👻

Ghostwritr Privacy Policy

Last updated: July 11, 2026

What Ghostwritr does

Ghostwritr lets teammates (Ghostwriters) draft emails that an executive (a Sender) reviews and sends from their own Gmail account. This policy explains what we collect, why, and how long we keep it.

Data we collect

Account data: your name, work email address, organization, and role — used to run your workspace and route notifications.

Request content: the briefs, AI drafts, and final email text of each request, held only while the request is active (see Retention).

Style characteristics:to draft in a Sender's voice we store structured writing traits — tone scores, greeting and sign-off patterns, short habitual phrases. We never store the text of sent emails in the style profile.

Usage metadata: request statuses, timestamps, and operational counters (for example drafts generated per day). Application logs carry identifiers and error codes — never email content.

Google user data

With a Sender's explicit consent we request one Gmail permission: send email on your behalf(gmail.send). We cannot read, modify, or delete your mail, and every email is sent only when the Sender personally clicks Send. OAuth refresh tokens are encrypted at rest with AES-256-GCM and are never shared, sold, logged, or returned by any API. Ghostwritr's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements: Google data is used solely to provide the sending feature, never for advertising, and never transferred except as needed to provide the service or comply with law.

AI processing

Draft generation and style analysis are performed by Anthropic's Claude API. Request briefs and, at send time, the final email text are processed in memory to produce a draft or extract style characteristics; we do not use your content to train models, and the extracted characteristics are the only output that persists.

Retention

Email text (briefs, drafts, final bodies, decline notes) is permanently deleted by an automated job 7 days after a request completes. Request metadata (recipients, subjects, statuses, timestamps) is retained for your dashboard history. Deleting a user or organization removes the associated account data.

Third-party processors

Vercel (hosting), Neon (database), Anthropic (AI drafting), Stripe (billing — we never see full card numbers), Resend (notification email), and Slack (optional notifications, only after your admin installs the app). Each receives only what its function requires.

Security

All traffic is encrypted in transit. OAuth and bot tokens are encrypted at rest. Every Gmail add-on request is verified against Google-signed identity tokens, webhook payloads are signature-verified, and invite tokens are stored hashed.

Your choices

Revoke Ghostwritr's Google access at any time at myaccount.google.com/connections — sending stops immediately. For data questions, export, or deletion, contact privacy@ghostwritr.xyz. We'll update this policy as the product evolves and note the date above.