1 Introduction
GhostChat ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our live chat widget service.
2 Information We Collect
2.1 Information You Provide
When you sign up for GhostChat, we collect:
- Email address
- Password (encrypted)
- Website domain(s)
2.2 Chat Messages
We store chat messages exchanged between website visitors and site owners. Messages are stored securely and are only accessible to the site owner who created the account.
2.3 Technical Information
We automatically collect certain technical information, including:
- IP addresses (for security and abuse prevention)
- Browser type and version
- Session identifiers (stored in localStorage, not cookies)
3 Zero Tracking, Zero Cookies
- Does not use cookies: We use localStorage for session management only
- Does not track users: No analytics, no fingerprinting, no cross-site tracking
4 Lawful Basis for Processing
We process personal data on the following legal bases under GDPR Article 6:
- Contract performance — account data (email, password, domain) and chat messages are necessary to provide the Service you signed up for.
- Legitimate interest — IP addresses and session identifiers are processed for security, abuse prevention, and service operation. These interests are not overridden by your privacy rights given the minimal data involved.
- Consent — visitor email addresses are only collected if the visitor voluntarily provides them through the chat widget.
5 How We Use Your Information
- To provide and maintain the Service
- To send email notifications when visitors message your site (via Resend)
- To process payments (via Stripe — we do not store credit card details)
- To respond to support requests
- To detect and prevent abuse or fraud
6 Third-Party Services
We use the following third-party services to operate GhostChat:
- Supabase — database hosting (PostgreSQL). Stores account data and chat messages.
- Cloudflare — edge network. Hosts the widget and WebSocket connections.
- Stripe — payment processing. Handles all billing; we never see or store card numbers.
- Resend — transactional email. Sends chat notification emails.
- Vercel — website hosting. Serves the marketing site and dashboard.
- Google Cloud Translation — auto-translate (Pro+ plan). Translates chat messages between visitor and agent languages. Message text is sent to Google's API for translation; no other data is shared.
We do NOT use Google Analytics, Facebook Pixel, or any advertising trackers.
7 Data Storage and Security
- Data is stored in Supabase (PostgreSQL) hosted in the US
- Chat sessions use Cloudflare Durable Objects (edge-distributed)
- Passwords are hashed with bcrypt
- All connections use HTTPS/WSS encryption
- We implement reasonable security measures but cannot guarantee absolute security
8 Data Retention
- Free plan: conversation history retained for 30 days
- Pro plan: conversation history retained for 1 year
- Business plan: conversation history retained indefinitely
- Account data is retained until you delete your account
- You can request deletion of all your data by contacting us
9 Visitor Data (Widget Users)
- The widget does NOT set cookies
- Session IDs are stored in localStorage (browser-local, not sent to third parties)
- Visitor email addresses are only collected if the visitor voluntarily provides them
- Visitor IP addresses are visible to site owners via Cloudflare headers for abuse prevention
- We do NOT build profiles, fingerprint browsers, or track visitors across sites
10 Your Rights
- Access: Request a copy of your data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and all associated data
- Portability: Export your contacts and conversations (CSV export available in dashboard)
- Complaint: If you are in the EU/EEA, you have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, CNIL in France) if you believe we have not complied with applicable data protection laws.
To exercise these rights, please contact us via our contact page.
11 Children's Privacy
The Service is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.
12 Changes to This Policy
We may update this policy from time to time. We will notify registered users of material changes via email. Continued use of the Service after changes constitutes acceptance of the updated policy.
Contact Us
If you have any questions about this Privacy Policy, please contact us through our contact page.