Privacy Policy

Last updated: April 14, 2026

1. Introduction

NoGhost ("we", "our") is committed to protecting the privacy of its users. This privacy policy explains how we collect, use, store, and protect your personal information when you use our application and services.

2. Data Collected

We collect the following data:
• Account information: email address, name, encrypted password
• Usage data: login logs, interactions with the application
• Prospect data: names, phone numbers, email addresses of prospects you import or sync via Google Calendar
• Messaging data: content of messages sent and received through our platform (WhatsApp, Email). Message content is automatically deleted after 30 days (see section 7).
• Calendar data: appointment information, Google Meet links, confirmation statuses
• Metadata: message delivery status, timestamps, channel used, appointment outcomes (showed/no-show/rescheduled/cancelled). This metadata is retained indefinitely for analytics purposes.

3. Use of Data

Your data is used to:
• Provide and improve our services
• Send automated messages to your prospects
• Generate performance analytics and statistics
• Ensure the security of your account
• Contact you regarding your account or our services

4. Google User Data

NoGhost accesses the following Google data with your explicit consent:
• Google Calendar (read and write): We read your calendar events to automatically import appointments as leads. We update event colors to reflect confirmation status (confirmed, rescheduled, cancelled). We never modify or delete your event content.
• Gmail — Send (gmail.send): We send emails from your Gmail account on your behalf when you configure messaging sequences with the email channel. Emails appear in your Sent folder as if sent manually. We never send emails without your explicit configuration.
• Gmail — Read (gmail.readonly): We read replies from your prospects to emails sent via NoGhost, so we can display them in the app and automatically detect confirmations or cancellations. We only access threads initiated by emails sent through NoGhost. We never read your other emails.

Storage and retention of Google data:
• Google access and refresh tokens are stored encrypted in our database, isolated per user via Row-Level Security.
• Imported calendar data (prospect name, date, time, Meet link) is stored as long as your account is active.
• Reply content from your prospects is stored temporarily for display in the app and is automatically deleted after 30 days, in accordance with our message retention policy. We only store replies to threads initiated by NoGhost, never the content of your other emails.

Revoking access: You can revoke NoGhost's access to your Google data at any time from:
• NoGhost Settings → Integrations → Disconnect
• Your Google Account: https://myaccount.google.com/permissions

Revoking access immediately stops calendar syncing and email sending.

5. Google API Services Limited Use Disclosure

NoGhost's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. Specifically:
• We only use Google data to provide the features described above (calendar sync, email sending, reading and displaying prospect replies).
• We do not transfer Google data to third parties unless necessary to provide the service, with your consent, or for legal obligations.
• We do not use Google data for advertising purposes.
• We do not allow humans to read your Google data unless you give explicit consent, for security purposes, to comply with applicable law, or for our internal operations when the data has been aggregated and anonymized.

6. Data Sharing

We never sell your personal data. We act as a data processor for your prospect data. We share your data only with:
• Supabase Inc. (database hosting, EU/US)
• Vercel Inc. (application hosting, US)
• Google LLC (calendar sync, email sending via Gmail API, reply detection via Gmail API, AI reply classification via Gemini API — only reply text is transmitted, no identifying data)
• Legal authorities if required by law

All our subprocessors are bound by confidentiality obligations and data processing agreements.

7. Data Retention

Retention policy by data type:
• Message content (sent and received): automatically and irreversibly deleted after 30 days. Only metadata is retained (status, timestamps, channel, recipient).
• Account and prospect data: retained as long as your account is active.
• Metadata and analytics: retained as long as your account is active for performance tracking (show rates, outcomes).
• Google tokens: deleted immediately when you disconnect the Google integration.
• After account deletion: all your personal data (prospects, messages, sequences, connections, API keys, Google tokens) is deleted within 30 days, except for data we are legally required to retain.

You can request immediate deletion of all your data by contacting us at contact@noghost.co or through your account settings.

8. Security

We implement appropriate technical and organizational security measures to protect your data:
• Encryption in transit (TLS/HTTPS on all connections)
• Encryption at rest (AES-256 on the database)
• Secure authentication with JWT tokens
• Per-user data isolation (Row-Level Security)
• Automatic deletion of message content after 30 days
• Encrypted passwords (never stored in plain text)
• API keys and secrets stored in an encrypted vault (Supabase Vault)
• Google tokens encrypted and isolated per user

9. Your Rights (GDPR)

Under the GDPR, you have the following rights:
• Right of access to your data
• Right of rectification
• Right to erasure ("right to be forgotten")
• Right to data portability
• Right to object to processing
• Right to withdraw consent

To exercise these rights, contact us at: contact@noghost.co

10. Cookies

We use essential cookies for the operation of the application (authentication, language preferences). We do not use advertising or third-party tracking cookies.

11. Contact

For any questions about this privacy policy: Email: contact@noghost.co