Ghost
ResourcesPricingSecurity
Get started
HomePrivacy Policy

On this page

  • Overview
  • Document processing
  • Privacy Request Manager data
  • Article 30 Register data
  • Compliance Hub data
  • Client and matter data
  • Webhook integrations
  • Data we collect
  • How we use your data
  • Data retention
  • Sub-processors
  • Your rights
  • Contact

Privacy Policy

How Ghost collects, uses, and protects your information.

Last updated April 2026

1. Overview

Ghost ("we", "our", "us") is a privacy compliance platform providing document redaction, a Article 30 Register (ROPA), a Privacy Request Manager (DSAR Manager), and a Compliance Hub (incident register, DPIAs, third-party register, legitimate interest assessments, retention schedules, consent records, training records, and policy management). We are committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights.

2. Document processing

Manual redaction runs in your browser. Optional AI-assisted detection on Pro and Team uses encrypted upload and isolated processing. Final redacted exports are rendered and downloaded in your browser.

In more detail:

  • Manual redaction (including Free): You draw redaction boxes yourself. No automated PII detection runs and no document content is sent through our detection pipeline. Export renders in your browser.
  • Optional AI-assisted detection (Pro and Team, when enabled for your organisation): Documents are encrypted before upload and processed in isolated workers for AI-powered PII detection. Encrypted uploads may be stored to support processing, save/resume, and linked workflows. Worker-side processing content is deleted when that step completes. Final redacted exports are rendered and downloaded in your browser.

We do not retain unmasked PII text or OCR output from the detection pipeline. If you use optional AI-assisted detection, encrypted document bytes may be stored to support processing, save/resume, and linked workflows. Redaction session metadata (file name, page count, detection counts, and masked PII previews) may also be stored. Finished redacted exports from the redaction tool are not stored unless you add them to another workflow, such as a privacy request response pack.

3. Privacy Request Manager data

When you use the Privacy Request Manager, we store case metadata necessary to operate the service:

  • Case records: Requester name, email, request type, status, deadlines, and timestamps.
  • Tasks and audit logs: Task assignments, status changes, actor email addresses, and an append-only timestamped audit log of every action per case.
  • Identity verification documents: If an individual uploads identity documents for verification, these are stored in encrypted storage and retained only for the duration of the case.
  • Response packs: Redacted response packs uploaded by your team (including multi-file packs linked to redaction sessions) are stored in encrypted storage (S3) with time-limited signed URLs for secure download. Only already-redacted files are stored — never originals.
  • Intake form submissions: Information submitted by individuals through your public intake form.
  • Correspondence: Records of correspondence with individuals during the privacy request lifecycle.

4. Article 30 Register data

Records of Processing Activities you create are stored in our encrypted EU database. This includes processing activity descriptions, legal bases, data categories, recipients, retention periods, and any other fields you enter. Processing inventory data is accessible only to members of your organisation.

5. Compliance Hub data

The Compliance Hub includes several modules, each storing data in our encrypted EU database. This data is scoped to your organisation and subject to the same access controls as other platform data.

  • Incident register: Incident narratives, severity classifications, Article 33/34 notification drafts, DPC deadlines, optional links to privacy request cases, and an append-only event log per incident.
  • Impact assessments (DPIAs): Assessment records, identified risks, mitigations, links to Article 30 register activities, approval status, and event history.
  • Third-party / processor register: Third-party details, agreement status, and contact information.
  • Legitimate Interest Assessments (LIAs): Assessment records and balancing test outcomes.
  • Retention schedules: Data category retention periods and review dates.
  • Consent records: Records of consent and withdrawal events.
  • Training records: Staff privacy training completion records.
  • Policy documents: Privacy policies and notices you manage within Ghost.
  • Compliance pack exports: When you generate an org-wide compliance ZIP, we store a time-limited download token. The export is automatically purged after expiry.

6. Client and matter data

If your organisation manages multiple clients or matters, we store client records including name, industry, company size, and optional regulatory profile fields (supervisory authority details and breach export boilerplate). When client-level access control is enabled, we store membership records linking team members to specific clients.

7. Webhook integrations

On the Team plan, your organisation can configure outbound webhook integrations (Slack, Microsoft Teams, or custom HTTPS endpoints). We store the integration configuration, event subscription categories, and a delivery log (event type, timestamp, HTTP status) to support retry and debugging. Webhook endpoint URLs are stored as vault-backed secrets. When a webhook fires, event payloads containing case or breach metadata are sent to your chosen third-party endpoint — you are responsible for the data handling practices of those destinations.

8. Data we collect

  • Account: Email address for authentication (magic link login).
  • Organisation: Organisation name, team member emails, and role assignments (Admin, Operator, Read-only).
  • Signup: Email and firm size when you create your account.
  • Usage: Anonymised counts (e.g. documents processed per month) and IP + fingerprint hash for quota enforcement. No document content.
  • Product analytics: We use cookieless product analytics hosted on EU infrastructure to understand how the app is used and to improve it. No cookies or local storage are written for analytics — session state is held in memory only and does not persist across page refreshes. This includes page views, navigation, automatic interaction metadata (for example clicks and form interactions, with element text masked), heatmap and usability signals, product events you trigger, and core web vitals. On public marketing pages only (such as our landing page, pricing, and resource guides), we may use session replay to observe navigation flow; all visible text is masked and all images and videos are replaced with blank placeholders before the recording leaves your browser. Session replay is never active inside the authenticated application. This processing is not used for advertising.
  • Redaction sessions: File name, file hash, page count, detection summary counts, masked PII previews, and redaction box coordinates.
  • Cloud-assisted redaction uploads: Encrypted document bytes referenced by storage path for processing, save/resume, and linked workflows.
  • Privacy request case data: As described in section 3 above.
  • Processing inventory data: As described in section 4 above.
  • Compliance Hub data: As described in section 5 above.
  • Client and matter data: As described in section 6 above.
  • Webhook configuration and delivery logs: As described in section 7 above.
  • Audit logs: Org-level audit trail recording team changes, webhook events, sharing actions, and other administrative operations, with actor email and timestamps.
  • Notification preferences: Your email notification settings for privacy request deadlines, case updates, breach alerts, and system notifications.

9. How we use your data

We use your data to operate the service (authentication, quota enforcement, privacy request case management, deadline tracking, breach DPC reminders, compliance pack generation, email notifications, webhook delivery, and support), improve the product, and communicate with you. We do not sell your data or use it for advertising.

10. Data retention

  • Cloud-assisted redaction uploads (Pro/Team): Encrypted document bytes may be stored while a session remains active to support processing, save/resume, and linked workflows. Worker-side processing content is deleted when AI detection completes. Uploaded encrypted files are removed by session deletion and retention cleanup flows.
  • Redaction session metadata: Retained while your account is active. You can delete individual sessions at any time. Automated retention purges run periodically.
  • Privacy request cases: Retained according to your organisation's configured retention period. Automated retention crons purge expired case data, including identity documents and response packs.
  • Processing inventory data: Retained while your account is active. You can delete activities at any time.
  • Compliance Hub data: Incident records, DPIAs, third-party entries, LIAs, retention schedules, consent records, training records, and policy documents are retained while your account is active. Compliance pack exports are automatically purged after their download token expires.
  • Account data: Retained while your account is active. Deleted upon account deletion request.

11. Sub-processors

We use a limited number of sub-processors to operate the service, covering authentication, database hosting, AI detection workers, encrypted file storage, payment processing, transactional email, error monitoring, and application hosting. All sub-processors are selected for their security posture and, where applicable, EU data residency. A current list of sub-processors is available on request by contacting us at the email below.

12. Your rights

You may request access, correction, or deletion of your data. Contact us at the email below. EU and UK residents have additional rights under GDPR, including the right to data portability, the right to restrict processing, and the right to lodge a complaint with a supervisory authority.

13. Contact

For privacy inquiries: privacy@ghostredact.app

© 2026 Ghost. All rights reserved.
ResourcesPrivacyTermsSecurity