GHOSTVIBER PRIVACY POLICY

  • Version: 1.1
  • Effective date: 26 May 2026

1. General provisions

  1. This Privacy Policy sets out the rules for the processing of personal data in connection with the use of the Ghostviber service, which includes the ghostviber.com website, the app.ghostviber.com web application, the user account, the creative editor, AI tools, subscription plans, AI credits, payments, and related digital services.
  2. This Privacy Policy is for information purposes only. It does not replace the terms and conditions for the provision of services by electronic means, does not set out the rules of contractual liability, and does not govern rights to user content or generated content, except where this directly concerns the processing of personal data.
  3. Personal data is processed in accordance with the GDPR, the Polish Personal Data Protection Act, the Act on the Provision of Services by Electronic Means, the law on electronic communications, and other applicable legal provisions.
  4. This Privacy Policy may be made available in different language versions solely for the convenience of users. In the event of any interpretive discrepancies or differences between the language versions, the Polish language version shall prevail.

2. Data controller

  1. The controller of personal data is Unbelievable Software spółka z ograniczoną odpowiedzialnością, with its registered office in Warsaw, ul. Złota 75A/7, 00-819 Warsaw, entered in the register of entrepreneurs of the National Court Register under KRS number: 0001003333, NIP: 5273029264, REGON: 523721743, share capital: PLN 5,000.00.
  2. The controller may be contacted:
    1. by email at: [email protected];
    2. in writing at the controller's registered office address;
    3. in matters concerning the account, payments, or technical support, at the contact addresses indicated in the service.
  3. The controller has not appointed a data protection officer.

3. Scope of the Policy

  1. This Policy applies to personal data processed in connection with the use of:
    1. the Ghostviber website;
    2. the Ghostviber web application;
    3. the user account;
    4. the creative editor;
    5. projects, texts, prompts, and other content entered by the user;
    6. AI functions, including the generation, analysis, and personalization of content;
    7. the user's style profile;
    8. paid plans, subscriptions, AI credits, and payments;
    9. contact forms, communication with support, and email messages;
    10. cookies, local storage, telemetry, analytics, and security tools.
  2. The Policy does not apply to third-party websites, applications, or services to which the user may be redirected from the service, if they are not controlled by the controller.

4. Minimum user age

  1. The service is intended for persons who are at least 16 years of age.
  2. The controller does not intend to knowingly collect personal data of children under 16 years of age.
  3. If the controller obtains credible information that an account has been created by a person under 16 years of age or that such a person has provided personal data without the required consent, the controller may delete the account and the related data, subject to legal obligations and the retention rules described in this Policy.

5. Categories of processed data

  1. The controller processes personal data within a scope that depends on how the service is used.
  2. If an account is created, the following may, in particular, be processed:
    1. email address;
    2. password hash;
    3. pseudonym or stage name;
    4. profile picture;
    5. information about age or about meeting the minimum age requirement;
    6. interface language;
    7. country;
    8. time zone;
    9. account settings;
    10. security settings;
    11. account status;
    12. account creation date;
    13. date of last login;
    14. information about email address verification.
  3. In connection with the use of the application, content entered or created by the user may be processed, in particular:
    1. lyrics;
    2. drafts;
    3. projects;
    4. notes;
    5. prompts;
    6. private rhyme dictionaries;
    7. version history;
    8. editor preferences;
    9. creative preferences;
    10. AI analysis results;
    11. style profile;
    12. generated texts, titles, beats, music, audio, graphics, or covers.
  4. The content referred to in section 3 may contain personal data if the user themselves includes it therein.
  5. In connection with the use of AI functions, the following may, in particular, be processed:
    1. prompts;
    2. selected fragments of projects;
    3. project context;
    4. previous content;
    5. input data;
    6. output data;
    7. metadata of AI requests;
    8. metadata of AI responses;
    9. information about the model or provider used;
    10. the number of tokens;
    11. the number of AI credits;
    12. data necessary to ensure the operation of AI functions.
  6. In connection with payments and settlements, the following may, in particular, be processed:
    1. identification and billing data;
    2. customer identifiers with the payment operator;
    3. subscription identifiers;
    4. invoice identifiers;
    5. payment status;
    6. plan history;
    7. history of AI credit purchases;
    8. amounts;
    9. currencies;
    10. billing country;
    11. tax data;
    12. invoices;
    13. transaction metadata.
  7. The controller does not store full payment card numbers.
  8. In connection with the security and operation of the service, the following may in particular be processed:
    1. IP address;
    2. user agent;
    3. device type;
    4. browser type;
    5. operating system;
    6. session identifiers;
    7. login logs;
    8. failed login attempts;
    9. error logs;
    10. security logs;
    11. rate limit events;
    12. data relating to the use of features;
    13. other technical data necessary to maintain, secure, and account for the service.
  9. In connection with telemetry, analytics, and marketing, the following may, in particular, be processed:
    1. cookie identifiers;
    2. device or session identifiers;
    3. source of visit;
    4. pages visited;
    5. interactions with the interface;
    6. conversion events;
    7. campaign information;
    8. approximate location derived from the IP address;
    9. marketing and cookie consents;
    10. marketing communication opt-out status;
    11. data on interactions with marketing messages.
  10. In connection with contacting the controller, the following may, in particular, be processed:
    1. email address;
    2. first name and surname;
    3. message content;
    4. attachments;
    5. correspondence history;
    6. communication metadata;
    7. information necessary to handle the request.

6. Data the user should not submit

  1. The user should not submit to the service data that is not necessary for the use of Ghostviber, in particular:
    1. identity document numbers;
    2. PESEL number;
    3. full payment card data;
    4. medical records;
    5. biometric data;
    6. data concerning children;
    7. special categories of data;
    8. confidential information of third parties.
  2. The data referred to in section 1 may be provided only where the user has an appropriate legal basis and it is genuinely necessary for the intended purpose.
  3. If the user voluntarily places such data in prompts, texts, projects, messages, or attachments, the controller may process it to the extent necessary to provide the service, handle the request, ensure security, comply with legal obligations, or establish, exercise, or defend claims.

7. Purposes and legal bases of processing

  1. Personal data is processed for the following purposes and on the following legal bases:
    1. creating and maintaining the account, including in particular the email address, password hash, account settings, and account status, based on Article 6(1)(b) GDPR;
    2. providing Ghostviber services, including in particular projects, texts, prompts, version history, editor settings, and AI credits, based on Article 6(1)(b) GDPR;
    3. operation of AI functions, including in particular prompts, project context, AI results, request metadata, and AI credits, based on Article 6(1)(b) GDPR;
    4. personalization of features and style profile, including in particular writing patterns, creative preferences, and AI analysis results, based on Article 6(1)(b) GDPR, and as regards additional personalization, based on Article 6(1)(f) GDPR;
    5. handling of payments and subscriptions, including in particular billing data, payment history, Stripe identifiers, and invoice status, based on Article 6(1)(b) and (c) GDPR;
    6. accounting and taxes, including in particular invoices, tax data, and transaction history, based on Article 6(1)(c) GDPR;
    7. security of the service, including in particular IP address, logs, session identifiers, and security events, based on Article 6(1)(f) GDPR;
    8. prevention of abuse, including in particular logs, technical data, activity history, and breach reports, based on Article 6(1)(f) GDPR;
    9. handling of contact and support, including in particular email address, message content, and correspondence history, based on Article 6(1)(b) or (f) GDPR;
    10. establishing and defending claims, including in particular account data, settlements, correspondence, and logs, based on Article 6(1)(f) GDPR;
    11. marketing communication, including in particular email address, consent, and opt-out status, based on Article 6(1)(a) GDPR;
    12. cookie-based analytics and advertising, including in particular cookie identifiers, analytical events, and conversions, based on Article 6(1)(a) GDPR, where consent is required;
    13. performance of legal obligations, including data required by law or by requests of authorities, based on Article 6(1)(c) GDPR.
  2. The legitimate interests of the controller include in particular:
    1. ensuring the security of the service;
    2. preventing abuse;
    3. development and maintenance of the product;
    4. handling of requests;
    5. analysis of the operation of features;
    6. establishing and defending claims;
    7. protecting the rights of the controller, users, and third parties.

8. AI functions and style profile

  1. Ghostviber uses AI functions to support the user in the creative process, in particular by generating, analyzing, transforming, suggesting, or personalizing content.
  2. In order to perform the requested AI function, the controller may process:
    1. prompts;
    2. texts;
    3. projects;
    4. project context;
    5. previous results;
    6. creative preferences;
    7. usage metadata;
    8. generation results.
  3. The data referred to in section 2 may be transmitted to external AI providers, in particular OpenAI, Google/Gemini, or other providers used in the future within the service.
  4. The controller seeks to use business or API versions of AI services and processing settings that do not provide for training the AI providers' models on users' private content, unless the user has given separate consent or this results from the applicable terms of service of a given provider and is lawful.
  5. The style profile may include information about:
    1. the manner of writing;
    2. language preferences;
    3. rhyming tendencies;
    4. flow;
    5. genre;
    6. mood;
    7. the structure of texts;
    8. other creative characteristics.
  6. The style profile is used to personalize AI suggestions and results.
  7. The user may request deletion of the style profile by contacting the controller or by using the function available in the application, where such a function is provided.
  8. The controller does not use the style profile to make decisions based solely on automated processing that would produce legal effects concerning the user or similarly significantly affect them.

9. Cookies and similar technologies

  1. The service uses cookies, local storage, pixels, tags, session identifiers, and similar technologies.
  2. Strictly necessary technologies are used for the operation of the service, in particular for:
    1. authentication;
    2. maintaining the session;
    3. security;
    4. remembering basic settings;
    5. processing payments;
    6. preventing abuse;
    7. providing functions requested by the user.
  3. The use of strictly necessary technologies does not require consent where it is necessary to provide the service requested by the user or to transmit a communication.
  4. Functional technologies may be used to remember the user's preferences, such as language, theme, editor settings, or cookie choices.
  5. Analytical and telemetry technologies may be used to:
    1. measure the operation of the service;
    2. analyze the use of features;
    3. detect errors;
    4. improve onboarding;
    5. develop the product.
  6. Where required by law, analytical and telemetry technologies are used only after obtaining the user's consent.
  7. Advertising and retargeting technologies may be used to:
    1. measure advertising effectiveness;
    2. build audience groups;
    3. exclude existing users from campaigns;
    4. measure conversions;
    5. conduct Ghostviber advertising on external platforms.
  8. Advertising and retargeting technologies are used only where the user has given the required consent.
  9. The user may manage consents using the cookie banner, the cookie preferences panel, account settings, or browser settings.
  10. Withdrawal of consent does not affect the lawfulness of processing carried out before its withdrawal.

10. Product telemetry

  1. The controller may process limited telemetry data concerning the use of the service, in particular:
    1. event name;
    2. event time;
    3. user or session identifier;
    4. information about the device and browser;
    5. feature usage;
    6. errors;
    7. performance;
    8. events related to AI credits.
  2. Telemetry should not include the full content of private projects, texts, prompts, or creative content, unless it is necessary to handle a request, to debug, for security, or to resolve a specific technical issue.
  3. If the user disables telemetry associated with the account, the controller may continue to process technical data necessary to provide the service, ensure security, settlements, detect abuse, and maintain the service.

11. Marketing communication

  1. The controller may send marketing communications, newsletters, information about new features, promotions, or product updates only where the user has given the required consent or where this is permitted under applicable law.
  2. Marketing consent is voluntary and is not a condition for using the service.
  3. The user may withdraw marketing consent at any time, in particular through the unsubscribe link, account settings, or by contacting the controller.
  4. Withdrawal of marketing consent does not affect the sending of messages:
    1. transactional;
    2. technical;
    3. legal;
    4. billing-related;
    5. concerning security;
    6. related to account servicing or the performance of the contract.

12. Data recipients

  1. Personal data may be transferred to recipients to the extent necessary to provide, secure, account for, and develop the service.
  2. Recipients of data may include in particular:
    1. providers of hosting, cloud infrastructure, and data storage;
    2. backup providers;
    3. AI providers;
    4. payment operators;
    5. providers of email, communication tools, and customer support;
    6. providers of analytics, telemetry, advertising, and conversion measurement;
    7. providers of security, DNS, proxy, bot protection, and monitoring;
    8. providers of developer tools, project management, and technical administration;
    9. legal, tax, accounting advisers, and auditors;
    10. entities authorized under provisions of law, including courts, public administration authorities, and law enforcement authorities.
  3. The controller may, in particular, use the following providers:
    1. OVH;
    2. AWS S3;
    3. Backblaze B2;
    4. Cloudflare;
    5. OpenAI;
    6. Google/Gemini;
    7. Google Analytics;
    8. Google Tag;
    9. PostHog;
    10. Meta Pixel;
    11. Stripe;
    12. Google Workspace;
    13. Bitbucket;
    14. Jira;
    15. Confluence.
  4. The controller does not sell users' personal data.
  5. The controller does not publish the user's private creative content, unless the user themselves publishes it, shares it, or gives separate consent to do so.

13. Transfers of data outside the EEA

  1. Some service providers may process personal data outside the European Economic Area, in particular in the United States or in other countries where AI providers, payment operators, providers of analytical, advertising, communication, infrastructure, or technical support tools are located.
  2. Where data is transferred outside the EEA, the controller applies the mechanisms provided for by the GDPR, in particular:
    1. a European Commission decision finding an adequate level of protection;
    2. Standard Contractual Clauses;
    3. additional safeguards;
    4. data processing agreements;
    5. other legally permissible bases for transfer.
  3. The user may obtain information about the safeguards applied by contacting the controller, provided that disclosure of such information does not infringe security, trade secrets, the rights of third parties, or applicable provisions of law.

14. Data retention period

  1. Personal data is retained for the period necessary to achieve the purpose for which it was collected, and thereafter for the period required or permitted by law, in particular for the purposes of:
    1. accounting;
    2. tax;
    3. complaints;
    4. security;
    5. abuse prevention;
    6. pursuing claims;
    7. defense against claims.
  2. Account data is retained for the period during which an active account exists.
  3. After account deletion, the data is deleted or anonymized, subject to data whose further retention is required or justified.
  4. Creative content, projects, prompts, version history, and the style profile are, as a rule, retained for the period of account activity or until they are deleted by the user or the account is deleted.
  5. After account deletion, the data referred to in section 4 may be deleted or anonymized following a technical retention period, which is generally up to 30 days, unless longer retention is necessary for legal, security, billing, complaint, or claim-related reasons.
  6. Billing data, invoices, payment metadata, and tax data are retained for the period required by tax, accounting, and other applicable legal provisions.
  7. Security logs may be retained for the period necessary to ensure security, investigate abuse, handle incidents, detect unauthorized access, and pursue or defend claims.
  8. IP addresses in telemetry data are deleted, anonymized, or hashed after a limited period, generally up to 30 days, unless further processing is necessary for security reasons, abuse prevention, or incident handling.
  9. Telemetry events may be retained for a period of up to 12 months, unless they are anonymized or aggregated earlier.
  10. Aggregated or anonymous data that does not allow identification of the user may be retained for a longer period.
  11. Data may remain in backups for a limited period of time, until they are overwritten or deleted as part of the backup rotation cycle.
  12. Backups are not used for the current use of data, unless restoration is necessary for security reasons, business continuity, failure, incident, or a legal obligation.

15. Account deletion

  1. The user may request deletion of the account using the function available in the application or by contacting the controller.
  2. Account deletion may result in the loss of access to:
    1. projects;
    2. version history;
    3. creative content;
    4. style profile;
    5. AI credits;
    6. settings;
    7. subscription data;
    8. generated content.
  3. Before deleting the account, the user should download the content they wish to keep, where the export function is available.
  4. After receiving a request to delete the account, the controller may first deactivate the account or mark it as designated for deletion, and then delete or anonymize the data in accordance with the retention process.
  5. Some data may continue to be retained where this is necessary due to:
    1. legal obligations;
    2. accounting obligations;
    3. tax obligations;
    4. security;
    5. abuse prevention;
    6. complaints;
    7. claims;
    8. backups.

16. User rights

  1. The data subject has the right to:
    1. access the data;
    2. receive a copy of the data;
    3. rectification of the data;
    4. erasure of the data;
    5. restriction of processing;
    6. data portability;
    7. object to processing based on legitimate interest;
    8. withdraw consent at any time, where processing is based on consent;
    9. lodge a complaint with the supervisory authority.
  2. To exercise these rights, contact the controller at: [email protected].
  3. The controller may request information necessary to confirm the identity of the person submitting the request, where it has reasonable doubts as to their identity.
  4. The request will be addressed without undue delay, no later than within one month of its receipt, unless the GDPR allows for extension of this period due to the complex nature of the request or the number of requests.
  5. The right to erasure of data, restriction of processing, objection, and data portability may be subject to limitations resulting from the GDPR or other provisions of law, in particular where further processing is necessary for:
    1. compliance with a legal obligation;
    2. establishing, exercising, or defending claims;
    3. ensuring security;
    4. performance of a contract.

17. Complaint to the supervisory authority

  1. The data subject has the right to lodge a complaint with the competent supervisory authority, in particular with the President of the Personal Data Protection Office (UODO).
  2. Up-to-date contact details for the President of the Personal Data Protection Office are available on the UODO website.
  3. According to information from UODO, the office is located at ul. Stanisława Moniuszki 1A, 00-014 Warsaw, and may be contacted, among other means, by email at [email protected], via the electronic inbox, and by telephone.

18. Data security

  1. The controller applies appropriate technical and organizational measures to protect personal data against:
    1. accidental or unlawful destruction;
    2. loss;
    3. alteration;
    4. unauthorized disclosure;
    5. unauthorized access;
    6. other unlawful processing.
  2. The measures referred to in section 1 may include in particular:
    1. encryption of transmission;
    2. password hashing;
    3. access control;
    4. restrictions on administrative access;
    5. authentication;
    6. security monitoring;
    7. event logging;
    8. backups;
    9. segmentation of permissions;
    10. infrastructure safeguards;
    11. incident handling procedures.
  3. The user should protect their login credentials, use a strong password, not share their account with third parties, and promptly notify the controller of any suspected unauthorized access to the account.

19. Personal data breaches

  1. In the event of a personal data breach, the controller assesses:
    1. the nature of the breach;
    2. the consequences of the breach;
    3. the risk to the rights or freedoms of natural persons;
    4. the measures required to mitigate the consequences of the breach.
  2. The controller takes the actions required by law.
  3. If the breach requires notification to the supervisory authority or communication to the data subjects, the controller will make such notification or communication within the time limits and to the extent required by the applicable provisions.

20. Changes to the Privacy Policy

  1. The controller may amend the Privacy Policy, in particular in the event of:
    1. changes in the law;
    2. changes in the functions of the service;
    3. changes in technology;
    4. changes in providers;
    5. changes in the manner of data processing;
    6. changes in the rules for the use of cookies;
    7. changes in the controller's organizational structure;
    8. the need to clarify the information provided to users.
  2. The new version of the Privacy Policy will be published on the service.
  3. If the changes are material, the controller may also inform users by email, by a message in the application, or by another appropriate means.

21. Privacy contact

  1. For matters concerning the processing of personal data, exercising rights under the GDPR, cookies, telemetry, the style profile, marketing consents, or account deletion, please contact the controller at: [email protected].
  2. Written contact is possible at the following address: Unbelievable Software sp. z o.o., ul. Złota 75A/7, 00-819 Warsaw.
