Privacy Policy
Last Updated: June 13, 2026
At Ghostal, we take your privacy and the security of your creative property seriously. This Privacy Policy describes how we collect, use, and process your personal data and social credentials when you use our services. By using Ghostal, you agree to the practices described in this policy.
1. Information We Collect
We collect information to provide a stable, autonomous continuity system for your accounts:
- Account Credentials: Email address, display name, and hashed password for your Ghostal account.
- Instagram Data (via Meta OAuth): When you connect your Instagram account, we access and store:
- Your Instagram username and display name
- Your Instagram user ID (app-scoped identifier assigned by Meta)
- Your Instagram media count (number of posts)
- Your Instagram follower count (fetched at connection time)
- An encrypted access token to publish content and read profile data on your behalf
- Media and Captions: Images, videos, and captions you upload to your Content Vault or include in your publishing schedule.
- Usage Vitals: Login frequency, scheduling patterns, and interaction metrics used by our inactivity detection engine.
- Automatically Collected Data: IP addresses, browser type, and standard server log information for security and debugging purposes.
2. How We Use Your Data
We process your data strictly to maintain your creator continuity:
- To publish scheduled posts and automated survival queue posts to your connected Instagram account on your behalf.
- To detect posting inactivity and trigger Ghost Mode survival queues.
- To run AI caption remixing algorithms on your historical post data.
- To provide analytics on your posting consistency and queue health.
- To provide support and prevent unauthorized access or API rate breaches.
- To send transactional emails (e.g., queue warnings, account alerts) when you have opted in.
We do not use your Instagram data to train third-party AI models, sell to advertisers, or share with any third party except as described in Section 4.
3. Instagram / Meta Platform Data
Ghostal uses the Instagram Graph API (provided by Meta Platforms, Inc.) to connect and publish to your Instagram account. By connecting your Instagram account, you authorize Ghostal to:
- Read your Instagram profile information including username, user ID, media count, and follower count (
instagram_business_basicpermission). - Publish photos, videos, and reels to your Instagram feed on your behalf (
instagram_business_content_publishpermission).
We do not request or use any permissions beyond the two listed above. We do not access your Instagram password, private messages, or any data not explicitly listed here. Your access token is encrypted at rest using AES-256-GCM and is never shared with third parties.
This application is built in compliance with the Meta Platform Terms and Meta Developer Policies.
4. Token Security and Revocation
Your Instagram access tokens are:
- Encrypted at rest using AES-256-GCM before being stored in our database.
- Transmitted securely using Transport Layer Security (TLS 1.2+).
- Never logged, displayed in plaintext, or shared with any third party.
- Instagram long-lived tokens are valid for 60 days from issuance. You will need to reconnect your account when a token expires.
To revoke access at any time, you can:
- Go to Settings → Instagram in your Ghostal dashboard and click Disconnect Instagram. This immediately deletes your stored token.
- Alternatively, go to your Facebook Account Settings → Business Integrations, find Ghostal, and click Remove. This revokes the token at Meta's level and triggers our automated data deletion callback.
Upon token revocation, Ghostal will no longer be able to publish to your account. Any scheduled posts in the queue will be cancelled.
5. Data Sharing and Retention
We do not sell, rent, or trade your creative media or personal information. We work with the following categories of third-party processors:
- Supabase — our database and authentication provider (data stored in EU/US regions).
- Vercel — our hosting provider. Server logs may be retained for up to 30 days.
- Meta Platforms, Inc. — the Instagram Graph API provider used to publish your content.
Retention: Your data is retained for as long as your account is active. Upon account deletion, all personal data, Instagram tokens, vault items, scheduled posts, and activity logs are permanently purged immediately. For deletion requests submitted via email, processing is completed within 30 daysof identity verification. When deletion is triggered automatically via Meta's data deletion callback (e.g., revoking app access from Facebook Settings), your data is purged immediately.
6. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process your personal data on the following legal bases:
- Contract Performance: Processing your data is necessary to deliver the scheduling, autopilot, and publishing services you subscribed to.
- Consent: When you connect your Instagram account via OAuth, you explicitly consent to Ghostal accessing and publishing to it on your behalf.
- Legitimate Interests: We process server log data to maintain security, prevent fraud, and debug service issues.
- Legal Obligation: We may retain certain data where required by applicable law (e.g., billing records for tax compliance).
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Correct inaccurate or incomplete personal data.
- Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data. You can do this directly from Settings → Profile → Delete Account, or by emailing us.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing of your data for certain purposes.
- Right to Withdraw Consent: Disconnect your Instagram account at any time to withdraw consent for OAuth-based processing.
To exercise any of these rights, contact us at support@ghostal.xyz. We will respond within 30 days.
8. Cookies
We use strictly necessary session cookies to keep you logged in to Ghostal. We do not use advertising cookies or third-party tracking pixels. You can view our full Cookie Policy here.
9. Children's Privacy
Ghostal is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date at the top. For material changes, we will notify you by email or via an in-app banner.
11. Contact Us
If you have any questions, data removal requests, or concerns regarding this policy, contact our privacy team:
support@ghostal.xyzFor data deletion requests specifically, visit our Data Deletion Instructions page.