Privacy Policy — GhostCoach

This Privacy Policy explains how GhostCoach collects, uses, stores, and shares your personal data when you use our website and services. We take your privacy seriously and process your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Dutch implementation thereof (Uitvoeringswet AVG).

1. Who We Are (Data Controller)

The data controller for the personal data processed in connection with GhostCoach is:

[LEGAL ENTITY NAME] [REGISTERED BUSINESS ADDRESS] Amsterdam, The Netherlands KvK (Chamber of Commerce) number: [KVK NUMBER] VAT (BTW) number: [BTW NUMBER] Email: [PRIVACY CONTACT EMAIL, e.g. privacy@ghostcoach.com]

We are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR, but the contact above is the responsible point of contact for all privacy matters.

2. What Personal Data We Collect

We collect only the personal data we need to deliver the service. Specifically:

2.1 Account and identity data

Full name
Email address
Account password (stored in hashed form by our identity provider)

2.2 Subscription and billing data

Billing name and address
Payment method details (card data is processed and stored by Stripe, not by us)
Subscription tier, trial status, billing history, invoices
VAT identification number, where applicable

2.3 Service-use data

Your product or business name and description
Current business stage and self-described bottleneck
90-day goal
Full transcripts of your coaching conversations with Marcus
Session summaries generated from those conversations
Notes, goals, or other content you choose to enter

2.4 Technical data

IP address (transiently, for security and abuse prevention)
Browser type and version
Session identifier (strictly necessary session cookie only)
Date and time of your visits and sessions

2.5 Communication data

Emails you send us
Email engagement metrics (opens, clicks) when we send you service or marketing communications

We do not collect special category data (health, religion, ethnicity, political views, sexual orientation, biometric or genetic data). Please do not enter special category data into your coaching sessions with Marcus.

3. Why We Process Your Data and Our Lawful Basis

Under GDPR Article 6, we must have a lawful basis for each purpose for which we process your data.

Purpose	Data used	Lawful basis
To create and manage your account	Identity, account data	Performance of contract (Art. 6(1)(b))
To deliver the GhostCoach service, including AI coaching by Marcus	Service-use data, identity	Performance of contract (Art. 6(1)(b))
To process payments and issue invoices	Billing data	Performance of contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c))
To send service emails (e.g. login, billing, account updates)	Email address, account data	Performance of contract (Art. 6(1)(b))
To send product updates and marketing emails	Email address	Consent (Art. 6(1)(a)), withdrawable at any time
To improve and debug the service	Technical data, anonymised service-use data	Legitimate interest (Art. 6(1)(f)) in maintaining a working product
To prevent abuse, fraud, and security incidents	Technical data, account data	Legitimate interest (Art. 6(1)(f)) in protecting users and the business
To comply with tax, accounting, and legal obligations	Billing data	Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interest, you have the right to object — see Section 7.

4. How Long We Keep Your Data

We retain personal data only for as long as needed for the purposes set out above.

Data category	Retention period
Account and profile data	For the duration of your active account, plus 90 days after account closure to allow account recovery
Coaching session transcripts and summaries	For the duration of your active account, plus 90 days after account closure
Billing records and invoices	7 years after the end of the financial year, as required by Dutch tax law (Article 52 AWR)
Email marketing data	Until you unsubscribe, then minimum data retained to honour the unsubscribe
Technical and log data	Maximum 12 months
Support correspondence	24 months after the issue is closed

After these periods, your data is deleted or fully anonymised.

5. Who We Share Your Data With (Sub-processors)

We do not sell your personal data. We share it only with the following service providers ("sub-processors") who help us deliver the service. Each is contractually bound by a Data Processing Agreement (DPA) under Article 28 GDPR.

Sub-processor	Purpose	Location	Transfer mechanism
Anthropic, PBC	AI model that powers Marcus (Claude API)	United States	Standard Contractual Clauses
Memberstack, Inc.	User authentication and membership management	United States	Standard Contractual Clauses
Stripe, Inc.	Payment processing, tax collection, invoicing	United States and EU	Standard Contractual Clauses
Airtable, Inc.	User profile and session data storage	United States	Standard Contractual Clauses
Make.com (Celonis Inc.)	Automation between services (session transcript routing)	EU / United States	Standard Contractual Clauses
Beehiiv, Inc.	Email delivery (transactional and marketing)	United States	Standard Contractual Clauses
Netlify, Inc.	Website hosting	United States	Standard Contractual Clauses

We may also disclose your data where required by law, in response to a valid legal request from a competent authority, or where necessary to protect our legal rights or the safety of users.

We may share aggregated and fully anonymised data (which cannot be used to identify you) for analytics or marketing purposes.

6. International Data Transfers

Several of our sub-processors are located in the United States. We rely on the European Commission's Standard Contractual Clauses (SCCs, 2021/914) as the transfer mechanism for these transfers, and where applicable on the EU–US Data Privacy Framework adequacy decision for participating providers.

You can request a copy of the SCCs in place for any specific sub-processor by emailing the address in Section 1.

7. Your Rights Under GDPR

You have the following rights with respect to your personal data:

Right of access (Art. 15): to obtain a copy of the personal data we hold about you.
Right to rectification (Art. 16): to correct inaccurate or incomplete data.
Right to erasure / "right to be forgotten" (Art. 17): to have your data deleted, subject to legal retention obligations (e.g. invoices).
Right to restriction of processing (Art. 18): to limit how we use your data in certain circumstances.
Right to data portability (Art. 20): to receive your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21): to object to processing based on legitimate interest, including direct marketing.
Right to withdraw consent (Art. 7(3)): to withdraw consent at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of prior processing.
Right not to be subject to a decision based solely on automated processing (Art. 22): Marcus provides recommendations only. Marcus does not take decisions about you or your account. All account, billing, and access decisions are taken by a human.

To exercise any of these rights, email us at [PRIVACY CONTACT EMAIL]. We will respond within one month, as required by Article 12(3) GDPR. We may need to verify your identity before fulfilling certain requests.

You also have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens (AP) Bezuidenhoutseweg 30 2594 AV Den Haag Website: https://autoriteitpersoonsgegevens.nl

8. Cookies and Tracking

We currently use only strictly necessary cookies required to operate the website and keep you logged in to your account. These cookies do not track you across other websites and do not require consent under Article 5(3) of the ePrivacy Directive.

We do not currently use analytics, advertising, or third-party tracking cookies. If we add any in the future, we will update this Privacy Policy and present a cookie consent banner before such cookies are set.

9. Data Security

We take appropriate technical and organisational measures to protect your personal data, including:

TLS/HTTPS encryption for all data in transit
Encrypted storage at rest by our sub-processors
Access controls limiting who can view personal data
Strong authentication on all administrative accounts
Regular review of sub-processor security practices

No internet-based service can be guaranteed 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours, as required by Article 33 GDPR, and notify affected users without undue delay where required by Article 34.

10. Children's Data

GhostCoach is a business-to-business service intended for use by adults acting in a professional capacity. The service is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. For material changes (for example, a new category of data collected, a new purpose, or a new sub-processor), we will notify you by email before the changes take effect.

Continued use of GhostCoach after a change has taken effect constitutes acceptance of the updated policy.

12. Contact

For any privacy-related question, request, or complaint, please contact:

[LEGAL ENTITY NAME] Email: [PRIVACY CONTACT EMAIL] Postal: [REGISTERED BUSINESS ADDRESS], Amsterdam, The Netherlands

We aim to respond to all privacy enquiries within five business days, and to formal data subject requests within one month as required by GDPR.