Privacy Policy

Effective Date: March 31, 2026 · Last Updated: March 31, 2026

1. Introduction

Gheist.io ("Gheist.io," "we," "us," or "our") operates the Gheist.io institutional knowledge management platform. This Privacy Policy describes how we collect, use, store, and protect information when you use our website (gheist.io) and our platform services (collectively, the "Services").

We are committed to protecting the privacy and security of your data. By using our Services, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

When you create a Gheist.io account, we collect your name, email address, organization name, and password (stored in hashed form). If you use single sign-on (SSO), we receive basic profile information from your identity provider.

2.2 Organizational Knowledge Data

Gheist.io connects to your organization's productivity tools (Google Workspace, Gmail, Microsoft Teams, Fireflies.ai, and others as available) to capture and organize institutional knowledge. This may include document content, email threads, meeting transcripts, and chat messages. This data belongs to your organization and is processed solely to provide our Services.

2.3 Usage Data

We collect information about how you interact with the Services, including pages visited, features used, search queries within the platform, and timestamps. This helps us improve the product experience.

2.4 Technical Data

We automatically collect device type, browser type, IP address, and operating system information when you access our Services.

3. How We Use Your Information

We use the information we collect to: provide and operate the Gheist.io platform; process and organize your institutional knowledge data; generate AI-powered insights and summaries from your knowledge base; improve, personalize, and expand our Services; communicate with you about your account, updates, and support; detect and prevent fraud, abuse, or security incidents; and comply with legal obligations.

4. AI Processing & Data Handling

Gheist.io uses artificial intelligence (powered by Anthropic's Claude) to analyze and organize your knowledge data. Important commitments regarding our AI processing:

  • No model training on your data. Your organizational data is never used to train or fine-tune AI models. It is used exclusively to generate responses and insights within your own workspace.
  • Ephemeral processing. Data sent to the AI model for processing is not retained by the model provider beyond the scope of generating a response.
  • Organization-scoped access. AI-generated outputs are accessible only to authenticated members of your organization.

5. Data Security

We implement technical and organizational measures to protect your data:

  • Encryption at rest: Sensitive data, including OAuth tokens and integration credentials, is encrypted using AES-256-GCM authenticated encryption. Encryption keys are derived separately from application data and are never stored in source code.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+.
  • Access controls: Role-based access controls (RBAC) ensure users access only the data relevant to their organization and permissions.
  • Security headers: Our platform enforces HSTS, Content Security Policy (CSP), X-Frame-Options, and other security headers to protect against common web vulnerabilities.
  • Rate limiting: API rate limiting protects against abuse and denial-of-service attacks.

6. Data Sharing & Third Parties

We do not sell your personal information or organizational data. We share data only in these limited circumstances:

  • AI processing provider: We use Anthropic's Claude API for AI analysis. Data sent for processing is governed by our data processing agreement with Anthropic and is not used for model training.
  • Infrastructure providers: Our platform is hosted on Railway (cloud infrastructure). Data is stored within their secure environment.
  • Legal requirements: We may disclose information if required by law, subpoena, or government request.

6.1 Sub-Processor List

The following sub-processors have access to Customer Data in the course of providing our Services:

| Sub-Processor | Purpose | Location |
|---|---|---|
| Anthropic (Claude API) | AI processing & analysis | United States |
| Railway | Application hosting & database | United States |

We will update this list and notify active customers at least 30 days before engaging a new sub-processor that handles Customer Data.

7. Data Retention & Deletion

We retain data according to the following schedule:

| Data Type | Retention Period | After Termination |
|---|---|---|
| Knowledge base data | Duration of account | Deleted within 30 days |
| Account information | Duration of account | Deleted within 90 days |
| OAuth tokens / credentials | While integration active | Deleted immediately on disconnect |
| Usage / analytics logs | 12 months rolling | Deleted within 30 days |
| Support tickets / emails | 24 months | Deleted within 90 days |

Upon account termination or deletion request, we will make your data available for export for 30 days before permanent deletion begins.

8. Data Portability & Export

You have the right to export your organizational data at any time. Gheist.io provides data export functionality so you can retrieve your knowledge base in standard formats. To request a complete data export, contact us at privacy@gheist.io.

9. Your Rights

Depending on your jurisdiction, you may have rights including: access to the personal data we hold about you; correction of inaccurate data; deletion of your data ("right to be forgotten"); restriction or objection to certain processing; data portability; and the right to withdraw consent where processing is based on consent.

To exercise any of these rights, contact us at privacy@gheist.io. We will respond within 30 days.

10. International Data Transfers

Our Services are primarily hosted in the United States. If you access our Services from outside the U.S., your data may be transferred to and processed in the U.S.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal mechanism for data transfers. These clauses are incorporated into our Data Processing Agreements. We also implement supplementary technical measures, including AES-256-GCM encryption at rest and TLS 1.2+ in transit, to protect transferred data.

To request a copy of our SCCs or Data Processing Agreement, contact legal@gheist.io.

11. Cookies & Tracking

We use essential cookies to maintain your session and authentication state. We do not use third-party advertising trackers. Analytics, if used, are privacy-focused and do not share data with advertising networks.

12. Children's Privacy

Gheist.io is a business-to-business service and is not directed to individuals under the age of 16. We do not knowingly collect personal information from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of the Services after changes are posted constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Gheist.io
Email: privacy@gheist.io
Miami, FL