← Back to Home

Privacy Policy

Last updated: February 2026

1. Controller

The data controller within the meaning of Art. 4(7) GDPR is ghostkit UG, Germany. You can reach us at [email protected]. A data protection officer is not required under Sec. 38 BDSG as the company regularly employs fewer than 20 persons with data processing activities.

2. Data We Collect

Email addresses. When you sign up to access gated content (e.g. the Security Playbook), we collect and store your email address. This is voluntary and based on your explicit consent (Art. 6(1)(a) GDPR). We use a double opt-in process.

URL scan data. When you use our URL scanner, we store the submitted URL, its domain, and the scan results. Scans are associated with a hashed IP address for rate-limiting purposes. We do not link scan data to your identity.

Usage analytics. We use self-hosted analytics on our Hetzner infrastructure to collect anonymous, aggregated usage data (page views, events). This data contains no personally identifiable information and is processed entirely within Germany.

Server logs. Our hosting provider (Hetzner Online GmbH) and CDN provider (Cloudflare) may temporarily store standard server logs including IP addresses, browser type, and request timestamps. These are retained for operational and security purposes only (Art. 6(1)(f) GDPR).

3. Cookies & Tracking (Sec. 25 TTDSG)

ghostkit.net does not use tracking cookies or analytics cookies. We do not set first-party cookies for advertising or user profiling. Essential cookies may be set by our hosting infrastructure for operational purposes (e.g. load balancing). Technically necessary cookies are exempt from the consent requirement under Sec. 25(2) No. 2 TTDSG. Cloudflare may set technically necessary cookies (e.g. __cf_bm) for bot management and security purposes. These are exempt from the consent requirement under Sec. 25(2) No. 2 TTDSG as they are strictly necessary for the service.

4. Purpose and Legal Basis

  • Email collection: To deliver gated content and occasional product updates. Legal basis: your consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time.
  • Scan data: To provide the URL scanning service and display results. Legal basis: performance of a service you requested (Art. 6(1)(b) GDPR).
  • Analytics: To understand how the site is used and improve our services. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
  • Rate limiting: To prevent abuse of the scanning service. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

5. Data Sharing

We do not sell or rent your personal data. We share data only with the following processors, which are bound by data processing agreements:

  • Hetzner Online GmbH (hosting, database, and analytics), Germany. Data is processed exclusively within the EU.
  • Cloudflare Inc. (CDN, DDoS protection, and DNS), USA, certified under the EU-US Data Privacy Framework (Art. 45 GDPR).
  • 1&1 IONOS SE (Germany), email forwarding and processing. IONOS processes data exclusively within the EU.

We may also disclose data if required by law or a binding court order.

6. Data Retention

  • Email addresses: Retained until you request deletion or withdraw consent.
  • Consent proof (email signups): Timestamp, IP address, and consent text are retained for 3 years to comply with the statutory limitation period (Sec. 195, 199 BGB).
  • Scan results: Retained indefinitely to allow permalink access. Public scan results are visible to anyone with the link.
  • Server logs: Automatically deleted after 30 days by our hosting provider.

After expiry of retention periods, data is deleted or anonymized.

7. Your Rights (GDPR Art. 15-22)

You have the right to:

  • Right of access (Art. 15) - obtain confirmation of whether your data is processed and receive a copy.
  • Right to rectification (Art. 16) - correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) - request deletion of your data under the conditions specified by law.
  • Right to restriction (Art. 18) - restrict the processing of your data in certain cases.
  • Right to data portability (Art. 20) - receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) - object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) - withdraw any consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right not to be subject to automated decision-making (Art. 22) - we do not use automated decision-making or profiling that produces legal effects.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

8. Data Security (Art. 32 GDPR)

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. All data transmitted between your browser and our servers is encrypted using SSL/TLS (HTTPS). Access to personal data is restricted to authorized personnel on a need-to-know basis. Our processors (Hetzner, Cloudflare, IONOS) maintain their own security certifications and measures.

9. Minors

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16.

10. External Links

Our website contains links to external third-party websites over whose content and privacy practices we have no influence. We expressly distance ourselves from all data processing activities on linked pages. At the time of linking, no privacy violations were apparent. A permanent review of external privacy practices is not reasonable without concrete evidence of a violation. Upon becoming aware of privacy violations, we will remove such links immediately. We encourage you to review the privacy policies of any third-party site you visit. We are not responsible for the data protection practices, data security, or content of external websites.

11. Right to Object (Art. 21 GDPR)

Where we process your personal data on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object at any time for reasons relating to your particular situation. This applies to processing for analytics, server log analysis, and rate limiting. If you object, we will no longer process your data for those purposes unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims. To object, email [email protected].

12. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR. You may contact any EU supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). A list of all German data protection authorities is available at www.bfdi.bund.de.

13. Changes to This Policy

We reserve the right to update this privacy policy to reflect changes in our data processing activities or legal requirements. The current version is always available on this page. Material changes will be indicated by updating the date at the top of this policy.

14. Contact

ghostkit UG, Germany
Email: [email protected]

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description