Welcome to GhostAudit. At GhostAudit, your privacy and data security are our top priorities. This Privacy Policy outlines how we collect, process, protect, and (in rare cases) share your information when you use our Stripe security audit services.
- Stripe Key Security: We strongly require and only support the use of Stripe's Restricted Read-Only Keys (rk_live_...). We will never ask for keys with write permissions.
- Key Storage Policy:
  - For Manual Scans, your Stripe API keys are transmitted via encrypted connections and are never persistently stored in our databases or logs.
  - For Scheduled Scans (PRO), your key is stored in an encrypted format (AES-256-GCM) to enable automated processing.
- Data Minimization: We only read transaction metadata necessary for security risk assessment. We do not read or store customer names, specific purchased items, or sensitive payment details.
To provide high-quality audit services, we collect the following types of data:
- Account Information
  - What We Collect: Your email address (provided via sign-in).
  - Purpose: To manage your PRO access and send security alerts if critical vulnerabilities are detected.
- Stripe Audit Data (Temporary Processing)
  - What We Collect: When you run a scan, we access transaction summaries via your read-only key (e.g., presence of billing address, card origin country).
  - Purpose: To calculate your "Ghost Transaction" rate and identify configuration risks. This raw data is purged from our memory immediately after the scan is complete.
- Payment Information
  - What We Collect: Payments for PRO licenses are handled directly by Stripe.
  - Purpose: We only receive confirmation of successful payment and do not have access to your credit card details.
- Cookies and Analytics
  - What We Collect: Anonymous usage data via Google Analytics and Microsoft Clarity.
  - Purpose: To analyze site interactions and optimize user experience.
If you choose to enable the "Scheduled Scan" feature, the following additional data practices apply:
- Encrypted Key Storage: To perform automated scans on your behalf, we store your Stripe Restricted Key in an encrypted format using industry-standard AES-256-GCM encryption. The encryption keys are managed separately from the database.
- Persistence: The encrypted key and your automated scan configurations (frequency, recipient emails) are stored in our database until you choose to disable the feature or delete your account.
- Automated Reports: Scan results generated by the automated system are stored similarly to manual scan reports, allowing you to track security trends over time.
We implement multi-layered security protections:
- SSL Encryption: All data transmissions are encrypted via HTTPS.
- In-Memory Processing: Audit logic runs in a temporary memory environment to ensure raw transaction data is never written to disk.
- Access Controls: Only authorized systems can communicate with the Stripe API.
We never sell your personal information to third parties. We only share data in the following cases:
- Legal Requirements: If required by law or public authorities.
- Service Providers: Such as Stripe (payment processing) or Google (analytics), who are bound by strict confidentiality agreements.
You can request to delete your account or clear any historical statistical reports associated with you at any time. Please contact us via the email below.
If you have any questions about this policy, please contact:
Website: ghostaudit.io
Email: [email protected]
By using GhostAudit, you consent to this Privacy Policy. Thank you for trusting us with your Stripe account security.