Legal

Privacy policy

Last updated: May 2026. GhostGuard is a product of PrivacyHash (privacyhash.com).

What we collect

From subscribers (account holders): name, email address, company name, billing information processed by Stripe (we never store card numbers), and usage data (sessions scored, domains protected).

From visitor sessions on subscriber websites: behavioural timing signals (key interval durations, mouse trajectory coordinates, scroll timing), browser capability flags (WebGL support, AudioContext support, webdriver flag), and a randomly-generated session identifier. We do not collect key values, form content, passwords, or any personally identifiable information from visitors.

What we do not collect

We never collect: passwords or form field contents, key-value pairs from keyboard input, persistent cross-site tracking identifiers, cookie data beyond the GhostGuard session token, or any biometric data as defined under GDPR Article 9.

Legal basis (GDPR)

Processing of visitor behavioural signals is based on legitimate interests (GDPR Article 6(1)(f) and Recital 47) — specifically the legitimate interest of protecting web platforms from automated abuse, credential stuffing, and fraudulent activity. The protection badge displayed on subscriber websites informs visitors that this protection is active.

Processing of subscriber account data is based on contract performance (Article 6(1)(b)) — it is necessary to provide the GhostGuard service.

Data storage and retention

All session signals, scores, and logs are stored on the GhostGuard platform server at ghostguard.privacyhash.com. No visitor data is transmitted to third-party cloud providers. Signal data is retained for 30 days by default (configurable per account). Audit logs are retained for 90 days.

Subscriber data sharing

We do not sell subscriber data or visitor session data to any third party. Anonymised and hashed threat intelligence observations (IP hashes, network hashes, fingerprint hashes) may be shared between GhostGuard accounts for cross-tenant reputation scoring. Raw IP addresses and personally identifiable information are never included in reputation observations. Subscribers can disable reputation contribution with the reputation_share_enabled policy flag.

Third-party processors

Stripe — Payment processing. Stripe processes payment card data under their own privacy policy and PCI-DSS certification. We share your name and email with Stripe to create a billing customer record.

No other third-party processors have access to subscriber or visitor data.

Your rights

Under GDPR you have the right to access, rectify, port, or erase your personal data. To exercise any of these rights, contact privacy@privacyhash.com. We will respond within 30 days.

Contact

PrivacyHash — privacy@privacyhash.comprivacyhash.com