Privacy Policy
Last Updated: March 18, 2026
1. Introduction
GhostCost ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AWS cost optimization platform. By using GhostCost, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
We collect information that you provide directly to us and information automatically collected when you use our service:
- Account Information: Email address, name, and company name when you register
- AWS Metadata: Resource identifiers, configurations, and cost data from your AWS account
- Usage Data: Information about how you interact with our platform, including pages visited and features used
- Technical Data: IP address, browser type, device information, and operating system
3. Third-Party Services
GhostCost integrates with the following third-party services to provide our platform:
- AWS Pricing API: Used to retrieve current AWS pricing information for cost calculations
- Stripe: Payment processing for Pro and Team subscriptions (Stripe handles all payment card data)
- Resend: Email delivery service for notifications, alerts, and account communications
Each third-party service has its own privacy policy governing the use of your information. We encourage you to review their policies.
4. Data Security
We implement industry-standard security measures to protect your information:
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256
- HashiCorp Vault: All secrets, API keys, and sensitive credentials are managed through HashiCorp Vault
- Access Controls: Role-based access control (RBAC) limits data access to authorized personnel only
- Audit Logging: All system access and data operations are logged for security monitoring
5. Read-Only AWS Access
GhostCost only requests READ-ONLY IAM access via ExternalId to AWS accounts and NEVER mutates cloud infrastructure.
Our IAM policy is strictly limited to read permissions for cost and resource metadata. We use AWS STS AssumeRole with ExternalId validation for secure, temporary access. We cannot and will not create, modify, or delete any resources in your AWS account. All API calls are logged in your AWS CloudTrail for full transparency.
6. GDPR Rights (European Users)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Data Portability: Request transfer of your data to another service provider
- Right to Object: Object to processing of your personal data for specific purposes
- Right to Restrict Processing: Request limitation of how we process your data
To exercise any of these rights, please contact us at hi@ghostcost.com. We will respond within 30 days.
7. CCPA Rights (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the sale of your personal information (note: we do not sell personal information)
- Right to Non-Discrimination: Exercise your privacy rights without discriminatory treatment
To exercise any of these rights, please contact us at hi@ghostcost.com. We will respond within 45 days.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you services. If you close your account, we will delete your personal data within 90 days, except where we are required to retain it for legal, regulatory, or security purposes.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.
10. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: hi@ghostcost.com