Privacy

The short version: we don't sell your data.

Ghostleads is a tool, not an ad network. We collect the minimum we need to run your account, deliver your exports, and keep the platform secure. This page tells you exactly what.

Last updated: May 25, 2026

TL;DR
  • · We collect what's needed to run your account: email, name, phone, country, payment events.
  • · We log your signup + last-seen IP for fraud and abuse prevention.
  • · We use Supabase (auth + database), Stripe (payments), Resend (email), and a few data providers (Apollo, MillionsVerifier, LeadMagic) to deliver the product.
  • · We don't sell your data. We don't run ads. We don't share with marketers.
  • · You can request a full account + data deletion any time by emailing support@ghostleads.co.

1. What we collect

The data we actively collect about you, the customer:

  • Account basics: email address, first + last name, phone number, country (collected at signup / onboarding).
  • Auth telemetry: the IP address and user-agent of your signup and most recent login. Used for fraud detection and audit.
  • Activity: the jobs you run, the Apollo URLs you paste, the credits you spend, the CSV files you download. We need this to run the product and to bill correctly.
  • Payment events: what package you bought, when, for how much. Card numbers themselves never touch our servers — Stripe handles those.
  • Communication history: emails between you and our support inbox.

What we don't collect:

  • We don't track you across the web. No third-party advertising pixels.
  • We don't sell or transmit your contact list to anyone else.
  • We don't read your CSV exports for any purpose other than delivering them and serving you (and the multi-tenant cache that benefits all users — see Section 4).

2. What we do with it

  • Run your account. Authenticate logins, gate signup against disposable inboxes, send transactional email (job-ready notifications, billing receipts).
  • Process payments. Stripe handles the actual card transaction. We see only the outcome (paid / failed) and the metadata (package, amount, date).
  • Deliver exports. Your Apollo URL is sent to our scraper. Names + LinkedIn URLs we extract are matched against an email-finding pipeline (LeadMagic, MillionsVerifier).
  • Fraud and abuse prevention. Signup IP + email-verification gates exist to block disposable / dead-inbox abuse. We log auth events for security audits.
  • Improve the product. Aggregate, anonymized usage patterns (which features get used, where pipelines fail) inform what we build next. Never tied back to identifiable individuals in any way that gets shared externally.

3. Who we share it with

We share data only with vendors that help us deliver the product. Each is bound by their own privacy policy and contractual terms.

  • Supabase — authentication, database, file storage (your CSVs).
  • Stripe — payment processing.
  • Resend — transactional email delivery (job-ready, signup verification, support replies).
  • Apollo — the data source for your exports.
  • MillionsVerifier / LeadMagic — email verification and finder providers.
  • Hosting + monitoring providers (Vercel, Cloudflare) — infrastructure.

We do not sell, rent, license, or otherwise commercially share your personal data with any party not listed above.

4. About the contact data in your exports

When you run an Apollo export, the rows you receive contain personal data about third parties (the prospects). A few things to know:

  • That data is sourced from Apollo. Their TOS and privacy policy govern its collection. You agree, by using Ghostleads, to use the data in compliance with applicable laws (GDPR, CAN-SPAM, the Indian DPDP Act, etc).
  • We maintain a shared cache of previously-enriched contacts to keep prices low across all customers. A row that was enriched for one customer may be served from cache to another. The cache does not tie contacts back to which customer originally pulled them.
  • If a prospect contacts us asking to be removed from our cache, we'll honor it within 30 days.

5. Cookies

We use cookies for one thing: keeping you signed in. Specifically the session cookies set by Supabase Auth. We don't run third-party tracking cookies, advertising pixels, or analytics fingerprints.

6. Your rights

Depending on where you live, you have the right to:

  • Access the personal data we hold on you. Email us and we'll send a structured export.
  • Correct inaccuracies. Most fields are editable on your onboarding or account settings — for the rest, email support.
  • Delete your account and all associated data. Email support@ghostleads.co from your signup address with the subject "Delete my data". We'll process within 7 days.
  • Object to specific processing, or withdraw consent. We'll work with you on case-by-case basis.

These rights apply regardless of jurisdiction. We don't make EU users jump through hoops US users don't have to.

7. Data retention

We hold your account and activity data for as long as your account is active, plus 90 days after deletion for audit and abuse-prevention purposes. Beyond that, financial records are retained for the period required by Indian tax law (currently 8 years from the financial year of the transaction).

8. Security

We use industry-standard TLS for all data in transit, encryption at rest for sensitive fields, and least-privilege access for our team. That said: no system is unbreakable. If we ever experience a breach affecting your data, we'll notify you by email within 72 hours of confirmation.

9. Changes to this policy

We'll update this page when our practices change. Material updates trigger an email notification to active accounts. The "Last updated" date at the top of this page always reflects the most recent version.

10. Contact

Questions, requests, complaints, or anything privacy-related: email support@ghostleads.co. For founder-level escalations, use tirth@ghostleads.co.

Want a copy of your data — or to delete it?

One email gets it done. We don't make this hard.

Email supportSupport center