  • From sub-processors and partners — payment events from Stripe, error reports from our observability provider, deliverability events from our email provider.
  • From public and breach sources — when we scan data-broker sites, public registries, and breach databases for matches against the identifiers you asked us to monitor.

4. How and why we use it (purposes & legal bases)

We process personal data for the following purposes:

  • Providing the Service — operating the dashboard, submitting opt-out requests, monitoring sources, and notifying you of new exposures. Legal basis: performance of our contract with you (GDPR Art. 6(1)(b)); your authorisation to act on your behalf under our Terms.
  • Billing & payments — processing subscriptions, handling refunds, preventing payment fraud. Legal basis: contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)).
  • Customer support — answering your questions and troubleshooting issues. Legal basis: contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in operating a responsive support function.
  • Security & abuse prevention — detecting fraud, credential stuffing, account takeover, scraping, and abuse of the Service. Legal basis: legitimate interests (Art. 6(1)(f)) in maintaining a secure platform; legal obligation (Art. 6(1)(c)) where a duty applies.
  • Service improvement & analytics — measuring how the Service is used, fixing bugs, planning capacity, and improving match accuracy using de-identified, aggregated data. Legal basis: legitimate interests (Art. 6(1)(f)) or consent (Art. 6(1)(a)) where required by local law.
  • Communications — sending transactional notices (security, billing, exposure alerts), and product communications you have not opted out of. Legal basis: contract (Art. 6(1)(b)) for transactional; legitimate interests or consent for marketing, depending on jurisdiction.
  • Compliance & legal claims — meeting our legal obligations, responding to lawful requests, exercising or defending legal claims. Legal basis: legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)).

5. Who we share it with

We share personal data only as described below.

  • Sub-processors — vetted vendors that process data on our instructions (payments, infrastructure, email delivery, error tracking, customer-support tooling). Current list: /subprocessors.
  • Data brokers, registries & breach providers — we transmit the minimum identifiers necessary to submit opt-out, suppression, or deletion requests on your behalf and to verify their outcomes. We do not share more than is required for each specific request.
  • Professional advisors — lawyers, auditors, accountants, and insurers under appropriate confidentiality obligations.
  • Authorities & regulators — where we are required by law or in response to a valid legal request (such as a court order, subpoena, or regulator demand). We assess each request and challenge it where we believe it is overbroad or unlawful.
  • Corporate transactions — in connection with a merger, acquisition, financing, reorganisation, or sale of all or part of our business. We will require the recipient to honour the protections described in this Policy and notify you of any material change to data handling.

We do not sell or rent your personal data. We do not share your personal data with advertisers for cross-context behavioural advertising. We do not use your Personal Identifiers, Monitoring data, or Removal data to train general-purpose machine-learning models.

6. International data transfers

Your data may be processed in the United Kingdom, the European Economic Area, the United States, and other countries where our sub-processors operate. Where we transfer data outside the UK or EEA, we rely on appropriate safeguards, including: the UK's International Data Transfer Agreement or Addendum; the European Commission's Standard Contractual Clauses; adequacy decisions where they apply; Data Privacy Framework certifications for US recipients where applicable; and supplementary measures such as encryption, pseudonymisation, and contractual access restrictions. A copy of the relevant safeguards is available on request to privacy@ghost.privacy.

7. How we secure your data

We implement administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, multi-factor authentication for staff, hardened production environments, application-level logging and anomaly detection, secure software-development practices, and regular vendor reviews. No system is perfectly secure; you are responsible for keeping your credentials confidential and notifying us immediately at security@ghost.privacy if you suspect unauthorised activity.

If we determine that a personal-data breach has occurred that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected users without undue delay.

8. How long we keep it

  • Account & billing data — for the life of your Account and for up to seven (7) years after closure to meet tax, accounting, and legal-hold requirements.
  • Monitoring identifiers — for as long as you instruct us to monitor them, and for up to 30 days after you remove them or close your Account, after which they are purged from active systems (backups are overwritten within 90 days).
  • Removal & case evidence — for 24 months after case closure, to demonstrate compliance with privacy-rights regulations and respond to any later disputes.
  • Usage data — 90 days in identifiable form, then aggregated.
  • Device/network logs — 30 days for security; longer only where required for an active investigation.
  • Support communications — 24 months after closure of the relevant ticket.
  • Backups — overwritten on a 30- to 90-day rolling cycle.

9. Your rights

Subject to applicable law, you have the right to:

  • Access a copy of the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your personal data (the "right to be forgotten").
  • Restrict or object to certain processing, particularly where we rely on legitimate interests.
  • Withdraw consent at any time where processing is based on consent (this does not affect prior lawful processing).
  • Portability — receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
  • Not be subject to solely automated decisions that produce legal or similarly significant effects. We do not currently make such decisions.
  • Lodge a complaint with a supervisory authority, including the UK Information Commissioner's Office (ico.org.uk), your local EU data-protection authority, or (for California residents) the California Privacy Protection Agency.

To exercise any of these rights, write to privacy@ghost.privacy or use the Privacy & Data controls in your dashboard. We may need to verify your identity before acting on a request. We respond within 30 days; we may extend by a further 60 days for complex requests and will tell you if we do.

10. California (CCPA/CPRA) disclosures

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the CPRA:

  • Right to know the categories and specific pieces of personal information we have collected about you in the past 12 months, the sources, the business purposes, and the categories of third parties to whom we disclosed it.
  • Right to delete personal information, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing. We do not sell your personal information and we do not share it for cross-context behavioural advertising.
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for any purpose other than as necessary to provide the Service.
  • Right to non-discrimination for exercising any of these rights.

You may exercise these rights through the channels in Section 9. You may also use an authorised agent; we will verify the agent's authority before responding.

11. Marketing & communications choices

We send transactional messages (security alerts, billing receipts, exposure notifications) as part of operating the Service; you cannot opt out of these while your Account is active. You may opt out of product and marketing emails at any time via the unsubscribe link in the email or by updating your preferences in your dashboard.

12. Cookies & analytics

We use a minimal set of strictly necessary cookies for authentication and security. Where required by law (including in the EU/UK), we request consent before setting non-essential cookies and provide controls to manage them. See our Cookie Policy for the full list, purposes, providers, and retention periods.

13. Children

The Service is not directed at children. We do not knowingly collect personal data from anyone under 18 (or under 16 where local law sets a lower digital-consent age). If you believe a child has provided personal data, please contact us at privacy@ghost.privacy and we will delete it.

14. Third-party services & links

The Service may link to or interact with third-party websites, applications, or services. Their privacy practices are not governed by this Policy. We encourage you to review their policies before sharing any personal data with them.

15. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top of this page reflects the current version. For material changes, we will provide at least 30 days' advance notice by email or in-app banner before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

16. Contact

Privacy inquiries: privacy@ghost.privacy. Data Protection Officer: dpo@ghost.privacy. Security reports: security@ghost.privacy.