Privacy Policy

Last updated: 4 May 2026

1. Who We Are

GhostlyX is a product of Varsuite Media Group Ltd, a company registered in England and Wales (the “Company”, “we”, “us”, or “our”). We act as the data controller for personal data you provide when creating an account or using the Service. For personal data collected about your website visitors via the tracking script, you are the data controller and we act as your data processor.

This Privacy Policy explains how we collect, use, store, and share information when you use the GhostlyX website and analytics service (“Service”). It applies to visitors of ghostlyx.com and to users who have created an account.

Privacy is not an afterthought at GhostlyX: it is the foundation the product is built on. We collect the minimum data necessary to operate the Service, we never sell your data, and we never use it for advertising.

For questions about this policy, contact us at privacy@ghostlyx.com.

2. Data We Collect

We collect only what is necessary to deliver and improve the Service. Below is a full account of every category of data we collect and why.

2.1 Account Data

When you register, we collect your name, email address, and a hashed password. We never store your password in plain text. If you sign in via Google or GitHub (OAuth), we receive your name, email address, and a provider-issued user identifier in place of a password. We use this data solely to authenticate you and to communicate with you about your account.

2.2 Analytics Data (Cookieless)

GhostlyX is built on a cookieless, privacy-first architecture. When the tracking script is loaded on your website, we record:

  • Page URL and pathname
  • Referrer URL (domain only: we strip the full path and any query parameters)
  • UTM campaign parameters
  • Browser name and version
  • Operating system name
  • Device type (desktop, mobile, or tablet)
  • Approximate country, region, and city (derived from IP address using a local database; the IP address itself is never stored and no data is sent to third parties for geolocation)
  • Active time on page in seconds (measured via the Page Visibility API; the timer pauses when the tab is hidden, so only genuine engagement time is captured)

We do not store raw IP addresses at any point. Visitor uniqueness is determined using a daily-rotating, one-way cryptographic hash of the IP address, user-agent string, and site identifier. This hash expires every 24 hours and cannot be reversed to identify an individual. No cookies are set on your visitors’ browsers. We do not build profiles of individual visitors across sessions or across sites.

2.3 Session Data

When you are signed in to the GhostlyX dashboard, your authenticated session is stored in our database. The session record includes your IP address and user-agent string for security purposes only (specifically, to detect session hijacking). Sessions are automatically pruned on a rolling basis. This data is never shared with third parties and is used solely to protect your account.

2.4 Payment Data

Payments are processed directly by Stripe. We never see, handle, or store your card number, bank details, or any other payment instrument data. We receive and store only your Stripe customer ID, subscription status, and invoice history, which is necessary to manage your account and provide billing support.

2.5 Support Tickets & Contact Form

When you contact us via the support system or contact form, we collect your name, email address, and the content of your message. This data is used solely to respond to your enquiry and maintain a record of our communications. Support ticket content may be processed by our AI provider to generate an initial response draft, as described in section 2.8. Contact submissions and support tickets are automatically deleted after 12 months. You may request earlier deletion by emailing privacy@ghostlyx.com.

2.6 Email Communication Logs

We maintain an internal log of transactional emails sent from the Service (such as welcome emails, billing notifications, and support replies). These logs contain only the recipient email address and subject line: not the body of the email. Logs are automatically and permanently deleted after 90 days. We do not use these logs for marketing profiling.

2.7 Technical & Log Data

Our servers log standard HTTP request metadata (timestamp, HTTP status code, and response size) for operational monitoring and security purposes. We do not log request bodies or personally identifiable information in these logs. All server logs are automatically deleted after a maximum of 30 days.

2.8 AI Feature Processing

Certain features of the Service use artificial intelligence to generate insights, analysis, and support responses. To provide these features, aggregated and contextual data from your account is transmitted to our AI provider, Anthropic. Specifically:

  • For analytics insights and AI Analyst features: anonymised, aggregated analytics summaries (such as traffic trends and top pages) are sent. No raw visitor data, IP addresses, or personal data about your website visitors is included.
  • For AI-assisted support: the content of your support interaction is sent to generate a response draft. Only the content you have actively submitted is included.

We do not permit Anthropic to use any data processed on our behalf to train, fine-tune, or improve their AI models. AI-generated outputs are stored within your account and are deleted when your account is closed. You may request deletion of specific AI-generated content at any time by contacting privacy@ghostlyx.com.

2.9 Imported Historical Data

Scale plan subscribers may upload CSV files containing historical analytics data exported from third-party platforms (such as Google Analytics, Plausible, Fathom, Matomo, or Simple Analytics), or a generic CSV file. When you use the Data Import feature:

  • The uploaded CSV file is temporarily stored on our servers for the duration of the import job and then permanently deleted.
  • We apply automated privacy sanitisation before any imported data is written to your dashboard. This includes stripping query parameters that may contain personal data from page paths, removing query strings from referrer URLs, and filtering known PII-carrying parameters.
  • Imported pageview records are stored under your account with the same retention rules that apply to all analytics data (see section 6).

Your responsibility. You are solely responsible for ensuring that any file you upload does not contain personal data that should not be processed by GhostlyX. Our sanitisation is a technical safeguard, not a guarantee. You must review your export files before uploading and ensure they comply with the privacy expectations of your website visitors and any applicable data protection law. See our Terms of Service, section 10, for the full scope of your obligations.

3. How We Use Your Data

We use the data we collect only for the following purposes. We do not use your data for advertising, profiling, or any purpose unrelated to operating and improving the Service.

  • Providing the Service: processing analytics data, displaying your dashboard, managing your account and subscription.
  • Authentication & security: verifying your identity when you sign in, detecting and preventing unauthorised access, and protecting against fraud and abuse.
  • Billing & payments: managing your subscription, processing renewals, issuing invoices, and handling payment failures.
  • Customer support: responding to your enquiries and resolving issues with your account or the Service.
  • Service communications: sending transactional emails such as account confirmations, billing receipts, and security alerts. These are not optional, as they are necessary to operate your account.
  • AI-powered features: generating analytics insights and support responses using the data described in section 2.8.
  • Service improvement: understanding how the Service is used in aggregate to fix bugs, improve performance, and develop new features. This is done using aggregated, non-identifiable data only.
  • Legal compliance: retaining records required by law (such as tax and billing records) and responding to lawful requests from authorities.
  • Marketing communications: only where you have given explicit consent. See section 11 for how to opt out.

4. Legal Basis for Processing (GDPR / UK GDPR)

We process personal data on the following legal grounds, matched to the purposes described in section 3:

  • Contract (Article 6(1)(b)): processing necessary to deliver the Service you signed up for, including authentication, analytics processing, billing, and account management.
  • Legitimate interests (Article 6(1)(f)): we have a legitimate interest in keeping the Service secure, preventing fraud and abuse, improving the Service using aggregated data, and communicating with users about issues that affect their accounts. We have assessed that these interests are not overridden by your rights, given the minimal and non-intrusive nature of the data involved and the controls we provide.
  • Legal obligation (Article 6(1)(c)): retaining billing and tax records as required by applicable law.
  • Consent (Article 6(1)(a)): marketing emails, where you have explicitly opted in. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Because the analytics data collected by GhostlyX does not constitute personal data under GDPR (no cookies, no persistent identifiers, no raw IP storage, no cross-site tracking), no consent banner is required for your website visitors when you use GhostlyX on your own site. This is one of the core privacy benefits of the GhostlyX architecture.

5. Data Sharing & Sub-processors

We do not sell your data. We do not share your data with advertisers. We do not share your data with data brokers. We share data only with third-party sub-processors that are strictly necessary to deliver the Service, each of which is bound by a data processing agreement.

A full list of sub-processors, including their location and the specific purpose for which data is shared, is available at:

ghostlyx.com/sub-processors

Where required by law, or to protect the rights, property, or safety of the Company or others, we may disclose information to law enforcement or regulatory authorities. We will notify you of any such disclosure where we are legally permitted to do so.

6. Data Retention

We retain data only for as long as necessary for the purpose it was collected, or as required by law. The table below sets out our retention periods for each category of data.

Data type: retention period

  • Analytics data (pageviews, events): 12–60 months depending on subscription plan, then permanently deleted
  • Account data (name, email): until account deletion, then permanently removed within 30 days
  • Session data (IP address, user-agent): pruned automatically on a rolling basis
  • Support tickets & contact submissions: 12 months from submission, then auto-deleted
  • AI-generated outputs: until account deletion, or earlier on request
  • Email communication logs: 90 days, then auto-deleted
  • Server / HTTP logs: 30 days maximum, then auto-deleted
  • Uploaded import CSV files: deleted immediately after the import job completes
  • Billing & tax records: 7 years, as required by UK tax law

When data reaches the end of its retention period it is permanently and irreversibly deleted. We do not archive data “just in case”.

7. Your Rights (GDPR / UK GDPR)

If you are in the UK or EEA, you have the following rights over your personal data. We take these rights seriously and will never make exercising them unnecessarily difficult.

  • Right of access: receive a copy of the personal data we hold about you, free of charge, within 30 days.
  • Right to rectification: request correction of any inaccurate or incomplete personal data.
  • Right to erasure: request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations such as billing records.
  • Right to restriction: request that we restrict processing of your data in certain circumstances, for example while a dispute about accuracy is resolved.
  • Right to object: object to processing carried out on the basis of legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to data portability: receive your data in a structured, machine-readable format. You can exercise this right directly from Account Settings → Export data at any time, without needing to contact us.
  • Right to withdraw consent: where processing is based on consent (such as marketing emails), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of prior processing.

To exercise any of these rights, email privacy@ghostlyx.com. We will acknowledge your request within 5 working days and respond in full within 30 days. We will never charge a fee for a legitimate request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at any time.

8. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following additional rights:

  • Right to know: the categories and specific pieces of personal information we collect, the purposes for which we use it, and the categories of third parties with whom we share it.
  • Right to delete: request deletion of your personal information, subject to certain legal exceptions.
  • Right to correct: request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: we do not sell or share personal information for cross-context behavioural advertising and have never done so.
  • Right to limit use of sensitive personal information: we do not use sensitive personal information for any purpose beyond providing the Service.
  • Right to non-discrimination: we will never discriminate against you for exercising any CCPA right. Exercising your rights will not affect your access to the Service or the price you pay.

To exercise your CCPA rights, email privacy@ghostlyx.com with the subject line “California Privacy Request”. We will respond within 45 days. You may also use an authorised agent to submit requests on your behalf, provided the agent can verify their authority.

Do Not Sell or Share My Personal Information: GhostlyX does not sell or share personal information. Our tracking script automatically honours the Global Privacy Control (GPC) browser signal and the Do Not Track (DNT) header. When either signal is detected, no analytics data is collected for that visitor.

9. Data Storage & International Transfers

All personal data processed by GhostlyX is stored on servers located in London, United Kingdom. We do not transfer your personal data outside the United Kingdom or European Economic Area except where necessary to engage the sub-processors listed at ghostlyx.com/sub-processors.

Where a sub-processor is located outside the UK or EEA (for example, for payment processing, security, or AI features), we ensure an appropriate transfer safeguard is in place, such as the UK International Data Transfer Agreement (IDTA), Standard Contractual Clauses (SCCs), or a UK adequacy decision. You may request details of the specific transfer safeguard applicable to any sub-processor by contacting privacy@ghostlyx.com.

10. Analytics Opt-Out for Website Visitors

Visitors to websites that use GhostlyX analytics can opt out of data collection at any time. The tracking script automatically and unconditionally respects the Global Privacy Control (GPC) and Do Not Track (DNT) browser signals; no configuration by the site owner is required.

Visitors can also opt out explicitly by visiting:

ghostlyx.com/gx-opt-out

This stores a preference in the visitor’s browser local storage. No data is collected after opting out. The opt-out can be reversed at any time by visiting the same page. We do not use dark patterns or make opting out more difficult than opting in.
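The visitor-side decisions described in this section and in section 2.2 (honour GPC and DNT, honour the local-storage opt-out, send the referrer as a domain only, keep only UTM parameters from the page URL), as an added example. This is not GhostlyX's tracking script: the local-storage key `gx_opt_out`, the event field names and the `/api/event` endpoint are assumptions. The logic is written as pure functions over navigator-like and Storage-like objects so that it can be exercised outside a browser; the guarded block at the end is the browser entry point.

```javascript
// Added example of the pre-send checks a cookieless tracker performs.
// Assumed: opt-out stored under "gx_opt_out", endpoint "/api/event".
const OPT_OUT_KEY = "gx_opt_out";

// True only when no opt-out signal is present. GPC is exposed as a boolean on
// navigator; DNT is the string "1" (some older browsers reported "yes").
function shouldTrack(nav, storage) {
  if (nav.globalPrivacyControl === true) return false;
  if (nav.doNotTrack === "1" || nav.doNotTrack === "yes") return false;
  if (storage.getItem(OPT_OUT_KEY) === "1") return false;
  return true;
}

// Domain only: hostname drops scheme, port, path, query string and fragment.
// An empty or unparsable referrer (direct traffic) yields "".
function referrerDomain(referrer) {
  if (!referrer) return "";
  try {
    return new URL(referrer).hostname;
  } catch (e) {
    return "";
  }
}

// Keep only utm_* keys; every other query parameter (email=, token=, ...)
// is dropped before anything leaves the browser.
function utmParams(pageUrl) {
  const out = {};
  for (const [key, value] of new URL(pageUrl).searchParams) {
    if (/^utm_[a-z]+$/.test(key)) out[key] = value;
  }
  return out;
}

// Returns the pageview payload, or null when the visitor must not be tracked.
function buildPageview(pageUrl, referrer, nav, storage) {
  if (!shouldTrack(nav, storage)) return null;
  const u = new URL(pageUrl);
  return {
    host: u.hostname,
    path: u.pathname, // query string and fragment deliberately omitted
    referrer: referrerDomain(referrer),
    utm: utmParams(pageUrl),
  };
}

// Browser entry point; guarded so the same file also loads under Node.
if (typeof window !== "undefined" && typeof navigator !== "undefined") {
  const ev = buildPageview(location.href, document.referrer, navigator, localStorage);
  if (ev) navigator.sendBeacon("/api/event", JSON.stringify(ev));
}
```

The ordering matters: the opt-out checks run before any URL parsing, so an opted-out visitor's page URL and referrer are never even examined, which is the property the paragraph above promises ("No data is collected after opting out").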

11. Marketing Communications

We will only send you marketing or promotional emails if you have explicitly opted in to receive them. We do not add you to marketing lists by default when you create an account.

You can opt out of marketing emails at any time by:

Opting out of marketing emails does not affect transactional emails (such as billing receipts, security alerts, or account notifications), which are necessary to operate your account.

12. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you, as described in GDPR Article 22. The AI-powered features within GhostlyX analyse your analytics data and generate insights or support responses for your review. They do not make autonomous decisions about you as an individual, determine your access to the Service, affect your subscription, or produce any other decision with a legal or significant effect on you.

All AI-generated outputs are presented as information for you to act on as you see fit. A human is always in the loop.

13. Cookies

The GhostlyX application uses only session cookies that are strictly necessary for authentication. We do not use advertising cookies, tracking cookies, or any cookies that follow you across other websites. Our CDN and security provider, Cloudflare, sets two short-lived security cookies (__cf_bm and cf_clearance) required to protect the site from automated bot traffic. These are classified as strictly necessary under GDPR and PECR and contain no personal data. See our Cookie Policy for full details.

14. Children’s Privacy

The Service is not directed at, and is not intended for use by, children under the age of 16. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at privacy@ghostlyx.com and we will promptly delete that information.

If we become aware that we have inadvertently collected personal data from a child, we will take immediate steps to delete it from our systems.

15. Security

All data is stored on servers located in London, United Kingdom. We implement the following security measures to protect your personal data:

  • Encrypted data transmission using TLS for all connections
  • Passwords stored using one-way cryptographic hashing and never in plain text
  • Access controls limiting data access to authorised personnel only
  • Session security monitoring to detect and prevent account hijacking
  • Prompt injection detection and monitoring for AI features
  • Regular security reviews of our infrastructure and dependencies

No method of transmission over the Internet is 100% secure. While we take all reasonable precautions, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, and notify affected users without undue delay where required.

If you discover a security vulnerability in GhostlyX, please report it responsibly via our bug bounty programme at ghostlyx.com/bug-bounty. Researchers who follow our responsible disclosure guidelines are protected from legal action.

16. Data Breach Response

In the event of a personal data breach, we will:

  • Contain the breach and assess the risk to individuals as quickly as possible
  • Notify the ICO within 72 hours of becoming aware of the breach, where required by UK GDPR Article 33
  • Notify affected users directly, without undue delay, where the breach is likely to result in a high risk to their rights and freedoms, as required by UK GDPR Article 34
  • Document the breach, its effects, and the remedial action taken

Breach notifications to users will be sent to the email address associated with your account and will include: a description of what happened, the categories and approximate number of records affected, the likely consequences, and the steps we have taken or propose to take to address the breach.

17. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. Non-material changes (such as clarifications or corrections) may take effect immediately with an updated “last updated” date. Continued use of the Service after the effective date of any update constitutes acceptance of the revised policy.

We will always keep a clear record of what changed and when. Previous versions of this policy are available on request by emailing privacy@ghostlyx.com.

18. Contact & Complaints

For any questions, requests, or concerns about this policy or how we handle your data, contact our privacy team:

Varsuite Media Group Ltd
Mentor House, Ainsworth Street
Blackburn, BB1 6AY
United Kingdom
Email: privacy@ghostlyx.com

If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO). The ICO is the UK’s independent authority for data protection. You can contact them at 0303 123 1113 or via their website.