Ghost
ResourcesPricingSecurity
Log inGet started
For law firms and in-house legal

Matter files,
disclosed precisely.

A subject access request against a matter mixes the client's data with the opposing party's, the witness's, and a privileged instruction in the same paragraph. Ghost handles the work of separating them — and records every decision against the person who made it.

EU-hosted · Append-only audit log · Built for the defensibility a regulator expects.

Start 30-day free trialTry the redaction demo
Ghost — Matter-file DSAR
Ghost privacy request workspace: case detail with identity verification, tasks, and documents
1 month
Article 12 response window
Article 23
Member-state restrictions
Privilege
DPA 2018 Sch. 2 Pt. 4 exemption
EU
Hosted infrastructure

The matter-file DSAR workflow

Intake. Separate. Disclose. Record.

A request lands against a matter file built over months or years. The work isn't retrieval — it's separating what can be disclosed from what cannot. Four steps; every decision recorded against the person who made it.

Step 01

Intake and verify

Receive the request through a branded form, verify identity before any disclosure, and start the Article 12 clock from the moment the request is identifiable.

Step 02

Assemble from the DMS

Pull correspondence, instructions, witness statements, expert reports, and administrative records into the case. The DMS remains the document store; Ghost holds the request.

Step 03

Redact and claim exemptions

Mask opposing parties, witnesses, and third-party correspondents. Mark candidate passages for privilege review and capture the rationale next to each redaction or exemption claimed.

Step 04

Deliver and evidence

Send via a signed, time-limited link. Keep an append-only audit trail of every step — exportable as evidence when the SRA, the BSB, the ICO, or counsel asks.

Privacy request manager

Built around the one-month Article 12 clock.

A branded intake form for requesters and representatives, identity verification before any disclosure, and the Article 12 deadline tracked automatically. Task assignment across fee-earners; deadlines surface on the case header.

  • Branded intake for requesters and representatives
  • Identity verification before any disclosure
  • Tasks assignable across fee-earners
  • Article 12 deadline tracked automatically
Explore privacy requests
Ghost — Privacy request manager
Ghost privacy request workspace showing intake, identity verification, tasks, and documents on a single case

Redaction with rationale

Mark, route, record.

Upload matter files, redact opposing parties and witnesses inline, mark candidate passages for privilege review, and route them for second-pair-of-eyes sign-off. The rationale lands in the audit log next to every redaction.

  • Manual redaction on every plan
  • AI-assisted detection on Solo DPO and DPO Team
  • Mark candidate passages for privilege review
  • Rationale captured next to every decision
Try the redaction demo
Ghost — Redaction
Ghost redaction workspace with detected entities ready for review on a PDF

Article 30 register and audit log

The evidence regulators and clients ask for — written down.

Records of processing across matter types, lawful basis and retention captured against each activity, processor links to counsel's chambers and e-disclosure vendors. An append-only audit log on every case. The evidence is written down as it happens.

  • Article 30 register with lawful basis per matter type
  • Processor links to counsel and e-disclosure vendors
  • Append-only timeline per case
  • Audit pack export when the SRA, BSB, or ICO asks
Inside the Compliance Hub
Ghost — Compliance Hub
Ghost Compliance Hub showing the audit-ready evidence around privacy requests and records

See it end to end

A short walk-through of the workspace.

Redaction, privacy requests, and the audit log — in about three minutes.

Ghost — Product tour

More walkthroughs and guides

What legal teams ask us first

Three questions every firm raises.

“Will Ghost touch privilege?”

Ghost doesn't decide what is privileged. It gives reviewers a workspace to mark candidate passages, route them for sign-off, and record the rationale — the privilege decision remains the qualified lawyer's.

“We have a DMS already.”

The DMS stays. Ghost is what happens when a matter file has to leave it — a DSAR, a regulatory request, a DPIA on a new system. Matter management stays where it is.

“Article 30 across our matter types is huge.”

Exactly — different lawful bases, retention by jurisdiction and professional rule, processors from chambers to e-disclosure vendors. Ghost gives it structure with a completeness score that surfaces gaps.

Pricing

Plans for firms and in-house legal.

Start free. Upgrade as matter-file DSAR volume — or your Article 30 register — grows.

Free

Run one matter-file DSAR end-to-end before you commit.

€0/forever
  • 1 active case
  • Manual redaction (PDF, up to 5 pages/file)
  • 10 redactions per month
  • 1 Article 30 register entry
Sign up free
Most popular

Solo DPO

For a sole-practitioner or in-house lead running the privacy programme themselves.

€49/month
  • Unlimited cases and redactions
  • AI-assisted PII detection
  • Article 30 register + append-only audit log
  • €39/mo billed annually (save 20%)
Start 30-day trial

DPO Team

For firms with multiple fee-earners and a privacy or compliance function.

€149/month
  • Up to 10 seats (€10/extra seat)
  • Role-based access (Admin, Operator, Read-only)
  • Outbound webhooks for SIEM / chat / ITSM
  • Matter-restricted client access scoping
  • €119/mo billed annually
Start 30-day trial

Compare every feature on the full pricing page.

DSAR redaction for legal teams

Practical guidance on redacting matter files under Article 15, with the privilege exemption and Article 23 restrictions in mind. Written for fee-earners.

Read the guide

FAQ

Frequently asked questions

Matter-file DSARs don't wait for the right week.

Stand the process up before the next request lands. 30-day free trial — no credit card, EU-hosted.

Start Free Trial
The regulatory landscape legal teams operate in

Personal data held in matter files is processed under Regulation (EU) 2016/679 (GDPR) and, in the UK, the Data Protection Act 2018. The right of access under Article 15, the deadlines under Article 12, the Article 30 register under Article 30, the breach notification duty under Article 33, and the DPIA obligation under Article 35 all apply.

What is distinct for legal teams is the interaction with legal professional privilege. Article 23 of the GDPR permits member-state law to restrict certain rights, including for the protection of judicial independence and judicial proceedings. In the UK, Schedule 2 Part 4 of the Data Protection Act 2018 sets out the legal professional privilege exemption to the right of access. The decision that material attracts privilege remains a matter for qualified lawyers within the firm.

Solicitors, barristers, and chartered legal executives are additionally regulated by the SRA, the Bar Standards Board, CILEX in England and Wales, and equivalents in other jurisdictions. Ghost is not regulated by any of these bodies and does not certify against their codes. Ghost does not provide legal advice.

Privacy compliance for regulated teams.

Built to the same data-protection standards as regulated financial software.

Product
RedactionPricingDemoResources
Guides
How to redact PDFs (GDPR)Privacy request (DSAR/SAR) response guideWhat is PII under GDPRGDPR redaction requirementsFree redaction tool
Tools & sectors
GDPR document redactionRemove PII from PDFEmployee data PDFsProcessing inventory (ROPA) templatePrivacy request (DSAR/SAR) redaction toolIrish dental practicesDental GDPR checklistHealthcare redactionHR document redactionLegal / privacy request redactionAcrobat alternative
Legal
Privacy PolicyTerms of ServiceSecurityCookie Policy
Company
AboutBook a demoHome
© 2026 Ghost. Your GDPR compliance platform.