Privacy Policy

Effective: 1 June 2026 | Version: 1.0 | Controller: Ghostables Ltd

01 Who we are

This policy explains how Ghostables Ltd ("Ghostables", "we", "us") collects, uses, and protects personal data. Ghostables Ltd is a company registered in England & Wales and acts as the data controller for the personal data described in this policy.

If you have any questions about this policy or how we handle personal data, contact us at hello@ghostables.io.

02 Personal data we collect

The data we collect depends on how you interact with us. We have organised it by context below.

Website visitors

When you visit ghostables.io or any of our sub-domains, our hosting layer logs minimal request metadata for the purposes of operating the service: IP address, user-agent string, requested URL, response status, and timestamp. We do not run analytics scripts or behavioural tracking on the public marketing surface.

Customers

When you purchase a Ghostables licence or subscription, we collect the data needed to issue, deliver, and support that licence:

  • Name and email address
  • Billing address and VAT number where applicable
  • Payment method metadata (handled by Stripe — we do not see or store card numbers)
  • The Stripe customer ID and subscription ID associated with your account
  • Sites you have activated your licence on (domain name, plugin version, last check-in time)
  • Support correspondence you send us

Partner Portal users

If you have been invited to the partner portal at /partner/login, we additionally process your role, the date you accepted the non-disclosure agreement, and the IP address from which you signed. The NDA-signing record is retained as a legal record for the duration of the agreement plus six years.

Plugin installations (telemetry)

When you install a Ghostables plugin on a site, the plugin periodically checks in with our licence server. The check-in includes only operational metadata: licence key, plugin version, site URL, and a heartbeat timestamp. We do not receive any of your customer data, member data, form submissions, or audit-log contents. Personal data your plugin encrypts stays inside your database; we have no key material that could decrypt it.

What we never collect. We do not collect plaintext customer data from your site. We do not collect the contents of audit logs. We do not collect cryptographic keys. The architecture is designed so that even if our servers were compromised, no protected customer data could be derived from what we hold.

03 How we use personal data

We use the personal data described above for the following purposes:

  • To issue, renew, and revoke licences and subscriptions
  • To process payments and produce VAT invoices
  • To deliver licence keys, plugin updates, and operational notifications
  • To verify that plugin installations are operating against current licences
  • To provide customer support when you contact us
  • To detect and respond to security incidents affecting our own systems
  • To comply with our legal and regulatory obligations
  • To improve our products and our standard

We do not use personal data for advertising, profiling, or automated decision-making with significant effect on you.

05 Third parties we share data with

We use a small number of carefully chosen providers to operate the service. They process personal data only on our instructions and under written data-processing agreements.

Provider | Purpose | Data shared
Stripe Payments UK Ltd | Payment processing, billing portal | Name, email, billing address, payment method
Resend | Transactional email delivery (licence keys, receipts) | Name, email, message content
Cloudflare Inc. | CDN, DDoS protection, R2 object storage | IP address, requested URL, encrypted file blobs
Hetzner Online GmbH | Server hosting for ghostables.io | All server-side processing

We do not sell, rent, or otherwise share personal data with anyone for marketing or advertising purposes.

If we are required to disclose personal data by law (for example in response to a valid court order or regulatory request), we will do so. Where legally permitted, we will inform you before complying.

06 How long we keep data

We keep personal data only for as long as we need it for the purposes set out in this policy, or for as long as we are required to by law. Our standard retention periods are:

Category | Retention
Active customer account (licence + contact) | For the duration of the active subscription
Cancelled / lapsed customer account | 2 years after subscription ends
Invoices and tax records | 6 years (UK HMRC requirement)
NDA signatures and partner-portal access records | Duration of NDA + 6 years
Support correspondence | 3 years from last interaction
Server access logs | 90 days
Plugin licence-check telemetry | 13 months
Marketing-list subscription | Until you unsubscribe

Once a retention period ends, we delete or anonymise the data so it can no longer identify you.

07 Your rights under UK GDPR

You have the following rights in relation to personal data we hold about you:

  • Right of access. You can ask for a copy of the personal data we hold about you.
  • Right to rectification. You can ask us to correct data that is inaccurate or incomplete.
  • Right to erasure. You can ask us to delete your personal data, subject to our legal obligations (we cannot delete invoices we are required to keep).
  • Right to restrict processing. You can ask us to limit how we use your data in certain circumstances.
  • Right to data portability. Where you provided data to us under a contract, you can ask for a copy in a structured, machine-readable format.
  • Right to object. You can object to our processing on the basis of legitimate interests, including for direct marketing (we will stop immediately).
  • Right to withdraw consent. Where we rely on your consent, you can withdraw it at any time.
  • Right to complain. You can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.

To exercise any of these rights, email hello@ghostables.io. We will respond within 30 days. We may need to verify your identity before disclosing personal data, particularly for access requests.

08 International transfers

Some of our processors operate in or transfer data to countries outside the UK. Where they do, we rely on the appropriate UK-GDPR transfer mechanisms — the UK adequacy regulations, the International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK addendum — to ensure your data receives equivalent protection.

Specifically:

  • Stripe operates a UK entity (Stripe Payments UK Ltd) for UK customers, with onward transfers to its US infrastructure under SCCs
  • Cloudflare operates UK data centres and uses SCCs for any US transfers
  • Resend transfers to US servers under SCCs

09 How we protect your data

We treat security as a product, not an afterthought — it is our entire business. Specifically:

  • All connections to our services are TLS-encrypted (TLS 1.2 or higher)
  • Customer passwords are hashed using modern key-derivation functions, never stored in the clear
  • Payment card data never touches our servers; it is collected and stored by Stripe
  • Internal access to customer data is role-restricted and audit-logged
  • Server and application logs are retained for 90 days and monitored for anomalies
  • We run the same standard against our own infrastructure that we publish for partners

No system is invulnerable. If we become aware of a personal-data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and inform affected individuals where required.

10 Cookies

We use a small number of strictly-necessary cookies (for example to keep you signed in to the partner portal). We do not use marketing, advertising, or behavioural-tracking cookies. Our cookie practice is described in full in our Cookie Policy.

11 Changes to this policy

We may update this policy from time to time. When we do, we will revise the "Effective" date at the top of the page. If we make a material change that affects you (for example a new category of data we collect, or a new third-party processor), we will notify customers by email before the change takes effect.

You can view the change history of this policy on our public repository or by contacting us.

12 Contact us

For any privacy-related question, request, or complaint:

  • Email: hello@ghostables.io
  • Postal address: available on request to verified customers and partners

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.