Privacy Policy
Last updated: February 15, 2026
Privacy is why our data removal service exists. We remove personal information from the web. We guard your privacy protection in all we do. This policy is clear and simple.
You should know how we handle your data. We tell you what we gather. We tell you how we use it. We tell you how we keep it safe. Our data broker removal process respects your rights.
Our Promise to You
We help remove your data from the web. We know your info is valuable. We know what can happen when data gets out.
**Our Core Rules** We only gather what we need. We only use it for our service. We never sell your data. We lock it down tight.
These rules guide all we do. They are not just words. They are who we are.
What We Never Do
Some things we will never do.
**No Selling** We never sell your info. We don't make money from your data. You are our customer, not our product.
**No Ad Sharing** We don't share data with ad firms. We don't give info to marketers. Your details stay with us.
**No Tracking** We don't track you on other sites. We don't build ad profiles. We only focus on your privacy.
Privacy matters to us. That's why we exist. This policy tells you how we use your data. We protect your info just like we help you remove it from other sites.
1. What We Collect
1.1 Info You Give Us
To help remove your data, we collect what you share:
- Account Info: Email, name, and password (we hash it for safety)
- Scan Info: Emails, phones, addresses, and names you want us to search
- Sensitive Info (Optional): Birthday, SSN for dark web scans. SSNs are hashed right away. We never store them in plain text.
- Payment Info: Stripe handles your card. We don't store card numbers.
- Support Messages: When you email us
1.2 Info We Get Automatically
- Usage Data: Pages you visit and features you use
- Device Info: Browser, OS, and IP address
- Cookies: Session cookies, analytics cookies, and marketing pixels. See our Cookie Policy for full details.
1.3 Info from Scans
When we scan for you, we may find your data on:
- Data broker sites
- Breach databases
- Dark web
- Public records and social media
We only collect this to show you where your data is. Then we help remove it.
2. How We Use Your Info
We only use your info for:
2.1 Our Service
- Scanning sites to find your data
- Sending opt-out requests for you
- Sending CCPA/GDPR deletion requests
- Watching for new exposures
- Helping you with support
2.2 Your Account
- Setting up and running your account
- Processing your payments
- Sending you scan results and updates
- Keeping your account safe
2.3 Making Things Better
- Learning how to improve (using data with no names)
- Building new features
- Keeping the service secure
3. Legal Basis for Processing (GDPR Art. 6)
We process your data under these legal bases, as defined in GDPR Article 6:
- Contract Performance (Art. 6(1)(b)): Processing needed to provide our data removal service to you
- Consent (Art. 6(1)(a)): For optional features like marketing emails and analytics cookies. We obtain consent through clear opt-in mechanisms (e.g., checkbox on registration, cookie consent banner shown to all visitors).
- Legitimate Interest (Art. 6(1)(f)): For security monitoring, fraud prevention, and service improvement
- Legal Obligation (Art. 6(1)(c)): For tax records, legal requests, and regulatory compliance
3.1 Sensitive Data (GDPR Art. 9)
When you optionally provide sensitive data such as Social Security Numbers for dark web monitoring, we process this under:
- Explicit Consent (Art. 9(2)(a)): You explicitly opt in before providing sensitive information. SSNs are immediately hashed (SHA-256 with unique salt) and the plaintext is never stored.
- Substantial Public Interest (Art. 9(2)(g)): Processing necessary for identity theft prevention and protection of individuals against data broker exploitation
3.2 Automated Decision-Making (GDPR Art. 22)
Our service uses AI-assisted automation for scan processing, ticket routing, and removal request optimization. These automated processes assist our service delivery but do not produce legal or similarly significant effects on users. No decisions about your account status, plan features, or data access are made solely by automated means without human oversight. You may contact us at any time to request human review of any automated decision.
3.3 Data Protection Impact Assessment
We conduct Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35 for processing activities that are likely to result in a high risk to individuals, including our data scanning and removal operations involving sensitive personal data.
4. AI Usage Disclosure
We use automated systems internally to improve our service. Here is how:
- Scan Automation: AI helps identify your data across broker sites faster
- Ticket Processing: AI assists with support ticket routing and resolution
- Compliance Monitoring: AI monitors data broker compliance with removal requests
What We Never Do With AI:
- We never share your personal data with AI model training
- All AI processing uses encrypted, ephemeral sessions
- Your data is never used to train or fine-tune AI models
- AI outputs are reviewed by human staff for quality
5. Who We Share With
We never sell your data. Ever. We only share it when:
5.1 You Ask Us To
When we send removal requests, we share the minimum info needed with data brokers. This is how we remove your data for you.
5.2 Our Subprocessors
We use trusted services to run our platform. Each subprocessor is contractually bound to protect your data:
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Vercel | Hosting & CDN | All application data | US (AWS) |
| AWS (via Neon/Supabase) | Database hosting | Account & scan data (encrypted) | US |
| Stripe | Payment processing | Payment info, email | US |
| Anthropic | AI processing (ephemeral) | Anonymized service data only | US |
| Resend | Transactional email | Email address, name | US |
| LeakCheck | Breach monitoring | Hashed email/credentials | EU |
| Upstash (Redis) | Caching & rate limiting | Session tokens, rate limit counters | US |
| PostHog | Product analytics | Anonymous usage events | US/EU |
| Sentry | Error monitoring | Error logs (no PII) | US |
| Google Analytics | Web analytics | Anonymized usage data (IP anonymization enabled) | US |
| Microsoft Clarity | UX analytics (session recording, heatmaps) | Anonymized interaction data | US |
| Google Ads | Conversion tracking & remarketing | Anonymized conversion events | US |
| Meta (Facebook) | Conversion tracking (Meta Pixel) | Anonymized conversion events. Meta acts as joint controller for pixel data. | US/EU |
5.3 Legal Requests
We may share data if the law requires it. We'll tell you if we can. We push back on requests that go too far.
6. How We Keep You Safe
We use strong security to protect your data:
- Storage: AES-256-GCM authenticated encryption with unique initialization vectors per operation
- Transfer: TLS 1.3 encrypted connections (HSTS enforced)
- Passwords: Hashed with bcrypt (cost factor 12). Never stored in plain text.
- SSNs: SHA-256 hashed with unique salt. Never stored in plain text.
- Access: Staff only see what they need (least privilege). Role-based access control with full audit logging.
- Hosting: SOC 2 Type II compliant infrastructure (Vercel/AWS)
- Testing: Automated vulnerability scanning and code review on every deployment. See our Vulnerability Disclosure Policy.
- Monitoring: 24/7 security monitoring with Sentry (PII excluded)
6.1 Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours per GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify affected users without undue delay per GDPR Article 34. For California residents, we will provide notification as required by Cal. Civ. Code § 1798.82.
7. How Long We Keep Data
Here are our specific retention timelines:
| Data Type | While Active | After Cancellation |
|---|---|---|
| Account Data | Duration of account | Deleted within 30 days |
| Scan Results | 12 months rolling | Deleted within 30 days |
| Removal Records | 24 months | Anonymized after 90 days |
| Payment Records | Duration of account | 7 years (tax law requirement) |
| Server Logs | 90 days | Auto-deleted |
| Support Conversations | Duration of account | Deleted within 30 days |
Want your data gone? Delete your account. We'll remove your info within 30 days. Some data we must keep by law.
8. Your Rights
8.1 Everyone Gets These
No matter where you live, you can:
- See and download your data
- Fix wrong info
- Delete your account
- Export your data
- Stop marketing emails
8.2 California (CCPA/CPRA)
Under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100-1798.199) and the California Privacy Rights Act, California residents have these rights:
- Right to Know (§ 1798.100): Know what data we have and how we use it
- Right to Delete (§ 1798.105): Request deletion of your personal information
- Right to Opt-Out (§ 1798.120): Opt out of data sales (we don't sell anyway)
- Right to Non-Discrimination (§ 1798.125): No punishment for exercising your rights
- Right to Correct (§ 1798.106): Fix inaccurate personal information
- Right to Limit (§ 1798.121): Limit use of sensitive personal information
To exercise your CCPA rights, email privacy@ghostmydata.com. We respond within 45 days.
Authorized Agents: You may designate an authorized agent to exercise your CCPA rights on your behalf. To do so, the agent must provide a signed, written authorization from you, and we may require you to verify your identity directly with us before processing the request.
8.3 Europe (GDPR)
Under the General Data Protection Regulation, EU/EEA residents have these rights:
- Right of Access (Art. 15): Obtain a copy of your personal data
- Right to Rectification (Art. 16): Correct inaccurate data
- Right to Erasure (Art. 17): Request deletion of your data
- Right to Restrict Processing (Art. 18): Limit how we use your data
- Right to Data Portability (Art. 20): Receive your data in a portable format
- Right to Object (Art. 21): Object to processing based on legitimate interest
- Right Not to Be Subject to Automated Decisions (Art. 22): Object to decisions based solely on automated processing that significantly affect you
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time
- Right to Lodge a Complaint (Art. 77): File a complaint with your supervisory authority
We process your data to run our service, with your consent, and to keep things safe. Our Data Protection Officer can be reached at dpo@ghostmydata.com. We respond within 30 days per GDPR Article 12.
EU Representative (GDPR Art. 27):
As we are established outside the EU/EEA, we are in the process of appointing an EU Data Protection Representative pursuant to GDPR Article 27. Once appointed, their contact details will be published here. In the meantime, EU/EEA residents may contact our Data Protection Officer at dpo@ghostmydata.com for any matters relating to the processing of their personal data.
8.4 Canada (PIPEDA)
Under Canada's Personal Information Protection and Electronic Documents Act, Canadian residents have the right to:
- Access your personal information held by us
- Challenge the accuracy and completeness of your data
- Withdraw consent for data collection (subject to legal limitations)
- File a complaint with the Privacy Commissioner of Canada
9. Children's Privacy (COPPA)
Our service is for adults 18 and older. We do not knowingly collect personal information from children under 18. In compliance with the Children's Online Privacy Protection Act (COPPA):
- We do not knowingly collect data from anyone under 13
- We do not target or market to children
- If we learn we have collected data from a child, we delete it immediately
- Parents or guardians who believe their child has provided data to us should contact us at privacy@ghostmydata.com
10. Data Transfers
Your data may be transferred to and processed in the United States. We protect international transfers through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Subprocessor agreements requiring equivalent data protection
- Technical safeguards including encryption in transit and at rest
By using our service, you acknowledge that your data will be processed in the United States, where our servers and subprocessors are located.
11. Cookies & Tracking
We use cookies for the following purposes:
- Strictly Necessary: Login sessions, security tokens, CSRF protection
- Analytics: PostHog, Google Analytics (anonymized usage patterns)
- Marketing: Microsoft Clarity, conversion tracking pixels
We honor Do Not Track (DNT) and Global Privacy Control (GPC) signals from your browser. When we detect either signal, we disable non-essential analytics and marketing cookies for your session. For full details on each cookie, how to manage them, and your choices, see our Cookie Policy.
12. Policy Changes
We may update this policy. We'll post changes here with a new date. For big changes, we'll email you 30 days in advance. If you keep using our service, you agree to the new policy.
13. Contact Us
Questions? Want to use your rights? Reach out:
GhostMyData (operated by Rank127 LLC)
A Delaware limited liability company
8 The Green, Suite A, Dover, DE 19901, United States
Privacy: privacy@ghostmydata.com
DPO: dpo@ghostmydata.com
Support: support@ghostmydata.com
We reply within 30 days. For CCPA requests, we respond within 45 days as required by law.