Privacy Policy

We keep things simple: we only collect what we need to run the Service, we never train on your workspace content, and you stay in control of your data.

Effective · April 12, 2026

1. Who we are

Ghostbase, Inc. ("Ghostbase", "we", "our") operates the AI agent platform available at ghostbase.io and related services (the "Service"). This Privacy Policy explains what information we collect, how we use it, and the choices you have. If anything here is unclear, email us at support@ghostbase.ai.

2. Information we collect

We collect three categories of information:

  • Account data. Name, work email, organization, password hash, and billing details when you subscribe to a paid plan.
  • Workspace content. Prompts, documents, knowledge-base files, and tool outputs you or your agents produce while using the Service.
  • Usage data. Logs of agent runs, tool calls, API requests, device and browser metadata, and product analytics needed to operate and improve the Service.

3. How we use your information

We use the information above to:

  • Provide, maintain, and secure the Service.
  • Execute agent runs, integrations, and tool calls you initiate.
  • Bill you for paid plans and prevent abuse or fraud.
  • Send service-related notices, security alerts, and support replies.
  • Analyze aggregated usage to improve reliability and product design.

We do not use your workspace content to train foundation models. Your prompts, documents, and agent outputs are used only to run the Service for your organization.

4. Third-party processors

Ghostbase relies on a small set of sub-processors to run the Service — including cloud hosting, database, analytics, LLM, and email providers. We only share the minimum data needed, bind each provider to contractual confidentiality, and review them periodically. A current list of sub-processors is available on request.

5. Integrations you connect

When you authorize Ghostbase to connect to third-party tools (e.g. Gmail, Slack, Salesforce, Stripe, Notion), we receive tokens and data scoped to the permissions you grant. We use them strictly to execute the actions requested by you or your agents. You can revoke access at any time from the integrations page or directly in the third-party service.

6. Data retention

We keep account and workspace data for as long as your workspace is active. Run logs and analytics are retained for up to 24 months. When you delete a workspace, we permanently remove its content from our production systems within 30 days, and from backups within 90 days.

7. Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to production is restricted by role-based access control and multi-factor authentication. We maintain audit logs, follow least-privilege principles, and run regular security reviews. No system is perfectly secure — if you discover a vulnerability, please report it to support@ghostbase.ai.

8. International transfers

Ghostbase is operated from the European Union and the United States. Where personal data is transferred internationally, we rely on Standard Contractual Clauses and equivalent safeguards to protect it.

9. Your rights

Depending on your jurisdiction, you may have rights to access, correct, export, restrict, or delete your personal data, and to withdraw consent or object to certain processing. You can exercise most of these rights from your account settings, or by emailing support@ghostbase.ai. We respond within 30 days.

10. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has given us personal data, contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email or in-product at least 14 days before they take effect. The "Effective" date at the top of the page always reflects the current version.

12. Contact

Questions about this policy or our data practices? Email support@ghostbase.ai. We read every message.