Privacy Policy
Last updated: 2026-05-18
GhostFetch is operated by First Commit LLC. This Privacy Policy explains what we collect, why, how we use it, and the choices you have. We collect the minimum necessary to operate the Service, bill you correctly, and keep the platform reliable.
1. Information we collect
Account data: name, email, hashed password (or the OAuth subject identifier if you sign in with Google). We do NOT see your password in plaintext.
Billing data: Stripe customer ID and the last 4 digits of your payment method. Full card numbers are stored and processed by Stripe — they never reach our servers.
API request metadata: for every request, we record the timestamp, target domain (not the full URL beyond the registrable host), render mode, HTTP status, duration, bytes returned, and a hash of your API key. We use this for billing reconciliation, abuse detection, and your usage dashboard.
Marketing consent records: whenever you opt in to or out of marketing email, we record the timestamp, the source of the action (signup form, settings toggle, in-email unsubscribe), your IP address, and your browser's user-agent string. This audit trail is retained while your account is active and exists to demonstrate compliance with anti-spam laws (CAN-SPAM, GDPR Art. 7) if asked.
Support correspondence: if you contact us via the contact form or email, we keep the message and your reply chain for as long as needed to resolve your issue and for legitimate record-keeping.
2. What we do NOT store
We do not retain customer request bodies. We do not retain the HTML returned to you beyond what is needed to relay the response on the wire.
Dashboard request logs show metadata only — never response bodies, never URL paths or query strings beyond the registrable host, never headers from the target site.
We do not use third-party advertising cookies, tracking pixels, or fingerprinting analytics on the marketing site or dashboard.
3. How we use your information
To operate the Service: authenticate you, dispatch your requests to workers, return results.
To bill you correctly via Stripe metered billing.
To prevent and investigate abuse, fraud, and Acceptable-Use violations.
To send transactional email (security alerts, billing receipts, password resets, contact-form replies) — you cannot opt out of these while your account is active.
To send marketing email (product updates, feature announcements, pricing changes) — only if you have opted in. See the section on Marketing Email below.
To improve reliability — aggregated, anonymized telemetry helps us spot regressions.
4. Marketing email
We send marketing email only to users who have explicitly opted in. The opt-in checkbox on the sign-up form is unticked by default, and you can flip your preference any time at Dashboard → Settings → Notifications.
Every marketing email includes a one-click unsubscribe link and an RFC 8058 List-Unsubscribe-Post header. We honor unsubscribes immediately — far faster than the 10 business days required by CAN-SPAM § 5(a)(4).
Transactional email (account-related messages: security alerts, billing receipts, password resets, contact-form replies) is sent regardless of marketing preference, because you cannot meaningfully opt out of "your password was just changed."
5. Cookies
We use essential cookies for authentication and session management. We do not use third-party advertising or analytics cookies.
6. Third parties
Stripe — payment processing. Sends us your customer ID and billing status; we never see full card data.
Our outbound network provider — routes outbound requests to target sites. They do not receive your account identity.
BetterStack — status page and log aggregation. Receives operational events, not customer request bodies.
Resend / AWS SES — transactional and (opt-in) marketing email delivery. They receive your email address and the message content we send to you.
Each third party processes only what it needs to for its specific function and is bound by its own privacy policy.
7. Your rights
Access — view your account data and recent request metadata at Dashboard → Logs.
Export — download your account data on request (email privacy@ghostfetch.io).
Correction — update your name from Dashboard → Settings.
Deletion — delete your account at Dashboard → Settings. Note: usage event ledger rows are retained for accounting and tax compliance even after account deletion, because they back invoices we have already issued.
Opt out of marketing — unsubscribe link in any marketing email or Dashboard → Settings → Notifications.
Data-protection complaints — privacy@ghostfetch.io. EU/UK residents may also lodge a complaint with their local supervisory authority.
8. Children's privacy
The Service is not directed to individuals under 18 and we do not knowingly collect personal information from them.
9. Changes
We may update this Privacy Policy from time to time. Material changes will be announced by email or via the dashboard at least 30 days before they take effect.
10. Contact
Privacy questions: privacy@ghostfetch.io.
Mailing address: First Commit LLC, 329 South Oyster Bay Road #2165, Plainview, NY 11803, United States.