Legal › GDPR

GDPR information

How GhostGuard complies with the General Data Protection Regulation, and what this means for your platform and your visitors.

🌏 GhostGuard was designed with GDPR compliance as a first-class requirement, not an afterthought. The technical architecture reflects this: no PII is collected from visitor sessions, and the legal basis is robust.

Legal basis: Legitimate interests (Article 6(1)(f))

GhostGuard's collection of behavioural timing signals is based on legitimate interests under GDPR Article 6(1)(f) and Recital 47. Recital 47 specifically lists fraud prevention as an example of legitimate interest processing, stating:

"The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned."

Protection against credential stuffing, automated scraping, and spam is a clear fraud-prevention purpose. The balancing test is met because: only minimal data (timing values and boolean flags) is collected; no PII is involved; and visitors are informed via the protection badge.

No consent popup required

Because the legal basis is legitimate interests, not consent, GhostGuard does not require a cookie consent popup for its operation. The GhostGuard session cookie is a security cookie falling under the security exemption in ePrivacy Directive Article 5(3).

Data minimisation (Article 5(1)(c))

GhostGuard collects only the minimum data necessary for bot detection:

We explicitly do not collect: which keys were pressed, form field contents, passwords, email addresses from form inputs, or any data from which individual identity could be inferred.

Transparency for visitors (Article 13/14)

Subscriber websites display the GhostGuard protection badge near protected forms. This satisfies the transparency requirement. Subscribers can link the badge to this page for full disclosure.

Data retention (Article 5(1)(e))

Session signal data is retained for 30 days by default. Subscribers can reduce this to as little as 1 day via the privacy_retention_days policy key in their dashboard. IP addresses can be automatically anonymised after scoring by enabling the privacy_anonymize_ip policy flag.

Data processing agreement (DPA)

PrivacyHash acts as a data processor for the behavioural signal data collected on your subscriber website. Enterprise subscribers can request a Data Processing Agreement (DPA) by emailing legal@privacyhash.com.

Cross-border transfers

All data is processed on servers within the EU. No cross-border transfers to non-adequate third countries are made. Stripe (our payment processor) operates under Standard Contractual Clauses for any EU-US data transfer.

Contact your DPA

For GDPR enquiries: privacy@privacyhash.com