Privacy Policy
This Privacy Policy explains how Ghost Metrics, LLC ("Ghost Metrics," "we," "us," or "our") collects, uses, discloses, and protects information in connection with our website, our sales and support activities, and our analytics service.
1. Scope of this policy
This policy covers two distinct contexts:
- The Ghost Metrics marketing website at ghostmetrics.io and our related sales, support, and documentation properties. We act as the data controller for information collected here, including information from prospects, customers, job applicants, and visitors.
- The Ghost Metrics analytics service (the "Service") that our customers deploy on their own websites and digital properties. When end users of our customers' websites interact with the Service, our customers are the data controllers and we act as their data processor or, where applicable under U.S. healthcare law, as their HIPAA Business Associate. Our handling of that data is governed primarily by the Data Processing Addendum (DPA) and Business Associate Agreement (BAA) that we sign with each customer, and secondarily by the privacy policy of the customer whose website you are visiting.
If you visited a website that uses Ghost Metrics and have questions about how your data is used there, please contact the operator of that website. This policy describes the boundaries of our role and the protections we provide regardless of which customer is using the Service.
2. HIPAA notice for healthcare customers
Ghost Metrics is designed to support HIPAA-regulated workloads. When a customer is a Covered Entity or another Business Associate under HIPAA and protected health information (PHI) is or may be involved in their use of the Service, we sign a Business Associate Agreement before any production data is collected. The BAA, not this policy, governs our handling of PHI.
In all cases, regardless of HIPAA status:
- We do not use customer data, end-user data, or any PHI to train machine learning models.
- We do not use customer data, end-user data, or any PHI for marketing, advertising, or behavioral targeting.
- We do not sell customer data, end-user data, or PHI.
- We do not share data across tenants. Each customer's data is logically isolated.
To request a BAA or DPA, contact [email protected].
3. Information we collect
From the marketing website
When you visit ghostmetrics.io, request a demo, sign up for an account, contact support, or apply for a job, we may collect:
- Identifiers: name, business email address, phone number, business address.
- Account information: username, hashed password, role, company name.
- Billing information: billing contact, billing address, and payment metadata. We do not store payment card numbers; payment cards are handled by our PCI-compliant payment processor.
- Communications: the content of demo requests, support tickets, sales emails, and meeting notes.
- Website usage data: IP address, approximate location derived from IP, browser and device characteristics, pages viewed, referrer, and timestamps. We collect this data using our own Ghost Metrics analytics on our website.
From the Ghost Metrics Service
When deployed on a customer's website, the Service may collect the following on behalf of that customer:
- IP address (which the customer can configure to be anonymized at collection)
- A pseudonymous visitor identifier
- Pages viewed, page titles, referring URL, and exit URL
- Approximate geographic location derived from IP
- Device characteristics (browser, operating system, screen size, language)
- Time spent and interaction events
- Custom dimensions, goals, funnel events, and form interactions configured by the customer
- Heatmap and session recording data, where the customer has enabled those features and configured appropriate masking
The customer determines what is collected, what is masked, what consent is obtained from end users, and how long data is retained. We honor the customer's configuration and do not access or use this data outside the scope of operating the Service for them.
4. How we use information
We use information collected through the marketing website to:
- Provide and improve our website, sales process, and customer onboarding
- Respond to demo requests, support tickets, and other inquiries
- Process billing and manage customer accounts
- Send service communications (security notices, billing notices, sub-processor change notices, scheduled maintenance)
- Send marketing communications to prospects and existing customers, where permitted, with an option to opt out in every message
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations and enforce our agreements
We use information collected through the Service only to:
- Provide the analytics Service to the customer that owns the data
- Maintain, secure, monitor, and troubleshoot the Service
- Comply with legal obligations
- Carry out the customer's documented instructions under the DPA or BAA
We do not use Service data for our own marketing, profiling, training of machine learning models, or any purpose outside the operation of the Service for the customer.
5. How we disclose information
We disclose information in the following limited circumstances:
- Sub-processors. We use a small set of vetted vendors to operate our business and the Service. See the Sub-processors section below.
- Customers. Where we operate the Service, we make data available to the customer that owns it.
- Legal requirements. We may disclose information when required by law, court order, or valid request from a government authority. Where lawful, we will notify the affected customer or individual.
- Business transfers. If Ghost Metrics is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction. We will provide notice to affected customers and any buyer will be bound by commitments at least as protective as this policy and any applicable BAA or DPA.
- With consent. We may disclose information for any other purpose with your consent.
We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under California law, and we have not done so in the preceding twelve months.
6. Sub-processors
We maintain a complete, current list of sub-processors on our Sub-processors page that identifies each sub-processor, the purpose of processing, the location of processing, and whether a BAA is in place.
Our sub-processors fall into the following categories:
- Cloud infrastructure (hosting, storage, encryption key management, monitoring)
- Customer support (ticketing and helpdesk)
- Billing and payments
- Compliance, security, and risk management (including independent penetration testing)
- Communications and contract execution
- Productivity and internal collaboration
We sign a written agreement with every sub-processor that imposes data protection obligations no less protective than those in this policy and our customer agreements. Where the sub-processor will handle PHI, we sign a BAA.
We notify customers of new sub-processors at least 30 days before they begin processing customer data, by email to the designated account contact and by updating our Sub-processors page. Customers who object to a new sub-processor may terminate the affected portion of the Service in accordance with the DPA.
7. Security
We maintain a documented information security program designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Current controls include:
- Encryption in transit using TLS 1.2 or higher for all customer-facing endpoints.
- Encryption at rest for databases, object storage, file systems, and backups, using AES-256 with managed encryption keys.
- Network isolation with private networking, security groups, and least-privilege access between application, database, and administrative tiers.
- Access controls including SSO, multi-factor authentication for administrative access, and role-based access scoped to the minimum necessary.
- Audit logging of administrative and infrastructure activity, retained and monitored.
- Vulnerability management including periodic scanning and annual independent penetration testing by a qualified third party.
- Backup and recovery with regular automated backups, point-in-time recovery, and tested restore procedures.
- Tenant isolation so that each customer's data is segregated and access is scoped per tenant.
- Compliance program aligned with HIPAA Security Rule requirements and SOC 2 Trust Services Criteria.
We are SOC 2 Type II certified. Our most recent SOC 2 report is available under NDA on request.
No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. We will notify affected customers of any confirmed security incident involving their data without undue delay and in accordance with applicable law and the BAA or DPA.
8. Data retention
We retain information only as long as needed for the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce our agreements.
| Category | Retention |
|---|---|
| Marketing website analytics | 13 months |
| Demo requests and sales inquiries from prospects who do not become customers | 24 months from last contact |
| Customer account records | Duration of the customer relationship plus 7 years for tax, billing, and legal purposes |
| Support tickets | 3 years from ticket closure |
| Application and security logs | 1 year |
| Backups | 30 days rolling |
| Service data (analytics, heatmaps, recordings) | Retained according to the customer's configuration in the Service. Upon customer termination, customer data is deleted within 30 days unless a longer retention is required by law. |
Customers can request earlier deletion of their data by contacting [email protected] or, where available, using in-product controls.
9. Hosting and transfers
The Service and the marketing website are hosted on Amazon Web Services in the United States. We do not currently offer hosting in other regions.
If you are accessing the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.
10. Your privacy rights
General
You may have rights under applicable law to access, correct, delete, port, or restrict the processing of your personal information, and to object to certain processing.
To exercise any right, contact [email protected]. We will respond within the timeframes required by applicable law and may need to verify your identity before fulfilling the request.
If you are an end user of a website that uses the Service and you wish to exercise rights with respect to data collected on that site, please contact the operator of that website. We will support our customers in fulfilling such requests as required by the DPA or BAA.
California (CCPA / CPRA)
If you are a California resident, you have the rights to know, access, correct, delete, opt out of sale or sharing, limit the use of sensitive personal information, and not be discriminated against for exercising your rights.
We do not sell personal information and we do not share personal information for cross-context behavioral advertising.
The categories of personal information we collect are: identifiers; commercial information; internet or other electronic network activity; geolocation data (approximate, derived from IP); professional information (for prospects); and sensitive personal information limited to account login credentials.
We disclose personal information to sub-processors as described in this policy, in each case under written contract for a business purpose, and not for sale or sharing.
To submit a verifiable consumer request, contact [email protected]. You may use an authorized agent to submit a request on your behalf, subject to verification.
Other U.S. state privacy laws
Residents of states with comprehensive privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as enacted) have rights similar to those above. Submit requests to [email protected].
11. Children's privacy
The marketing website and the Service are not directed to children. We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where that is the applicable threshold). If you believe a child has provided us with personal information, contact [email protected] and we will take steps to delete it.
Some of our customers operate pediatric healthcare practices and may use the Service in connection with care delivered to minors. In those cases, the customer's privacy notice and the BAA govern.
12. Cookies and similar technologies
The marketing website uses a small number of first-party cookies and the Ghost Metrics analytics product itself, configured for first-party measurement. We do not run third-party advertising or remarketing pixels on ghostmetrics.io.
The Service deploys a tracking script and cookies on customer websites under the customer's configuration and consent management. The customer is responsible for obtaining any required consent from end users.
13. Do Not Track and Global Privacy Control
Our marketing website honors the Global Privacy Control (GPC) signal as a valid opt-out of sale and sharing under California law. Because we do not sell or share personal information, this signal has no practical effect, but we recognize it.
We do not currently respond to legacy Do Not Track (DNT) browser signals because there is no consensus standard for what they mean.
14. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top, post the revised policy, and where required notify affected customers and individuals by email or in-product notice prior to the change taking effect. We will retain prior versions and make them available on request.
15. Contact us
For privacy questions, requests, or to obtain a BAA or DPA:
Ghost Metrics, LLC
2624a New Hartford Rd
Owensboro, KY 42303
Email: [email protected]