
General Data Protection Regulation (GDPR)

GDPR Compliance Policy

Ghostpilot, Inc.

Effective Date: September 1, 2024
Last Updated: November 1, 2025

Ghostpilot, Inc. (“Ghostpilot,” “we,” “us,” or “our”) is committed to full compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) whenever we process personal data of individuals located in the European Economic Area (EEA) or the United Kingdom (UK).

This GDPR Policy supplements our Privacy Policy and applies only to personal data subject to GDPR. It does not create rights for individuals outside the EEA/UK.

1. Scope and Applicability

This policy applies when Ghostpilot acts as a Data Controller or Data Processor under GDPR:

| Role | Trigger |
|---|---|
| Controller | We determine purposes/means (e.g., marketing, account management, billing). |
| Processor | We process on behalf of customers (e.g., analyzing uploaded website data). |

2. Lawful Bases for Processing (Art. 6)

We process personal data only when we have a valid lawful basis:

| Purpose | Lawful Basis | Examples |
|---|---|---|
| Account creation & service delivery | Contract (Art. 6(1)(b)) | Username, email, SEO project data |
| Billing & subscriptions | Contract + Legal Obligation | Payment details, invoices |
| Marketing emails | Consent (Art. 6(1)(a)) | Newsletters (opt-in only) |
| Analytics & product improvement | Legitimate Interests (Art. 6(1)(f)) | Aggregated usage stats (LIA conducted) |
| Fraud prevention | Legitimate Interests | IP monitoring |
| Legal compliance | Legal Obligation (Art. 6(1)(c)) | Tax records, court orders |

Consent is granular, freely given, and withdrawable via privacy@ghostpilot.ai.

3. Data Subject Rights (Arts. 12–23)

Individuals in the EEA/UK have the following rights, free of charge:

| Right | Response Time | Process |
|---|---|---|
| Access (Art. 15) | 30 days | Export in CSV/JSON |
| Rectification (Art. 16) | Immediate | Dashboard or support ticket |
| Erasure (“Right to be Forgotten”) (Art. 17) | 30 days | Subject to retention obligations |
| Restriction (Art. 18) | Immediate | Flag account for limited processing |
| Portability (Art. 21) | 30 days | Structured, machine-readable format |
| Objection (Art. 21) | Immediate (marketing) / 30 days (other) | Stop processing unless compelling grounds |
| Automated Decisions (Art. 22) | N/A | No solely automated decisions with legal effect |

Submit requests to dpo@ghostpilot.ai with subject “GDPR Request – [Your Name]”.

We verify identity (e.g., email confirmation) before action.

4. Data Protection by Design & Default (Art. 25)

  • Minimization: Collect only what is necessary.
  • Pseudonymization: SEO analytics use project IDs, not names.
  • Default Settings: Strictest privacy (e.g., no marketing without opt-in).
  • Privacy Impact Assessments (DPIA): Conducted for high-risk features (e.g., AI training on user content).

5. International Data Transfers (Chapter V)

Ghostpilot is headquartered in the United States. Transfers outside the EEA/UK use:

| Mechanism | Details |
|---|---|
| Standard Contractual Clauses (SCCs) | 2021 EU Commission modules (Controller-to-Processor & Processor-to-Processor) |
| UK International Data Transfer Agreement (IDTA) | For UK flows |
| Supplementary Measures | Encryption, access controls, TIA (Transfer Impact Assessment) |

We do not rely on Privacy Shield (invalidated).

6. Data Processors & Sub-Processors (Art. 28)

All sub-processors are bound by GDPR-compliant Data Processing Agreements (DPAs).

Current Sub-Processors

| Sub-Processor | Service | Location | SCC/IDTA |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting | US (Oregon) | Yes |
| Stripe, Inc. | Payments | US | Yes |
| Google Workspace | Email & docs | US | Yes |
| Postmark (ActiveCampaign) | Transactional email | US | Yes |
| Sentry | Error tracking | US | Yes |

Full list: ghostpilot.ai/legal/subprocessors (updated quarterly).

Customers may subscribe to change notifications.

7. Data Breach Notification (Arts. 33–34)

  • Controller Breach: Notify relevant Supervisory Authority within 72 hours of awareness.
  • High-Risk Breach: Notify affected data subjects without undue delay.
  • Processor Breach: Notify customer (controller) immediately (max 48 hours).

All incidents logged in our Breach Register.

8. Data Protection Officer (DPO) (Art. 37)

Name: Sarah Chen
Email: dpo@ghostpilot.ai

The DPO is independent, reports to the CEO, and oversees GDPR compliance.

9. Records of Processing Activities (ROPA) (Art. 30)

We maintain internal records including:

  • Purposes, categories, recipients
  • Retention periods
  • Security measures
  • Cross-border transfers

Available to Supervisory Authorities on request.

10. Children’s Data (Art. 8)

We do not knowingly process data of individuals under 16. If discovered, we delete immediately.

11. Automated Decision-Making (Art. 22)

We do not use solely automated processing to make decisions with legal or significant effects (e.g., no AI hiring or credit scoring).

12. Accountability & Governance

  • Annual GDPR Training: Mandatory for all staff.
  • Policy Reviews: Quarterly by DPO.
  • Third-Party Audits: SOC 2 Type II + GDPR gap analysis (annual).
  • Board Oversight: Compliance report every 6 months.

13. Complaints

Lodge complaints with:

  1. Our DPO: dpo@ghostpilot.ai
  2. Supervisory Authority in your EEA country (list: edpb.europa.eu)
  3. UK ICO: ico.org.uk

We cooperate fully with all investigations.

14. Contact

Data Protection Officer
Ghostpilot, LLC
444 N Michigan Av, Chicago, Illinois, 60611, USA

Email: dpo@ghostpilot.ai
Secure Form: ghostpilot.net/gdpr-request

Approved by Kevin G Williams – Chief Executive Officer

Sarah Chen – Data Protection Officer


We don’t just comply with GDPR — we build trust through transparency. Ghostpilot: AI SEO, done right.

Copyright © 2026 Ghostpilot - All Rights Reserved.
