Privacy Policy

NoGhost ("we", "our") is committed to protecting the privacy of its users. This privacy policy explains how we collect, use, store, and protect your personal information when you use our application and services.

We collect the following data: • Account information: email address, name, encrypted password • Usage data: login logs, interactions with the application • Prospect data: names, phone numbers, email addresses of prospects you import or sync via Google Calendar • Messaging data: content of messages sent and received through our platform (WhatsApp, Email). Message content is automatically deleted after 30 days (see section 7). • Calendar data: appointment information, Google Meet links, confirmation statuses • Metadata: message delivery status, timestamps, channel used, appointment outcomes (showed/no-show/rescheduled/cancelled). This metadata is retained indefinitely for analytics purposes.

Your data is used to: • Provide and improve our services • Send automated messages to your prospects • Generate performance analytics and statistics • Ensure the security of your account • Contact you regarding your account or our services

NoGhost accesses the following Google data with your explicit consent, requesting only the minimum scopes strictly necessary for the application to function: • Google Calendar — Events (calendar.events, read and write): We read your calendar events to automatically import appointments as leads, and we update event colors and titles to reflect the confirmation status (confirmed, rescheduled, cancelled, showed, no-show). We never create new events, never delete events, and never modify the main text content of your events. • Gmail — Send only (gmail.send): We send reminder emails from your Gmail account on your behalf when you configure messaging sequences with the email channel. Emails appear in your Sent folder as if sent manually. We never send emails without your explicit configuration. We do not request, and do not have, any permission to read your inbox or existing emails. Reply detection: NoGhost detects prospect replies through two channels that do not use any Gmail read permission: • WhatsApp replies: received directly via our WhatsApp integration. • Email replies: received via your external integration (Zapier, Make, or a custom webhook) that forwards the reply text to our API. Your Gmail inbox remains exclusively under your control; NoGhost never reads your emails directly from Gmail. Storage and retention of Google data: • Google access and refresh tokens are stored encrypted in our database, isolated per user via Row-Level Security (RLS). • Imported calendar data (prospect name, date, time, Meet link) is stored as long as your account is active. • No content from your Gmail inbox is ever read or stored. Revoking access: You can revoke NoGhost's access to your Google data at any time from: • NoGhost Settings → Integrations → Disconnect • Your Google Account: https://myaccount.google.com/permissions Revoking access immediately stops calendar syncing and email sending.

NoGhost's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. Specifically: • We only use Google data to provide the features described above (calendar sync, email sending). • We never transfer Google User Data to any third-party AI provider. The only AI service used by NoGhost is the Google Gemini API (gemini-2.5-flash), which is a Google service. Our Gemini API access runs through a Google Cloud project with billing enabled ("Paid Services"); under Google's applicable terms of service, prompts and responses sent to Gemini are not used to train or improve Google's generalized AI models. • No integration with OpenAI, Anthropic, OpenRouter, or any other non-Google AI provider exists in our application. • We do not use Google data for advertising purposes. • We do not allow humans to read your Google data unless you give explicit consent, for security purposes, to comply with applicable law, or for our internal operations when the data has been aggregated and anonymized. • We do not transfer Google data to other third parties unless necessary to provide the service (hosting), with your consent, or for legal obligations.

We never sell your personal data. We act as a data processor for your prospect data. We share your data only with: • Supabase Inc. (database hosting, EU/US) • Vercel Inc. (application hosting, US) • Google LLC: – Google Calendar API (read/write of events via calendar.events) – Gmail API (sending emails only via gmail.send) – Google Gemini API (paid tier, gemini-2.5-flash) for two limited uses: (a) classifying the text of a prospect reply as confirmed / rescheduled / cancelled / other — only the reply text is transmitted; (b) extracting the prospect's name from the title and description of a calendar event at creation time — only event metadata. Under Google's Paid Services terms, this content is not used to train or improve Google's generalized AI models. • Resend Inc. (transactional welcome and account-notification emails, US) • Stripe Inc. (payment processing, US/EU) • PostHog Inc. (anonymized product analytics, EU) • Legal authorities if required by law No non-Google AI provider (OpenAI, Anthropic, OpenRouter, etc.) is used. All our subprocessors are bound by confidentiality obligations and data processing agreements.

Retention policy by data type: • Message content (sent and received): automatically and irreversibly deleted after 30 days. Only metadata is retained (status, timestamps, channel, recipient). • Account and prospect data: retained as long as your account is active. • Metadata and analytics: retained as long as your account is active for performance tracking (show rates, outcomes). • Google tokens: deleted immediately when you disconnect the Google integration. • After account deletion: all your personal data (prospects, messages, sequences, connections, API keys, Google tokens) is deleted within 30 days, except for data we are legally required to retain. You can request immediate deletion of all your data by contacting us at contact@noghost.co or through your account settings.

We implement appropriate technical and organizational security measures to protect your data: • Encryption in transit (TLS/HTTPS on all connections) • Encryption at rest (AES-256 on the database) • Secure authentication with JWT tokens • Per-user data isolation (Row-Level Security) • Automatic deletion of message content after 30 days • Encrypted passwords (never stored in plain text) • API keys and secrets stored in an encrypted vault (Supabase Vault) • Google tokens encrypted and isolated per user

Under the GDPR, you have the following rights: • Right of access to your data • Right of rectification • Right to erasure ("right to be forgotten") • Right to data portability • Right to object to processing • Right to withdraw consent To exercise these rights, contact us at: contact@noghost.co

We use essential cookies for the operation of the application (authentication, language preferences). We do not use advertising or third-party tracking cookies.

For any questions about this privacy policy: Email: contact@noghost.co