Privacy Policy

Overview

Ghostpen (“Ghostpen,” “we,” “our,” or “us”) is an AI content casting platform that helps you transform your voice, ideas, and long-form content into platform-ready posts. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what choices you have.

By accessing or using Ghostpen, you acknowledge you have read and understood this policy. If you do not agree, please do not use our services.

Plain-language summary: We collect only what we need to run the service. We never sell your data. We never use your content to train AI models. You can request deletion of your data at any time.

Data Controller

The data controller for personal data processed through Ghostpen is Camwood Inc. (operating Ghostpen). For privacy-related enquiries, contact us at [email protected].

What We Collect

Account & Profile Data

When you register, we collect your name, email address, and password (hashed via Supabase Auth). You may optionally provide a profile photo or display name.

Content You Submit

To provide the service, we process content you upload or link to: videos, audio recordings, podcast feeds, blog URLs, transcripts, and written drafts. This content is processed by AI models to generate platform-ready outputs. Your content is never used to train any AI model, and it is not shared with third parties beyond what is needed to produce your requested output.

Platform OAuth Tokens

If you connect a social platform (e.g., X/Twitter, LinkedIn, Instagram, Notion, YouTube), we store an OAuth access token issued by that platform on your behalf. This token allows Ghostpen to publish content to that platform when you instruct us to. Tokens are encrypted at rest and can be revoked from Settings → Integrations at any time.

Usage & Analytics Data

We collect information about how you interact with Ghostpen — features used, recasts created, session duration, and error events — to improve the product and diagnose issues. This data is associated with your account internally but is not sold or shared for advertising purposes.

Billing & Payment Data

Subscription payments are processed by a third-party payment provider (currently Stripe). We do not store full card numbers. We receive and retain limited billing metadata (plan, status, last-4 of card, billing address) necessary to manage your subscription.

Technical & Device Data

We collect standard server logs, including IP address, browser type, operating system, referring URL, and timestamps. These are used for security monitoring and service operation and are retained for up to 90 days.

No Health Information: Ghostpen is not designed or intended to process Personal Health Information (PHI) as defined under HIPAA, PHIPA, or equivalent health privacy legislation. Do not submit sensitive health or medical information through the Service. Ghostpen accepts no liability for health information inadvertently submitted by users.

How We Use Your Information

To provide the service: processing your content, generating outputs, scheduling and publishing posts on connected platforms.
To manage your account: authentication, billing, plan enforcement, and customer support.
To improve the product: aggregated and anonymised usage analytics inform feature development.
To ensure security: fraud detection, abuse prevention, and infrastructure monitoring.
To communicate with you: transactional emails (account activity, billing receipts, security alerts). We do not send marketing emails without your opt-in consent.
To comply with law: responding to valid legal requests, enforcing our Terms of Service, and meeting regulatory obligations.

Legal Bases for Processing

Where applicable under the GDPR or UK GDPR, we process personal data on the following legal bases:

Contract performance: processing necessary to provide the service you subscribed to.
Legitimate interests: security monitoring, fraud prevention, product analytics, and service improvement, where these interests do not override your rights.
Legal obligation: complying with applicable laws and responding to lawful requests.
Consent: where we rely on consent (e.g., optional marketing communications), you may withdraw it at any time.

For Canadian users, Ghostpen processes personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. You have the right to access, correct, and request deletion of your personal information, and to withdraw consent for non-essential processing where legally permitted. To exercise these rights, contact [email protected].

Your Rights

All users

You may access, export, or delete your account data at any time from Settings → Profile. You may revoke connected platform tokens from Settings → Integrations.

EU / UK users (GDPR & UK GDPR)

You have the right to: access, rectify, or erase your personal data; restrict or object to processing; and receive your data in a portable format. You also have the right to lodge a complaint with your local supervisory authority.

California users (CCPA / CPRA)

California residents may request disclosure of the categories of personal information collected, request deletion, and opt out of sale (we do not sell personal information). We do not discriminate against users who exercise privacy rights.

To exercise any of these rights, contact [email protected]. We will respond within 30 days.

Data Retention

We retain account data for the duration of your account and for up to 90 days following deletion to allow for recovery. Billing records are retained for 7 years as required by financial regulations. Server logs are retained for 90 days. Content you submit for processing is retained on our systems for no longer than 30 days after your last use of the service, after which it is permanently deleted.

International Transfers

Ghostpen operates globally. Your data may be processed in the United States and other countries where our service providers operate. Where data is transferred from the EEA or UK to countries without an adequacy decision, we rely on Standard Contractual Clauses or equivalent safeguards.

Security Measures

We implement industry-standard technical and organisational measures to protect your personal data, including:

Encryption in transit (TLS 1.2+) and encryption at rest for all stored personal data.
Access controls that restrict data access to authorised personnel only.
OAuth tokens and API keys stored encrypted and never logged in plaintext.
Regular security patching and dependency updates.

No system is entirely free from risk. In the event of a personal data breach that is likely to result in risk to your rights or freedoms, we will notify affected users and report to applicable supervisory authorities within the timeframes required by applicable law (including within 72 hours under the GDPR where applicable).

Children’s Privacy

Ghostpen is not directed to children under the age of 13 (or 16 where required by applicable law). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately at [email protected] and we will take steps to delete it.

Cookies & Tracking Technologies

We use strictly necessary session cookies for authentication (maintained by Supabase Auth). We may use analytics tracking to understand aggregate usage patterns. We do not serve third-party advertising cookies. You can configure cookie preferences in your browser at any time; note that disabling authentication cookies will prevent you from logging in.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a notice within the application. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the service after changes take effect constitutes acceptance of the revised policy.

Contact Us

Privacy questions, data requests, and complaints should be directed to:

Camwood Inc.

Privacy Team

[email protected]