Privacy Policy

1. Introduction

Ghost Tax Inc. ("Ghost Tax", "we", "us") operates the ghost-tax.com website and related services. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our services. By using our services, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect information you provide directly: • Email address (when you run a paid detection or submit a contact form) • Company domain (when you use our analysis services) • Company size and industry (optional, to improve analysis accuracy) • Payment information (processed by Stripe — we never store card details) We collect automatically: • Usage data (pages visited, features used) • Device information (browser type, operating system) • IP address (for rate limiting and security)

3. How We Use Your Information

We use your information to: • Deliver financial exposure analysis and reports • Process payments via Stripe • Send delivery confirmations and follow-up communications • Improve our analysis methodology and service quality • Comply with legal obligations We do NOT: • Sell your data to third parties • Share your data for advertising purposes • Use your data to train AI models • Profile you for purposes unrelated to our service

4. Data Storage and Security

Your data is stored on SOC 2 Type II audit-ready infrastructure (certification in progress, target Q3 2026) in US-East-1 (Virginia). All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Raw analysis data is automatically purged after 30 days. Structured reports are retained for the duration of your business relationship with us. We follow Zero-Knowledge audit principles: your data never touches our analysis engine in identifiable form.

5. Sub-processors

We use the following third-party services: • Supabase (database hosting, US) — SOC2 Type II • Stripe (payment processing, US) — PCI DSS Level 1 • Vercel (website hosting, US) — SOC2 Type II • Resend (email delivery, US) — SOC2 Type II • OpenAI (analysis, US) — SOC2 Type II, no-logging mode • Exa (data enrichment, US) — SOC2 Type II

6. Your Rights (GDPR)

If you are located in the European Economic Area, you have the right to: • Access your personal data • Rectify inaccurate personal data • Request erasure of your personal data • Restrict processing of your personal data • Data portability • Object to processing To exercise any of these rights, contact us at privacy@ghost-tax.com.

7. Data Retention

• Raw analysis data: automatically deleted after 30 days • Structured reports: retained while your account is active • Payment records: retained for 7 years (legal requirement) • Contact form submissions: retained for 2 years • Email communications: retained for 2 years You can request deletion at any time by contacting privacy@ghost-tax.com.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We recommend reviewing this Privacy Policy periodically for any changes.

Questions about this privacy policy? Contact us at privacy@ghost-tax.com.