How GhostGuard complies with the General Data Protection Regulation, and what this means for your platform and your visitors.
GhostGuard's collection of behavioural timing signals is based on legitimate interests under GDPR Article 6(1)(f) and Recital 47. Recital 47 specifically lists fraud prevention as an example of legitimate interest processing, stating:
"The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned."
Protection against credential stuffing, automated scraping, and spam is a clear fraud-prevention purpose. The balancing test is met because: only minimal data (timing values and boolean flags) is collected; no PII is involved; and visitors are informed via the protection badge.
Because the legal basis is legitimate interests, not consent, GhostGuard does not require a cookie consent popup for its operation. The GhostGuard session cookie is a security cookie falling under the security exemption in ePrivacy Directive Article 5(3).
GhostGuard collects only the minimum data necessary for bot detection:
We explicitly do not collect: which keys were pressed, form field contents, passwords, email addresses from form inputs, or any data from which individual identity could be inferred.
Subscriber websites display the GhostGuard protection badge near protected forms. This satisfies the transparency requirement. Subscribers can link the badge to this page for full disclosure.
Session signal data is retained for 30 days by default. Subscribers can reduce this to as little as 1 day via the privacy_retention_days policy key in their dashboard. IP addresses can be automatically anonymised after scoring by enabling the privacy_anonymize_ip policy flag.
PrivacyHash acts as a data processor for the behavioural signal data collected on your subscriber website. Enterprise subscribers can request a Data Processing Agreement (DPA) by emailing legal@privacyhash.com.
All data is processed on servers within the EU. No cross-border transfers to non-adequate third countries are made. Stripe (our payment processor) operates under Standard Contractual Clauses for any EU-US data transfer.
For GDPR enquiries: privacy@privacyhash.com