General Privacy Policy

This document explains how Ghosty collects, uses, shares, and protects Personal Data when you use our website and related services.

By visiting our websites, submitting your personal data to us, or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please refrain from using our services and websites.

Last Updated: 17 April 2026

Our privacy documentation is divided into two documents for clarity:

General Privacy Policy (this document)
Ghosty VPN – Specific Privacy Notice (VPN service details)

1. Who We Are

The entity responsible for the processing of Personal Data described in this Privacy Policy is:

Ghosty VPN S.L.
Calle de Manzanares 4, 28005 Madrid, Spain
Email: [email protected]

Throughout this Privacy Policy, “Ghosty”, “we”, “us”, or “our” refers to Ghosty VPN S.L.

2. Definitions

  • Account: A user account created to access the Service.
  • Company: Ghosty VPN S.L., also referred to as “we,” “us,” or “our.”
  • Cookies: Small text files stored on your device to save browsing activity, preferences, or session identifiers.
  • Country: Refers to Spain, where Ghosty VPN S.L. is headquartered.
  • Device: Any electronic device capable of accessing our services, such as a computer, smartphone, or tablet.
  • Personal Data: Any information relating to an identified or identifiable individual.
  • Service: Refers to Ghosty VPN software, including the website, application, and any associated services.
  • Service Provider: Third-party companies or individuals that process data on our behalf to facilitate the service, improve its functionality, or analyze usage.
  • Usage Data: Data collected automatically when using the Service (e.g., device information, browser type, pages visited on our website).
  • Website: The Ghosty VPN website accessible at ghosty.com.
  • You: The individual using our service, or the legal entity on behalf of which such individual is using the service.

3. What Data We Collect

We collect and process Personal Data to operate the Service, provide customer support, facilitate payments, and improve functionality and security.

3.1 Data You Provide Directly

Account data: Email address (required), and optionally name/surname.

Support communications: Information you include when contacting support (e.g., message content, email, troubleshooting details, and any information related to refund or billing inquiries).

3.2 Data Collected Automatically

Website Usage Data: Browser type, device identifiers, pages visited, and approximate location (e.g., city-level) where supported by analytics configuration.

Security and troubleshooting logs (web application): Connection IP address and session-related technical data may be processed for security and troubleshooting purposes.

These web application logs are separate from VPN traffic and do not reveal websites visited through the VPN.

These logs do not include VPN traffic data or browsing activity conducted through the VPN service.

3.3 Payment and Subscription Data

If you purchase a paid subscription, we process information needed to manage your subscription and payments, such as:

Subscription data: Selected plan, subscription ID, billing cycle, currency, and payment status.

Transaction data: Billing details and transaction metadata (e.g., payment confirmation, tokenized identifiers where provided by the payment processor).

We do not store full card numbers. Payment processing is handled by third-party payment providers (for example, Stripe and/or PayPal). We receive confirmation and limited transaction details needed for billing, fraud prevention, and customer support.

4. How We Use Personal Data

We use Personal Data for:

  • Service Provision and Maintenance: Ensuring service functionality and security.
  • Contractual Performance: Developing, complying with, and executing purchase agreements.
  • Customer Support: Managing user inquiries and technical support.
  • Business Transfers: Sharing or transferring data in case of company restructuring, mergers, or acquisitions.
  • Refund Requests and Dispute Handling: To review, process, and manage refund requests, including verifying eligibility, resolving issues, and preventing fraud or abuse.
  • With Affiliates and Business Partners: We may use Personal Data to support marketing, promotions, referral programs, or co-branded initiatives and to improve our Service. Where required by applicable law, we will obtain your consent before sending marketing communications or sharing data for such purposes, and you may opt out at any time.

Marketing Communications: If you opt in (or where permitted under applicable law), we may send you marketing communications about Ghosty products, features, promotions, and updates. You can opt out at any time by using the unsubscribe link in our emails (where provided) or by contacting us at [email protected]. Opting out of marketing messages does not affect service-related or transactional communications (such as account notices, security alerts, or billing messages).

Ghosty VPN offers various products tailored to different user needs. As a result, these products may collect and process specific types of personal data to ensure optimal performance. To learn more about data processing for each product, please refer to Ghosty VPN – Specific Privacy Notice.

5. Legal Bases for Processing

We process Personal Data under one or more of the following legal bases:

  • Contract: To provide the Service and manage subscriptions.
  • Legal obligation: To comply with applicable accounting, tax, and regulatory obligations.
  • Consent: Where required (e.g., certain cookies/analytics or marketing communications).
  • Legitimate interests: To secure and improve our Service, prevent fraud and abuse (including in connection with billing and refunds), and maintain operational reliability (balanced against your rights).

6. Cookies and Tracking Technologies

We use cookies and similar technologies (such as tags and scripts) for essential functionality, preferences, and (where enabled) analytics.

6.1 Google Tag Manager (GTM)

We use Google Tag Manager to manage and deploy website tags. Google Tag Manager itself is a tag management system; cookies are typically set by the specific tags configured within it (for example, Google Analytics).

6.2 Google Analytics

We may use Google Analytics to understand how visitors interact with our website (e.g., pages visited, time on site, navigation patterns). Data is used in aggregated form to improve user experience and service quality.

6.3 Managing Cookies

You can control cookies through:

  • Cookie banner / consent settings (where available).
  • Your browser settings (blocking, deleting, or limiting cookies).

Note: Disabling certain cookies may impact website functionality.

7. Sharing and Disclosure of Personal Data

We do not sell your Personal Data. We may share Personal Data only as needed:

  • Service Providers: For payment processing (e.g., Stripe/PayPal), analytics (e.g., Google Analytics), infrastructure hosting, customer support tooling, and security services.
  • Legal requirements: If we are legally compelled to disclose information (e.g., valid legal process). Due to our no-logs approach for VPN traffic, we do not retain browsing history or VPN activity logs that would reveal websites visited through the VPN (see the Specific Privacy Notice for details).
  • Corporate transactions: If we undergo a merger, acquisition, or asset sale, Personal Data may be transferred as part of that transaction, with appropriate notice where required.
  • Affiliates and Business Partners: We may share limited Personal Data with our affiliates and selected business partners for the purposes described in this Privacy Policy (including marketing and promotions), subject to appropriate safeguards and confidentiality obligations. Where required, we rely on your consent and provide opt-out mechanisms.

8. Security

We implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Our measures may include, as appropriate:

  • Access controls and least-privilege permissions
  • Encryption in transit and, where appropriate, encryption at rest
  • Logging and monitoring to help detect and prevent abuse and unauthorized access
  • Security updates and patch management practices
  • Vendor due diligence and contractual safeguards with Service Providers that process data on our behalf

Despite these measures, no method of transmission over the Internet and no method of electronic storage is completely secure. You are responsible for maintaining the confidentiality of your account credentials, using strong passwords, and enabling additional account security features where available.

9. International Data Transfers

Ghosty is established in Spain and primarily processes Personal Data within the European Economic Area (EEA). However, some of our Service Providers, affiliates, and partners may process Personal Data in countries outside the EEA.

When we transfer Personal Data internationally, we implement appropriate safeguards as required by applicable data protection laws. Depending on the circumstances, these safeguards may include:

  • Transfers to countries recognized as providing an adequate level of protection, where applicable; and/or
  • Standard Contractual Clauses (SCCs) and, where required, supplementary measures.

You may contact us at [email protected] to request additional information about relevant transfer mechanisms, where applicable.

10. Data Retention

We keep Personal Data only as long as necessary for the purposes described above:

  • Account data: Retained while your account is active, and for a reasonable period thereafter as needed for security, legal compliance, or dispute resolution.
  • Web application security logs: Retained for a limited period (e.g., up to 14 days) for security and troubleshooting.
  • System logs (service operations): Retained for a limited period (e.g., up to 30 days) to maintain operational reliability.
  • Billing and accounting records: Retained for up to 10 years, or as required by applicable law.

You may request account deletion as described below.

11. Your Privacy Rights

Depending on your jurisdiction (including GDPR in the EEA), you may have rights to:

  • Access, correction, deletion
  • Restriction and objection
  • Data portability
  • Withdraw consent (where processing is based on consent)
  • Lodge a complaint with a supervisory authority

To exercise your rights, contact us at: [email protected]

12. Minors

The Service is not directed to children. However, we may allow minors to use the Service only under the conditions described below and in our EULA.

Minimum age:

  • You must be at least 13 years old to use the Service.
  • If you are located in the European Economic Area (EEA), you must be at least 16 years old to use the Service.

Parental/guardian consent:

If you are under 18, you may use the Service only with the verifiable consent and supervision of your parent or legal guardian. Your parent or legal guardian must review the EULA on your behalf and discuss any questions you might have. Where appropriate, your parent or legal guardian should create and manage the account for you.

Paid subscriptions:

To purchase a paid subscription, you must be legally able to enter into a binding contract and use the chosen payment method. Where applicable, purchases must be made by a parent or legal guardian.

Data minimization for minors:

We aim to collect only the minimum Personal Data necessary to provide the Service (for example, account email and support communications). We do not knowingly collect sensitive Personal Data from minors.

Marketing:

We do not knowingly direct marketing communications to minors where prohibited by law. Where marketing consent is required, we will seek it from the parent or legal guardian, as applicable.

If we learn a user is underage without valid consent:

If we become aware that a user does not meet the minimum age requirement or lacks required parental/guardian consent, we may suspend the account and delete Personal Data where required or appropriate.

Parents/guardians who believe their child has provided Personal Data without appropriate consent may contact us at [email protected] to request access, deletion, or other actions permitted by law.

13. Third-Party Links

Our website may include links to third-party websites. Their privacy practices are governed by their own policies.

14. Governing Language

This Privacy Policy is currently available only in English. In the event of any future translations, the English version shall prevail in case of discrepancies or legal interpretations. For legal purposes, the English version of this Privacy Policy prevails over any translations. In case of discrepancies, the English text will govern.

15. Updates to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated “Last Updated” date.

16. Contact

For privacy questions or requests, contact: [email protected]

Scroll to Top