Last updated: 2026 · Ghostproof · ghostproof.uk
This policy applies to all users of ghostproof.uk and is compliant with UK GDPR and the Data Protection Act 2018.
Ghostproof ("we," "us," "our") operates ghostproof.uk, an AI-powered book production engine for indie authors. For data protection purposes, Ghostproof is the data controller for personal data collected through this service. Contact: legal@ghostproof.uk
When you create an account, we collect your email address and a hashed password. These are stored securely via Supabase (our database provider, hosted in the EU).
We record your subscription plan, generation count, and reset dates. These are used solely to enforce plan limits and provide your service.
Payments are processed by Stripe. We never see or store your card details. Stripe stores your payment information under their own privacy policy. We receive only a customer ID and subscription status from Stripe.
If you explicitly opt in, we collect anonymised before-and-after prose samples when you use editorial tools (Editorial Review, AI Editor, Health Check). These are stored with a monthly session hash — never linked to your name, email, or account ID. You can opt out at any time in the engine's footer.
The Ghostproof engine stores your project data (book settings, chapters, word count stats) in your browser's localStorage. This data never leaves your device unless you explicitly save a project. It is not transmitted to our servers.
We use a session cookie set by Supabase to keep you logged in. This is a strictly necessary cookie — it cannot be disabled without preventing login. We do not use advertising, tracking, or analytics cookies.
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation and login | Contract (Art. 6(1)(b)) |
| Generation count | Enforcing plan limits | Contract (Art. 6(1)(b)) |
| Payment / subscription status | Providing paid features | Contract (Art. 6(1)(b)) |
| Session cookie | Keeping you logged in | Legitimate interests (Art. 6(1)(f)) |
| Editorial prose pairs | Building proprietary training dataset | Consent (Art. 6(1)(a)) |
Account data is retained while your account is active and for 30 days after deletion (to allow recovery). Payment records are retained for 7 years as required by UK tax law. Editorial prose pairs are retained indefinitely as part of the research dataset, but are permanently anonymised — they cannot be linked back to you after collection.
We share data only with the following processors, under written data processing agreements:
We do not sell your data to third parties. We do not share your data with advertisers.
You have the right to:
To exercise any right, email legal@ghostproof.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ico.org.uk).
All data is transmitted over HTTPS. Passwords are hashed by Supabase — we never store plaintext passwords. The editorial dataset uses anonymous session hashes and cannot be reverse-linked to individual users. We conduct regular security reviews of our infrastructure.
Anthropic (US) processes text you send for AI generation under EU Standard Contractual Clauses. Vercel (US) hosts the application under the same mechanism. Supabase data is stored in the EU.
Ghostproof is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has provided data, contact us immediately.
We may update this policy. Significant changes will be notified by email or in-app notice. Continued use after changes constitutes acceptance.
Data controller: Ghostproof · ghostproof.uk
Email: legal@ghostproof.uk