Effective date: July 1, 2026
This Privacy Policy explains how Ghosts ("we," "us") collects, uses, and shares information when you use ghosts.app and the Ghosts platform (the "Service"). It applies to account holders, workspace members, and visitors to our site.
Account information. Name, email address, password (stored as a hash), and optional profile details such as company name and website.
Content. The briefs, notes, links, and materials you submit, and the drafts, revisions, and reviews the Service generates in your workspaces ("Customer Content"). Customer Content is isolated per workspace and, within agency workspaces, per client project.
Billing information. Plan, credit balance, and usage ledger. Payments are processed by Stripe; we receive transaction metadata (amounts, last four digits, expiry) but never your full card number.
Usage and device data. Log data such as IP address, browser type, pages viewed, and actions taken, used for security, debugging, and capacity planning.
When you request a draft, relevant parts of your brief and workspace context are sent to our AI model provider to generate the text you asked for. Our provider agreements do not permit the use of your content to train their models. When you enable research, your topic terms are sent to a search provider and the Service fetches publicly available web pages to ground the draft's citations.
We do not sell your personal information. We share it only with:
We use essential cookies for authentication and session security. We do not run third-party advertising trackers on the Service.
We keep your account information and Customer Content while your account is active. Content you delete is removed from active views immediately and purged from backups on a rolling schedule. Billing ledger records are retained as required for accounting. You may request account deletion at any time; we will delete or de-identify your personal information except where retention is required by law.
Customer Content is protected by workspace- and project-level access controls enforced at the database layer, encrypted in transit, and encrypted at rest by our infrastructure providers. No method of transmission or storage is completely secure; we encourage strong, unique passwords.
Depending on where you live, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. You can exercise most of these directly in your account settings, or by contacting us. We will respond within the time required by applicable law. We do not discriminate against you for exercising your rights.
The Service is not directed to children under 18, and we do not knowingly collect personal information from them.
We are based in the United States and process data there and in the regions our infrastructure providers operate. Where required, transfers are protected by appropriate safeguards such as standard contractual clauses.
We may update this Policy from time to time. Material changes will be posted here with an updated effective date, and we will notify account holders by email when changes meaningfully affect how we handle personal information.
Privacy questions or requests: contact us.