Privacy Policy
1. Introduction
This Privacy Policy explains how GhostLabs, operated by GhostLabs Pte. Ltd., 53 Chulia Street, #07-01, Singapore 049711 (“GhostLabs,” “we,” “us”), collects, uses, shares, and protects personal information when you access or use the Service described in our Terms of Service (the “Service”).
If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, the GDPR (and UK GDPR) applies to our processing. If you are a resident of California, Colorado, Connecticut, Virginia, or certain other US states, the relevant state privacy law applies. If you are a resident of Singapore, the Personal Data Protection Act 2012 applies. Specific rights under those laws are summarised in Section 8.
By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, do not use the Service.
2. Information we collect
2.1 Information you provide directly
Account information. When you sign up for an account or purchase a scan, we collect your email address. We do not currently require a password; authentication is via a magic link sent to that email.
Payment information. When you pay for a scan or a monitoring subscription, our payment processor (Stripe, Inc.) collects your payment details. GhostLabs does not store your full card number or CVV. We store a transaction ID, the last four digits of the payment instrument, the billing country, and the amount paid. For cryptocurrency payments, we store the blockchain network, the sending wallet address, the amount paid, and the transaction hash.
Partner registration information. If you register as a partner in our referral program, we collect your display name or handle, your preferred payout wallet addresses (which may be on Ethereum, Base, Solana, or other supported networks), your email address, optionally a Telegram or X handle for communication, and any other information you voluntarily provide in the registration form. You may also be asked to complete identity verification (KYC) via a third-party provider before payouts above a threshold amount can be disbursed.
Content you submit. When you submit a contract for analysis, we collect the contract address, the chain, the source code (either fetched from the relevant block explorer or uploaded by you), and any metadata you provide with your submission (e.g., description, notes).
Communications. When you contact us through support email, forms, or social channels, we collect the content of your message and any information you voluntarily include.
2.2 Information collected automatically
Usage data. We collect information about how you use the Service, including pages visited, features used, scan identifiers, timestamps, and interactions with the Telegram bot or browser extension.
Device and network data. We collect your IP address, browser type and version, operating system, device type, referring URL, and similar technical information. IP addresses are used for security, fraud prevention, rate limiting, and approximate geolocation.
Cookies and similar technologies. See Section 5 below.
2.3 Information we receive from third parties
Block explorers. When you submit a contract address for analysis, we query block-explorer APIs (Etherscan, Basescan, BSCScan, and equivalents on other supported chains) to retrieve verified source code. These APIs may log our request and associate it with our IP.
Payment processors. Stripe provides us with payment outcome, risk signals, dispute status, and limited billing information.
Sanctions screening. For partner payouts, we use Chainalysis (or a comparable provider) to screen destination wallet addresses against OFAC and other sanctions lists.
Analytics providers. If used, analytics providers (e.g., PostHog, Plausible, or equivalent) provide aggregated data about Service usage. We prefer providers that do not set third-party cookies.
3. How we use information
We use personal information for the following purposes:
To provide the Service. Delivering scan results, generating and hosting report PDFs, sending transactional email, authenticating your account, processing payments, retrieving source code from third-party explorers, running analysis models, maintaining your monitoring subscriptions, and calculating referral attribution and partner payouts.
To secure the Service. Detecting and preventing fraud, abuse, self-referral, rate-limit evasion, account takeover, and other security threats. Maintaining audit logs of administrative actions.
To improve the Service. Analysing aggregated usage to identify feature opportunities, quality issues, and model performance. Training or fine-tuning our analysis models using anonymized and aggregated scan data (never using a single customer’s submissions to produce a model available to other customers in a way that reveals that first customer’s content).
To communicate with you. Sending transactional emails (receipts, scan delivery, subscription notices, security alerts). Sending marketing emails only if you have opted in, and providing an unsubscribe link in every marketing email.
To comply with law and enforce our rights. Responding to valid legal process, enforcing our Terms of Service, protecting our users and third parties, and defending against legal claims.
For sanctions and anti-money-laundering compliance. Screening partner payout wallets against applicable sanctions lists. Declining payouts to any wallet on a sanctions list and reporting where required by law.
4. How we share information
We share personal information only as described below.
Service providers (“processors”). We share information with the third-party vendors who help us operate the Service. The current list is:
| Vendor | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Payment processing | Payment details, billing country, email, transaction amount |
| Twilio SendGrid | Transactional email delivery | Email address, email content |
| Anthropic, PBC | AI analysis | Smart contract source code (without customer identifiers), scan metadata |
| Fly.io | Hosting, database, file storage | All data processed by the Service |
| Etherscan and equivalent block-explorer APIs | Source code retrieval | Contract addresses (no customer identifiers) |
| Chainalysis (or equivalent) | Sanctions screening on partner payouts | Destination wallet addresses |
Each vendor is bound by written data protection terms requiring them to process personal information only as permitted.
Business transfers. If GhostLabs is involved in a merger, acquisition, reorganisation, sale of assets, or bankruptcy, personal information may be transferred as part of that transaction. The recipient will be subject to a privacy policy at least as protective as this one.
Legal process and safety. We may disclose personal information if we reasonably believe disclosure is required to comply with a valid legal process (including court orders, subpoenas, or government requests), to enforce our Terms of Service, to protect the security or integrity of the Service, or to protect the rights, property, or safety of GhostLabs, our users, or any third party.
With your consent. We may share personal information for any other purpose disclosed at the time of collection, with your consent.
We do not sell personal information. GhostLabs does not sell personal information as that term is defined under the CCPA, CPRA, or equivalent laws. We do not engage in “sharing” of personal information for cross-context behavioural advertising.
5. Cookies and tracking
We use a minimum set of cookies and similar technologies. The categories are:
Strictly necessary cookies. Session identifiers required to keep you signed in and to provide the Service. These cannot be disabled without breaking the Service.
Analytics cookies (if used). Pseudonymized usage analytics. Opt-in for residents of the EEA, UK, and Switzerland. Opt-out available in the cookie banner.
No advertising cookies. We do not use third-party advertising cookies, tracking pixels, or fingerprinting.
You can configure your browser to refuse cookies or to alert you when cookies are being sent. If you refuse strictly necessary cookies, parts of the Service may not function.
6. International transfers
GhostLabs is based in Singapore. Data you provide may be transferred to, stored in, and processed in other countries, including the United States (where Stripe, Anthropic, and SendGrid are located) and the European Union (where Fly.io operates data centres). We rely on appropriate transfer mechanisms as required by law, including Standard Contractual Clauses adopted by the European Commission and the UK International Data Transfer Addendum.
7. How long we keep information
We retain personal information for as long as necessary to provide the Service and for legitimate business purposes, including:
Account information and scan history. Retained while your account is active and for a reasonable period afterwards for record-keeping.
Payment and transaction records. Retained for at least seven (7) years after the transaction date, or longer where required by tax, accounting, or anti-money-laundering law.
Generated reports (PDFs and HTML). Retained for a minimum of ninety (90) days from generation. You may request deletion before then, subject to legal retention requirements.
Security and audit logs. Retained for at least twelve (12) months.
Support communications. Retained for at least twenty-four (24) months.
When we no longer need personal information for the purposes described here, we delete or anonymise it, subject to legal retention requirements.
8. Your rights
8.1 Rights under the GDPR and UK GDPR
If you are in the EEA or UK, you have the right to: access your personal information; correct inaccurate personal information; request erasure (“right to be forgotten”); restrict processing; data portability (receive your information in a machine-readable format); object to processing (including for direct marketing); and withdraw consent where we rely on consent.
You may also lodge a complaint with a supervisory authority.
8.2 Rights under US state privacy laws (CCPA/CPRA and equivalents)
If you are a California, Colorado, Connecticut, Virginia, or other relevant US state resident, you have the right to: know what personal information we collect and how we use it; request deletion; correct inaccurate personal information; opt out of sale or sharing (note: we do not sell or share as defined under these laws); and not receive discriminatory treatment for exercising your rights.
8.3 Rights under Singapore PDPA
If you are a Singapore resident, you have the right to access your personal information, to correct errors, to withdraw consent where we rely on consent, and to lodge a complaint with the Personal Data Protection Commission.
8.4 How to exercise your rights
Email admin@ghostlabs.asia with a description of your request and enough information to let us verify your identity (we will only request what is necessary). We will respond within thirty (30) days, or sooner if required by applicable law. If your request is denied, you will be told why. There is no fee for reasonable requests.
9. Security
We take reasonable and appropriate measures to protect personal information, including:
- TLS (HTTPS) for all traffic between your browser and the Service
- Encryption at rest for database contents and generated reports
- HMAC-signed URLs with expiry for download links to generated reports
- Rate limiting, monitoring, and anomaly detection on public endpoints
- Principle-of-least-privilege access controls for internal systems
- Append-only audit logging of administrative actions
- Regular backups and documented disaster-recovery plans
No security control is perfect. We encourage you to use a strong, unique email account, to enable two-factor authentication on your email, and to be vigilant about phishing. Report suspected security issues to admin@ghostlabs.asia.
10. Children’s information
The Service is not directed to children under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have collected personal information from a child under 18, contact us and we will delete it.
11. Third-party links
The Service may contain links to third-party websites, tools, or services. This Privacy Policy does not apply to those third parties. We recommend reviewing the privacy policies of any third party before providing information to it.
12. Changes to this Policy
We may update this Privacy Policy. Material changes will be notified to you by email or by a prominent notice on the Service at least thirty (30) days before the change takes effect. The “Last updated” date at the top of this Policy reflects the most recent revision.
13. Contact
Questions or requests relating to this Privacy Policy should be sent to admin@ghostlabs.asia.
End of Privacy Policy.