Legal
Privacy Policy
How we handle data across Ghost Works products and services. Plain English, no boilerplate.
Last updated: April 29, 2026
This Privacy Policy describes how Ghost Works Co., LLC (“Ghost Works,” “we,” “us”) handles information across our products and services, including Ghosty, our internal websites, and any other software we publish. By using a Ghost Works product, you agree to the practices described here.
What we collect
We collect the minimum data required to operate the product and debug issues. In practice, that means:
- Account information you provide when you sign up – typically an email address and the basics required for authentication.
- Content you send through the product – messages, files, prompts, integration data – as needed to fulfill the action you asked us to take.
- Basic usage data for debugging – request logs, error traces, timestamps, the kind of operational telemetry needed to keep the lights on and fix bugs.
We do not run advertising trackers, behavioral profiling, or third-party analytics that exist primarily to monetize your attention.
Where data lives
Ghost Works infrastructure runs on Supabase (databases, authentication, storage) and Vercel (web hosting and serverless compute). Both are reputable US-based vendors with industry-standard security practices.
Third parties
To deliver useful functionality, our products send data to third-party services on your behalf. The current list:
- Anthropic– for Claude-based AI features
- OpenAI– for AI features that use OpenAI models
- Google– for Workspace integrations (Gmail, Calendar, Drive, Docs) when you connect a Google account
- Slack– for Slack integrations when you connect a Slack workspace
Each of these vendors has its own privacy policy. We send them only what's needed to fulfill your request, and we do not authorize them to use your data for purposes beyond serving you.
We don't train on your data
Ghost Works does not use your content, messages, or integration data to train, fine-tune, or otherwise improve AI models – ours or anyone else's. Where we use third-party AI APIs, we use them in modes that, per those vendors' published policies, do not retain your inputs for training.
Data isolation
At present, Ghost Works products operate with shared operational data across users. Operational logs, debug traces, and system memory may be pooled across the user base. We do not share your account-specific content publicly or with other users, but you should treat anything you send through the product as visible to Ghost Works operators for support and debugging purposes.
Retention and deletion
We retain data only as long as needed to operate the product, or as required by law. If you want your account and associated data deleted, email legal@ghost.haus and we'll process the deletion within a reasonable window, subject to any legal hold or backup-retention obligations we're bound by.
Some operational logs (e.g. third-party vendor logs, system audit trails) may persist beyond account deletion as part of normal infrastructure operation.
Your rights
Regardless of where you're based, you can:
- Request access to the data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and content
- Withdraw consent for any optional integration at any time
If you're a resident of the European Economic Area, the United Kingdom, or another jurisdiction with data protection laws (e.g. GDPR, UK GDPR), you have additional rights including data portability and the right to lodge a complaint with your local supervisory authority. Exercise any of these rights by emailing legal@ghost.haus.
International data transfers
Ghost Works is a US company with operations in Southeast Asia. Our infrastructure providers are predominantly US-based. By using our products, you understand that your data may be processed in the United States and other jurisdictions where we or our service providers operate. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.
Children
Ghost Works products are intended for adult users. We do not knowingly collect personal information from anyone under the age of 18. If you believe a child has provided us with information, contact us at legal@ghost.haus and we will delete it promptly.
Security
We use industry-standard security practices including encryption in transit (TLS), encryption at rest where supported by our infrastructure providers, and least-privilege access controls. No system is perfectly secure; if we discover a breach affecting your data, we will notify you in line with applicable law.
Changes to this policy
We may update this policy as our products evolve. Material changes will be reflected in the “Last updated” date at the top of the page, and where appropriate we will notify active users by email or in-product notice. Your continued use of Ghost Works products after a change constitutes acceptance of the revised policy.