Last updated: February 27, 2026
Ghost Agents ("we", "us", "our") operates the ghostagents.app platform. This policy explains what data we collect, why, and how we handle it. This policy is governed by the General Data Protection Regulation (GDPR) and French data protection law.
Account data: When you sign in with Google, we receive your name, email address, and profile picture from Google OAuth. We do not receive or store your Google password.
Bot data: Content you provide to your bots (messages, files, instructions) is stored in your bot's workspace on our servers. Bot conversation history is stored in a per-bot SQLite database inside the bot's container.
Integration credentials: When you connect third-party services (Google, Slack, Notion), OAuth tokens are stored encrypted (AES-256-GCM) in our database. We only request the minimum scopes needed for the features you enable.
Usage data: We record API usage (token counts, model used, cost) for billing and display in your dashboard. We log bot activity (messages sent/received) for your activity feed.
Payment data: Payments are processed by Stripe. We do not store credit card numbers. We store your Stripe customer ID to link purchases to your account.
| Purpose | Legal Basis (GDPR) |
|---|---|
| Operate your bots and deliver the service | Performance of contract |
| Meter AI usage and enforce spending limits | Performance of contract |
| Process credit purchases via Stripe | Performance of contract |
| Send bot outputs to channels you connected | Your explicit consent (via OAuth) |
| Display activity, usage, and billing | Performance of contract |
| Debug issues and improve reliability | Legitimate interest |
Your bot messages are sent to Anthropic's Claude API for processing. Anthropic's privacy policy and API terms apply. We use their commercial API with zero-retention terms β Anthropic does not train on your data.
We also use:
Each third-party service has its own privacy policy. Your data may be transferred to and processed in the United States. We ensure appropriate safeguards (Standard Contractual Clauses, encryption in transit and at rest).
Data is stored on servers located in Europe (France). Security measures include:
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion + 30 days |
| Bot data (conversations, files, workspace) | Until bot deletion or account closure |
| Integration tokens | Until you disconnect the integration |
| Payment records | 7 years (French accounting requirement) |
When you delete a bot, its container and workspace are removed. When you delete your account, all associated data is removed within 30 days, except payment records retained for legal compliance.
Under the General Data Protection Regulation and French data protection law, you have the right to:
You can also export your bot's workspace files at any time via the dashboard, delete individual bots, and disconnect integrations.
To exercise your rights, contact privacy@ghostagents.app. We will respond within 30 days.
You may lodge a complaint with your data protection authority. In France: Commission Nationale de l'Informatique et des LibertΓ©s (CNIL).
We use a single session cookie for authentication (connect.sid). We do not use tracking cookies, analytics scripts, or advertising pixels.
Ghost Agents is not intended for users under 16. We do not knowingly collect data from children.
We may update this policy. Material changes will be communicated via email. The "Last updated" date above reflects the latest version. Continued use of the service after changes constitutes acceptance.
In the event of a data breach affecting your personal information, we will notify affected users within 72 hours and report to the relevant data protection authorities as required by GDPR.
For privacy questions: privacy@ghostagents.app
Data Controller (GDPR Article 13):
P.H.J. Humblot, Entrepreneur Individuel
SIREN: 823 531 157 Β· SIRET: 823 531 157 00019
Activity: 62.01Z β Computer programming
4 Place Louis Chazette, 69001 Lyon, France
Supervisory authority: CNIL (France)