Privacy Policy

Last updated: February 12, 2025

These documents apply to clients residing in France. For other countries, please contact us.

CRUSH DIGITAL ATELIER LLC (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy of GhostBro users (“you,” “your”).

This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use the GhostBro service.

1. Information We Collect

1.1 Account and Billing Information

When you sign up for GhostBro, we collect: identity (full name, company name), contact (email, phone if voluntarily provided), billing information. Credit card numbers are never stored on our servers — all payment data is processed by Stripe (PCI-DSS Level 1 certified).

1.2 Service Usage Data

We process: conversations and interactions with your AI agent, files you share, configuration and customizations, task outputs, and logs. Your data is completely isolated on a dedicated server. Never shared between customers.

1.3 Technical Data

We automatically collect: IP addresses, browser type, device type, session data, server logs, performance data.

1.4 API Keys and Credentials

API keys are stored encrypted (AES-256) on your dedicated server. You own and control these credentials at all times.

1.5 Cookies

We use minimal, strictly necessary cookies only: session, authentication, preferences. We do NOT use: Google Analytics, advertising cookies, marketing pixels, tracking cookies, or social media plugins. Stripe may set its own cookies during payment processing.

2. How We Use Your Information

2.1 Service Delivery (Legal Basis: Performance of contract — Art. 6(1)(b) GDPR)

We use your data to create and manage your account, deploy and maintain your AI agent, process payments, and provide support.

2.2 Service Improvement (Legal Basis: Legitimate interest — Art. 6(1)(f) GDPR)

We may use aggregated, anonymized data to improve service performance and develop new features. We do not use your individual conversations or personal data for AI model training. Ever.

2.3 Security and Fraud Prevention (Legal Basis: Legitimate interest — Art. 6(1)(f) GDPR)

We use data to detect fraud, protect against security threats, and monitor for abuse.

2.4 Legal Compliance (Legal Basis: Legal obligation — Art. 6(1)(c) GDPR)

We retain certain records for tax, accounting, and legal requirements.

2.5 Marketing Communications (Legal Basis: Consent — Art. 6(1)(a) GDPR)

Only with your explicit opt-in consent. You can unsubscribe at any time.

3. Data Retention

3.1 Active Subscription

All data retained while subscription is active.

3.2 After Cancellation

30-day grace period, then permanent deletion. Within 90 days: purged from backups.

3.3 Billing Records

Retained for up to 10 years (U.S. federal tax regulations).

3.4 Security Logs

Retained for up to 2 years.

3.5 Early Deletion

Available on request. Contact: eric@crushhh.co. Processed within 30 days.

4. Data Sharing and Disclosure

WE NEVER SELL, RENT, OR TRADE YOUR PERSONAL DATA.

4.1 Internal Access

Only authorized personnel with documented business need. Access is logged and audited.

4.2 Service Providers (Sub-Processors)

• Hetzner: Dedicated server infrastructure (Germany, EU)
• Stripe: Payment processing (Ireland EU / USA)
• ElevenLabs: Voice processing if enabled (USA)
• Vercel: Website hosting (USA)

All bound by data processing agreements.

4.3 AI Model Providers

Prompts sent to AI providers via API. We opt out of data training where available. Contractual agreements ensure your data is not used for model training.

4.4 Legal Requirements

We may disclose data if required by valid legal process. We will notify you unless prohibited by law.

4.5 Business Transfers

Your data may transfer in mergers/acquisitions. You will be notified 30 days in advance.

4.6 With Your Consent

We may share data for other purposes only with your explicit consent.

5. Data Security

5.1 Technical Safeguards

• Encryption in transit: TLS 1.2+ / SSL
• Encryption at rest: AES-256
• Infrastructure isolation: Dedicated servers per customer
• Authentication: Secure password hashing
• Firewalls: Multi-layer protection
• Backups: Automated, encrypted, geographically redundant
• Monitoring: 24/7 automated security monitoring
• Patch management: Regular security updates

5.2 Breach Notification

In the event of a data breach: affected individuals notified within 72 hours, relevant authorities notified as required by law, investigation and remediation steps taken.

6. International Data Transfers

6.1 Where Your Data Is Processed

Primary infrastructure: Germany (EU) via Hetzner. Some processing in USA via Stripe, Vercel, AI model providers.

6.2 Transfer Safeguards

For transfers outside the EEA: Standard Contractual Clauses (SCCs), Data Processing Agreements, adequacy decisions where available.

7. Your Rights

7.1 GDPR Rights (EU/EEA Residents)

• Right of access
• Right to rectification
• Right to erasure (“right to be forgotten”)
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right regarding automated decision-making

7.2 CCPA/CPRA Rights (California Residents)

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale (we do not sell your data)
• Right to non-discrimination
• Right to correct inaccurate information
• Right to limit use of sensitive personal information

7.3 PIPEDA Rights (Canadian Residents)

Access, correction, withdrawal of consent.

7.4 Exercising Your Rights

Contact: eric@crushhh.co. We respond within 30 days.

7.5 Complaints

• EU: Contact your national data protection authority. France: CNIL — www.cnil.fr
• USA: FTC — www.ftc.gov
• Canada: Office of the Privacy Commissioner — www.priv.gc.ca

8. Children's Privacy

GhostBro is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children.

9. AI Processing and Automated Decision-Making

Your AI agent uses large language models (OpenAI, Anthropic) via API. No automated decisions with legal or significant effects are made without human oversight.

YOUR DATA IS NOT USED TO TRAIN AI MODELS.

10. Third-Party Data Processing

If you process personal data of third parties using GhostBro: you are the Data Controller (GDPR) / Business (CCPA), we are the Data Processor / Service Provider. A DPA is available upon request.

11. Do Not Track Signals

We do not track users across third-party websites. We honor Do Not Track signals.

12. Changes to This Policy

We may update this Privacy Policy. Material changes: 30 days' email notice. Non-material changes: effective upon posting.

13. Contact

Email: eric@crushhh.co

CRUSH DIGITAL ATELIER LLC, 30 N Gould St Ste N, Sheridan, WY 82801, United States.

Contact: Eric Berg. Response within 30 days.