Is Ghost a freedom-of-information case management system?

No. Ghost is built around the subject access side of the work — DSAR intake, identity verification, deadline tracking, redaction, response pack assembly, time-limited delivery, and the audit trail. FOI requests often run in parallel against the same files, but they have separate deadlines, exemptions, and review routes — and a dedicated FOI tool is the right home for that workflow.

Can we log a complex-request extension under Article 12(3)?

Yes. Ghost tracks the one-month statutory clock and lets you record a clarified extension up to two further months for complex requests, with the rationale captured on the case. The audit log carries the extension decision so internal review or the ICO can see how it was reached.

Ghost hosts data in EU data centres. Data is encrypted in transit and at rest. The audit log is append-only. Disclosure links to requesters are time-limited and re-issuable. Identity documents collected during verification are retained for a configurable period and then deleted.

Can internal review and external counsel sit alongside?

Yes. Invite internal reviewers and external counsel as members with the appropriate role — Operator for handling cases, Read-only for review. Every decision on every case is in the append-only audit log against the reviewer who made it.

How much does it cost?

Free: 1 active case, manual PDF redaction up to 5 pages per file, 10 redactions per month. Solo DPO is €49/month for one user; DPO Team is €149/month with up to 10 seats. We can engage on procurement-specific arrangements for larger authorities — talk to us via the demo flow.

Ghost

For public sector bodies

High-volume DSARs,
on time, on the record.

Q: How does Ghost support law-enforcement processing under DPA 2018 Part 3?

Ghost is designed primarily around UK GDPR / GDPR workflows. For organisations carrying out law-enforcement processing, Part 3 of the Data Protection Act 2018 applies in place of the UK GDPR for that processing, with its own rules on data-subject rights. Ghost can host the operational records, but the legal mapping is for your information governance lead and counsel.

A housing file, a school record, an HR file — all caught by subject access, often by FOI in parallel. Ghost is built around the subject-access side: intake, identity verification, deadline tracking, redaction, and the audit trail behind every decision.

EU-hosted · Append-only audit log · Designed for procurement scrutiny on residency.

Start 30-day free trial Try the redaction demo

Ghost — Subject access request

Ghost privacy request workspace: case detail with identity verification, tasks, and documents

1 month

UK GDPR Article 12 default

+2 months

Extension for complex requests

72 hours

Breach notification clock (Art. 33)

Hosted infrastructure

The information rights workflow

Log. Locate. Redact. Disclose.

A resident asks for their housing file. A parent asks for their child's social work record. A leaver asks for their HR file. The work is the same shape every time — and the trail has to survive challenge, internal review, and an ICO query.

Step 01

Log and verify

Intake through a branded form. Verify identity before any disclosure. The one-month statutory clock under Article 12 starts the moment the request is identifiable.

Step 02

Locate across service areas

Pull records from the relevant service area systems — housing, social care, education, HR. Ghost holds the case; the records management systems remain the systems of record.

Step 03

Redact third parties and exempt material

Mask third-party identifiers and exempt content. Capture the rationale next to every redaction. AI-assisted detection on Solo DPO and DPO Team; manual redaction on every plan.

Step 04

Disclose and evidence

Send via a signed, time-limited link. Keep an append-only audit trail of every step — exportable as evidence when internal review or the ICO asks.

Privacy request manager

Built around the statutory clock — including complex-case extensions.

Branded intake for requesters and representatives, identity verification before any disclosure, task assignment across service areas, and automatic deadline tracking with optional clarified extensions for complex requests.

Branded intake for requesters and representatives
Identity verification before any disclosure
Tasks assignable across service areas
Clarified Article 12(3) extensions captured on the case

Explore privacy requests

Ghost — Privacy request manager

Ghost privacy request workspace showing intake, identity verification, tasks, and documents on a single case

Manual and AI-assisted redaction

Third parties out. Exempt material out. Defensibly.

Upload exports from line-of-business systems, scanned correspondence, and case files. AI-assisted detection surfaces likely third-party names, addresses, and identifiers for human review. You accept, reject, or refine — and the rationale lands in the audit log.

PDFs, scanned correspondence, CSV exports
AI-assisted PII detection on Solo DPO and DPO Team
Client-side rendering — files stay in your browser
Rationale captured next to every redaction decision

Try the redaction demo

Ghost — Redaction

Append-only audit log

Every acknowledgment, every decision — already written down.

Records of processing aligned to Article 30 across service delivery, employee data, statutory functions, and shared processing. An append-only audit log of every intake, clarification, redaction decision, internal review note, and final response. When an ICO investigator or internal reviewer asks how a decision was reached, the chain is already there.

Article 30 register across service areas
Lawful basis under Art. 6 and Art. 9 on every activity
Append-only timeline per case
Audit pack export when internal review or the ICO asks

Inside the Compliance Hub

Ghost — Compliance Hub

See it end to end

A short walk-through of the workspace.

Redaction, privacy requests, and the audit log — in about three minutes.

Ghost — Product tour

More walkthroughs and guides

What public sector teams ask us first

Three questions every IG team raises.

“Where does FOI fit?”

Ghost is built for subject access, not FOI. FOI runs in parallel and has its own deadlines, exemptions, and review routes — a dedicated FOI tool is the right home for that workflow. Ghost lives next to it.

“What about residency for procurement?”

EU-hosted data centres, encryption in transit and at rest, an append-only audit log, time-limited disclosure links, and configurable retention. The full architecture is documented for procurement review.

“Does this replace our records management system?”

No. The records management system stays the system of record. Ghost is the privacy operations layer beside it — for the request, the redaction, and the audit trail.

Pricing

Plans for small, mid, and large authorities.

Start free. Engage with us for procurement-specific arrangements at larger scale.

Free

Run a single subject access request end-to-end before you commit.

€0/forever

1 active case
Manual redaction (PDF, up to 5 pages/file)
10 redactions per month
1 Article 30 register entry

Solo DPO

For a single information governance lead running the programme themselves.

€49/month

Unlimited cases and redactions
AI-assisted PII detection
Article 30 register + append-only audit log
€39/mo billed annually (save 20%)

Start 30-day trial

DPO Team

For information rights teams sharing the work across service areas.

€149/month

Up to 10 seats (€10/extra seat)
Role-based access (Admin, Operator, Read-only)
Outbound webhooks for SIEM / chat / ITSM
Procurement evidence pack on request
€119/mo billed annually

Start 30-day trial

Compare every feature on the full pricing page.

FAQ

Frequently asked questions

The DSAR backlog never gets smaller on its own.

Stand up the workflow before the next batch lands. 30-day free trial — no credit card, EU-hosted.

Start Free Trial

The regulatory landscape public bodies operate in

Two regimes sit at the centre of the work. The UK GDPR (the Regulation as retained in UK law) and the Data Protection Act 2018 govern personal data, including the right of access under Art. 15, the deadlines and transparency obligations under Arts. 12–14, and the processing-records and breach-notification obligations under Arts. 30 and 33. The Freedom of Information Act 2000 (England, Wales, and Northern Ireland) and the Freedom of Information (Scotland) Act 2002 govern information held by public authorities, with a twenty-working-day response window and a separate set of exemptions and public-interest tests.

Where a public body carries out law enforcement processing — policing, prosecuting authorities, certain regulatory functions — Part 3 of the Data Protection Act 2018 applies in place of the UK GDPR for that processing, with its own rules on data-subject rights and disclosure. Statutory disclosure regimes in housing, social care, and education often run in parallel against the same files. Public-records legislation governs retention and eventual transfer to a place of deposit.

Ghost is the privacy operations layer beside these regimes, not the records management system itself and not a substitute for legal judgement on exemptions, redaction tests, or internal review outcomes. Ghost does not provide legal advice — speak to your information governance lead, monitoring officer, or counsel about how each regime applies to a specific request.

High-volume DSARs,
on time, on the record.

EU-hosted · Append-only audit log · Designed for procurement scrutiny on residency.

Every acknowledgment, every decision — already written down.

High-volume DSARs, on time, on the record.